How does Web Assembly facilitate less hackable/more trustless in-browser code execution?

Question

i.e. for one, precompiled code is harder to read therefore making it more difficult to meaningfully alter browser code.

How is it more 'sandboxed' than JS, and does this make it less hackable?

"WebAssembly is specified to be run in a safe, sandboxed execution environment." - https://developer.mozilla.org/en-US/docs/WebAssembly/Concepts

Are there properties of the WASM VM memory format that make it more client-side-hack-resistant?

Anything else?

Answer 1

WebAssembly was never designed to be less hackable than JavaScript. WebAssembly modules run within the browser and can be inspected and debugged just like any other JavaScript application. The only additional protection they offer is that of obfuscation. It is a lower level language which makes it harder to decipher the code - although that is not a strong protection!

WebAssembly modules are sandboxed in that one module cannot access the memory, or interact with, another running module. They have their own isolated execution environment. JavaScript is also sandboxed in order to prevent code from one tab or page interacting with another - and more importantly preventing it from accessing the underlying host OS!

Webassembly uses linear memory, which is a contiguous block of memory, that is typical used to create a heap. It can be exported to the host environment, which means that the hosting JavaScript code can directly read and write to it as a byte array.

In summary, WebAssembly is not less hackable and has a different sandbox. If these are the trains you’re looking at this technology, perhaps it’s time for a rethink?