1 WebAssembly for the backend Adrian Cole OSS Engineer

Open Source late bloomer Currently all-in on wazero.io http-wasm.io and projects that use them 2 I’m Adrian from Tetrate codefromthecrypt on GitHub

Agenda Overview of WebAssembly Decouple programming language choice Safely run a binary inside yours Breaking the monolith part two Perils of programming wasm Closing thoughts 3 I work on these things and feel they are under-discussed

Not Agenda Web programming practice Smart Contracts, web3, etc. Edge functions Attempts to retrofit Docker WAGI aka CGI part two 4 There is a lot of content on these things, and we only have forty minutes!

Dive into WebAssembly 5 How more languages got into the browser, with a dash of jargon

WebAssembly is an embeddable virtual machine and bytecode format 6 crypto crypto = WebAssembly.instantiate(cryptoWasm) crypto[sign](ptr, len) ptr, len = copyToWasm(crypto, toSign) crypto.rs

7 ● Oracle JCP ● Dominates the backend ● Language bias. Ex field instructions ● Other languages share object model, GC, stdlib ● W3C Working Group ● Dominates the browser ● Hardware bias. Ex SIMD instructions ● Other languages bring their own object model, GC, stlib Virtual Stack Machines

WebAssembly host WebAssembly guest Is the embedding process e.g. a web browser, desktop application or microservice. Controls the guest e.g. instantiates guests, invokes their functions Might export functions e.g. functions that allow file access Is compiled to bytecode e.g. a %.wasm file the host compiles to machine code Has its own memory Functions work via numeric parameters or memory Might require functions e.g. will fail to start if functions aren’t available Host ~= VM Guest ~= module

Application Binary Interface (ABI) Services agree on how to communicate via Remote APIs. Compilers and components agree via ABI. The most common ABI used outside the browser is WASI. It defines functions similar to POSIX file I/O, clocks and env variables. 9 https://wasi.dev/

WebAssembly host WebAssembly guest wasi_snapshot_preview1 Importable functions: args_get clock_time_get env_get random_get fd_write … Required Exports memory: “memory” function: “_start” 


ABI are documentation, sometimes just markdown files! 11 Example: clock_time_get

WebAssembly for re-use avoid porting or rewriting code in another language 12

Wasm cannot directly affect resources like files. Guests call imported host functions with pointers to shared memory they own. 13 out, err := run(ctx, fi leFS(path), "dcraw", "-e", "-c", "input") Safely run a binary inside yours _start fd_read(input) args_get mem.Write(dcraw_-e_…) out.Write(mem) fi le.Read(mem) github.com/ncruces/RethinkRAW fd_write(stdout) memory dcraw.wasm wasi dcraw.c clang

Breaking the monolith part two WebAssembly as an alternative to microservices for some use cases 14

APIs, APIs, ABIs? We’ve learned you can break large codebases into smaller ones with micro services, communicating over APIs. We can sometimes use WebAssembly instead. Define supported ABIs and let users provide custom functions. 15 WARNING: WebAssembly is constrained and difficult. It may not be the right fit for you!

WebAssembly allows decoupling without RPC. Tools like go-plugin allow you to define ABI as protobuf services. 16 e.g. go-plugin gRPC Host Guest Decoupled with gRPC API Decoupled with WebAssemblyABI Monolith Breaking the Monolith Service

Breaking the CLI monolith WebAssembly as a way to modularize a command-line tool 17

18 ● Security and misconfiguration policy begs for modularity ● Sites prefer custom policy vs ignoring alerts or not seeing them. ● Policy needs code for analysis and classification

19 Challenges of a CLI ● Trivy is ultimately a CLI, built for several operating systems on several architectures. ● Packaging for Docker, GitHub Actions etc is easiest with a static binary. ● Getting into the default build isn’t viable or relevant for all policy.

Trivy provides an SDK which implements their custom ABI for config and analysis. Modules are installed locally or via OCI repository. 20 Trivy + wasm = site friendly policy trivy.dev acme-cves.wasm acme-cves.go Tinygo Trivy SDK ghcr.io/acme

Breaking the sidecar monolith WebAssembly as a way to modularize deeply embedded infrastructure 21

Sidecar monoliths Sidecars are usually monolithic, and while highly customizable, tricky to change. For example, Envoy versions are tightly coupled to Istio versions. Dapr is a static binary, so cannot custom libraries dynamically. 22

Customizing sidecars with HTTP Middleware My App Middleware 1 Middleware 2 Middleware 3 Dapr Sidecar Request Response You install this You built this You configure this

You want to break the monolith My App Middleware 2 Middleware 3 Dapr Sidecar Request Response My Filter You can’t change this binary You built this You want to own this code

Sidecars define the WebAssembly ABI they support Dapr (golang) runs http-wasm guests. It also allows use of WASI, though doesn’t require it. Middleware compatible with these ABI can change in any way without changing Dapr. 25

26 ● http-handler ABI implements HTTP server middleware ● The ABI defines functions the host and guest are required to implement ● Implementations exist for Go http.Handler and Node.js express, with more coming soon http-wasm.io

So.. WebAssembly can break the monolith My App Middleware 2 Middleware 3 Dapr Sidecar Request Response My Filter WebAssembly allows custom functionality in a static binary, based on an ABI contract http-wasm guest http-wasm host My Filter http-wasm/http-wasm-guest-tinygo v1.10

Perils of programming wasm Stick with pre-built binaries and SDKs while you can! 28

29 1. Download a pre-built binary 2. Compile your own binary, possibly with an SDK 3. Directly import and export wasm functions wasm 3 ways

SDKs implement the ABI, and compilation steps are abnormal 30 SDK example in TinyGo Global config Not stdlib Not go http-wasm/http-wasm-guest-tinygo

You can directly access imported functions by (module, name) pair 31 Manual example in Rust Import name No strings Import module

Compilers are different or at least need different flags. Performance varies and is runtime specific. Benchmark! There are other ways to polyglot! 32 ● Features like reflection usually don’t work ● Wasm has no parallelism, so garbage collection is inline ● WebAssembly has no standard library, so binaries can get big. programming WebAssembly is trickier than normal code

That’s all, folks! Let’s recap 33

WebAssembly is a new way to modularize software safely and without RPC. 34 ● You can embed your code into other binaries and visa versa with WebAssembly ● Many projects use an SDK approach to enable success ● WebAssembly is evolving and will be different next year Here are some good talks: Wasmer Things: An Upside Down Guide To WebAssembly by Edoardo Vacchi CGO-less Foreign Function Interface With WebAssembly by Takeshi Yoneda