CWAMR: REIMAGINING A CAPABILITYBASED WEBASSEMBLY RUNTIME VIA CHERI-BASED COMPARTMENTALIZATION

WebAssembly (WASM) provides a language-neutral execution format widely deployed for cloud, edge, and embedded workloads. Its linear memory model and software-level sandboxing afford portability and a baseline of spatial isolation, yet they rely on dynamic bounds checks and page-based protections that incur overhead and remain susceptible to violations under speculative and out-of-order execution. Prior efforts to secure WASM for untrusted workloads frequently embed it within Trusted Execution Environments (TEEs) such as Intel SGX, introducing attestation, enclave management complexity, and exposure to shared-cache side channels, while still lacking hardware-enforced pointer provenance and bounds. This work presents cWAMR, the first WebAssembly runtime ported to leverage CHERI’s hardware-enforced capability model, integrating fine-grained bounds, permissions, and pointer provenance directly into the execution of WASM modules. We describe the adaptations made to the WAMR runtime, including a CHERI-sealed memory allocator, capability-restricted system interface (cWASI), and secure externref handling, enabling WASM workloads to execute within CHERI compartments without reliance on enclavewide isolation boundaries. Validation on the Arm Morello CHERI platform demonstrates correct execution of AoT-compiled and interpreted WASM modules under capability enforcement, preserving memory safety, compartmentalization, and integrity guarantees throughout runtime operation. Developed under the UK Digital Security by Design (DSbD) CHERI Morello program, this work establishes a practical path for integrating hardware capability systems with portable runtime environments. It lays the groundwork for future toolchain support, performance characterization, and broader deployment of capabilitybased security for untrusted code execution.