bytecodealliance · lum1n0us · Jan 9, 2025 · Dec 19, 2024 · Dec 23, 2024 · Dec 23, 2024
@@ -0,0 +1,33 @@
+# About security issues
+
+This document aims to explain the process of identifying a security issue and the steps for managing a security issue.
+
+## identifying a security issue
+
+It is commonly stated that a security issue is an issue that:
+
+- Exposes sensitive information to unauthorized parties.
+- Allows unauthorized modification of data or system state.
+- Affects the availability of the system or its services.
+- Permits unauthorized access to the system.
+- Enables users to perform actions they should not be able to.
+- Allows users to deny actions they have performed.
+
+Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand.
+
+Thus, we share most of the criteria for judging security issues with [the Bytecode Alliance](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#definition).
+
+> [!NOTE]
+> keep updating this document as the project evolves.
+
+## reporting a security issue
+
+Follow the [same guidelines](https://bytecodealliance.org/security) as other projects within the Bytecode Alliance.
+
+## managing a security issue
+
+Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability), _Report a security vulnerability_ if it qualifies.
+
+Upon receiving an issue, thoroughly review [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability) to assess and _Report a security vulnerability_ if the issue is indeed a security vulnerability.
+
+Once a security issue is confirmed, please refer to [the runbook](https://github.com/bytecodealliance/rfcs/blob/main/accepted/vulnerability-response-runbook.md) for the subsequent steps to take.
@@ -0,0 +1,82 @@
+# Wasm Proposals
+
+This document is intended to describe the current status of WebAssembly proposals and WASI proposals in WAMR.
+
+Only track proposals that are followed in the [WebAssembly proposals](https://github.com/WebAssembly/proposals) and [WASI proposals](https://github.com/WebAssembly/WASI/blob/main/Proposals.md).
+
+Normally, the document tracks proposals that are in phase 4. However, if a proposal in an earlier phase receives support, it will be added to the list below.
+
+The _status_ represents the configuration _product-mini/platforms/linux/CMakeLists.txt_. There may be minor differences between the top-level CMakeLists and platform-specific CMakeLists.
+
+Users can turn those features on or off by using compilation options. If a relevant compilation option is not available(`N/A`), it indicates that the feature is permanently enabled.
+
+## On-by-default Wasm Proposals
+
+| Proposal                              | >= Phase 4 | Compilation Option       |
+| ------------------------------------- | ---------- | ------------------------ |
+| Bulk memory operations                | Yes        | `WAMR_BUILD_BULK_MEMORY` |
+| Extended Constant Expressions         | Yes        | N/A                      |
+| Fixed-width SIMD[^1]                  | Yes        | `WAMR_BUILD_SIMD`        |
+| Multi-value                           | Yes        | N/A                      |
+| Non-trapping float-to-int conversions | Yes        | N/A                      |
+| Reference Types                       | Yes        | `WAMR_BUILD_REF_TYPES`   |
+| Sign-extension operators              | Yes        | N/A                      |
+| WebAssembly C and C++ API             | No         | N/A                      |
+
+[^1]: llvm-jit and aot only.
+
+## Off-by-default Wasm Proposals
+
+| Proposal                      | >= Phase 4 | Compilation Option         |
+| ----------------------------- | ---------- | -------------------------- |
+| Garbage collection            | Yes        | `WAMR_BUILD_GC`            |
+| Legacy Exception handling[^2] | No         | `WAMR_BUILD_EXCE_HANDLING` |
+| Memory64                      | Yes        | `WAMR_BUILD_MEMORY64`      |
+| Multiple memories[^3]         | Yes        | `WAMR_BUILD_MULTI_MEMORY`  |
+| Reference-Typed Strings       | No         | `WAMR_BUILD_STRINGREF`     |
+| Tail call                     | Yes        | `WAMR_BUILD_TAIL_CALL`     |
+| Thread[^4]                    | Yes        | `WAMR_BUILD_SHARED_MEMORY` |
+| Typed Function References     | Yes        | `WAMR_BUILD_GC`            |
+
+[^2]:
+    interpreter only. [a legacy version](https://github.com/WebAssembly/exception-handling/blob/main/proposals/exception-handling/legacy/Exceptions.md).
+    This proposal is currently also known as the "legacy proposal" and still
+    supported in the web, but can be deprecated in future and the use of
+    this proposal is discouraged.
+
+[^3]: interpreter only
+[^4]: `WAMR_BUILD_LIB_PTHREAD` can also be used to enable
+
+## Unimplemented Wasm Proposals
+
+| Proposal                                    | >= Phase 4 |
+| ------------------------------------------- | ---------- |
+| Branch Hinting                              | Yes        |
+| Custom Annotation Syntax in the Text Format | Yes        |
+| Exception handling[^5]                      | Yes        |
+| Import/Export of Mutable Globals            | Yes        |
+| JS String Builtins                          | Yes        |
+| Relaxed SIMD                                | Yes        |
+
+[^5]: [up-to-date version](https://github.com/WebAssembly/exception-handling/blob/main/proposals/exception-handling/Exceptions.md)
+
+## On-by-default WASI Proposals
+
+| Proposal | >= Phase 4 | Compilation Option |
+| -------- | ---------- | ------------------ |
+
+## Off-by-default WASI Proposals
+
+| Proposal                   | >= Phase 4 | Compilation Option            |
+| -------------------------- | ---------- | ----------------------------- |
+| Machine Learning (wasi-nn) | No         | `WAMR_BUILD_WASI_NN`          |
+| Threads                    | No         | `WAMR_BUILD_LIB_WASI_THREADS` |
+
+## Unimplemented WASI Proposals
+
+| Proposal | >= Phase 4 |
+| -------- | ---------- |
+
+## WAMR features
+
+WAMR offers a variety of customizable features to create a highly efficient runtime. For more details, please refer to [build_wamr](./build_wamr.md).