Comparing Security and Efficiency of WebAssembly and Linux Containers in Kubernetes Cloud Computing

TL;DR

This paper compares WebAssembly and Linux containers in Kubernetes, showing WebAssembly offers better security and comparable performance for untrusted code execution, with some startup overhead.

Contribution

It provides a comprehensive security and performance evaluation of WebAssembly versus Linux containers in cloud Kubernetes environments.

Findings

WebAssembly has a smaller attack surface than Linux containers.

WebAssembly introduces startup overhead but is efficient in long-running tasks.

WebAssembly enhances security and portability in containerization.

Abstract

This study investigates the potential of WebAssembly as a more secure and efficient alternative to Linux containers for executing untrusted code in cloud computing with Kubernetes. Specifically, it evaluates the security and performance implications of this shift. Security analyses demonstrate that both Linux containers and WebAssembly have attack surfaces when executing untrusted code, but WebAssembly presents a reduced attack surface due to an additional layer of isolation. The performance analysis further reveals that while WebAssembly introduces overhead, particularly in startup times, it could be negligible in long-running computations. However, WebAssembly enhances the core principle of containerization, offering better security through isolation and platform-agnostic portability compared to Linux containers. This research demonstrates that WebAssembly is not a silver bullet for all security concerns or performance requirements in a Kubernetes environment, but typical attacks are less likely to succeed and the performance loss is relatively small.