{"id":20009858,"url":"https://github.com/plsyssec/rlbox_wamr_sandbox","last_synced_at":"2026-06-08T04:32:12.517Z","repository":{"id":144629481,"uuid":"351969659","full_name":"PLSysSec/rlbox_wamr_sandbox","owner":"PLSysSec","description":"RLBox integration to leverage WASM sandboxes compiled with WAMR","archived":false,"fork":false,"pushed_at":"2021-05-12T05:56:55.000Z","size":68,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-11-29T22:07:51.483Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PLSysSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-27T03:09:29.000Z","updated_at":"2022-10-14T12:06:09.000Z","dependencies_parsed_at":"2023-07-04T19:16:23.452Z","dependency_job_id":null,"html_url":"https://github.com/PLSysSec/rlbox_wamr_sandbox","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/PLSysSec/rlbox_wamr_sandbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Frlbox_wamr_sandbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Frlbox_wamr_sandbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Frlbox_wamr_sandbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Frlbox_wamr_sandbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PLSysSec","download_url":"https://codeload.github.com/PLSysSec/rlbox_wamr_sandbox/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Frlbox_wamr_sandbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34048681,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T07:17:16.518Z","updated_at":"2026-06-08T04:32:12.500Z","avatar_url":"https://github.com/PLSysSec.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.com/PLSysSec/rlbox_wamr_sandbox.svg?branch=master)](https://travis-ci.com/PLSysSec/rlbox_wamr_sandbox)\n\n# RLBOX Wamr Sandbox Integration\n\n**This is a prototype. Not yet ready for production use.**\n\nIntegration with RLBox sandboxing API to leverage the sandboxing in WASM modules compiled with wamr compiler.\n\nFor details about the RLBox sandboxing APIs, see [here](https://github.com/PLSysSec/rlbox_api_cpp17).\n\nThis code has been tested on 64-bit versions of Ubuntu and Mac OSX.\n\n## Reporting security bugs\n\nIf you find a security bug, please do not create a public issue. Instead, file a security bug on bugzilla using the [following template link](https://bugzilla.mozilla.org/enter_bug.cgi?cc=tom%40mozilla.com\u0026cc=nfroyd%40mozilla.com\u0026cc=deian%40cs.ucsd.edu\u0026cc=shravanrn%40gmail.com\u0026component=Security%3A%20Process%20Sandboxing\u0026defined_groups=1\u0026groups=core-security\u0026product=Core\u0026bug_type=defect).\n\n## Building/Running the tests\n\nYou can build and run the tests using cmake with the following commands.\n\n```bash\ncmake -S . -B ./build\ncmake --build ./build --target all\ncmake --build ./build --target test\n```\n\nOn Arch Linux you'll need to install [ncurses5-compat-libs](https://aur.archlinux.org/packages/ncurses5-compat-libs/).\n\n## Using this library\n\nFirst, build the rlbox_wamr_sandbox repo with\n\n```bash\ncmake -S . -B ./build\ncmake --build ./build --target all\n```\n(Note: The parallel build is currently broken for first build. Incremental parallel build works fine.)\n\nThis wamr/wasm integration with RLBox depends on 3 external tools/libraries that are pulled in **automatically** to run the tests included in this repo.\n\n1. [A clang compiler with support for WASM/WASI backend, and the WASI sysroot](https://github.com/CraneStation/wasi-sdk). This allows you to compile C/C++ code to WASM modules usable outside of web browsers (in desktop applications).\n2. [The **modified** wamr compiler](https://github.com/PLSysSec/wamr_sandbox_compiler) that compiles the produced WASM/WASI module to a native binary.\n3.  [The RLBox APIs]((https://github.com/PLSysSec/rlbox_api_cpp17)) - A set of APIs that allow easy use of sandboxed libraries.\n\nIn the below steps, you can either use the automatically pulled in versions as described below, or download the tools yourself.\n\nIn order to sandbox a library of your choice.\n\n- Build the sources of your library along with the file `c_src/wamr_sandbox_wrapper.c` and passing the flag `--export-all` to the linker using the clang compiler described above. This will produce a wasm module. The required clang compiler is available in the path `build/_deps/wasiclang-src/opt/wasi-sdk/bin/clang`.\nFor instance, to edit an existing `make` based build system, you can run the commmand.\n\n```bash\nbuild/_deps/wasiclang-src/opt/wasi-sdk/bin/clang --sysroot build/_deps/wasiclang-src/opt/wasi-sdk/share/wasi-sysroot/ c_src/wamr_sandbox_wrapper.c -c -o c_src/wamr_sandbox_wrapper.o\n\nCC=build/_deps/wasiclang-src/opt/wasi-sdk/bin/clang                            \\\nCXX=build/_deps/wasiclang-src/opt/wasi-sdk/bin/clang++                         \\\nCFLAGS=\"--sysroot build/_deps/wasiclang-src/opt/wasi-sdk/share/wasi-sysroot/\"  \\\nLD=build/_deps/wasiclang-src/opt/wasi-sdk/bin/wasm-ld                          \\\nLDLIBS=wamr_sandbox_wrapper.o                                                 \\\nLDFLAGS=-Wl,--export-all                                                       \\\nmake\n```\n\n- Assuming the above command produced the wasm module `libFoo.wasm`, compile this to an ELF shared library using the modified wamrc compiler as shown below.\n\n```bash\nbuild/cargo/release/wamrc                                        \\\n    -o libWasmFoo.so                                             \\\n    libFoo.wasm\n```\n- Finally you can write sandboxed code, just as you would with any other RLBox sandbox, such as in the short example below. For more detailed examples, please refer to the tutorial in the [RLBox Repo]((https://github.com/PLSysSec/rlbox_api_cpp17)).\n\n\n```c++\n#include \"rlbox_wamr_sandbox.hpp\"\n#include \"rlbox.hpp\"\n\nint main()\n{\n    rlbox_sandbox\u003crlbox_wamr_sandbox\u003e sandbox;\n    sandbox.create_sandbox(\"libWasmFoo.so\");\n    // Invoke function bar with parameter 1\n    sandbox.invoke_sandbox_function(bar, 1);\n    sandbox.destroy_sandbox();\n    return 0;\n}\n```\n\n- To compile the above example, you must include the rlbox header files in `build/_deps/rlbox-src/code/include`, the integration header files in `include/` and the wamr_sandbox library in `build/cargo/{debug or release}/librlbox_wamr_sandbox.a` (make sure to use the whole archive and the rdynamic linker options). For instance, you can compile the above with\n\n```bash\ng++ -std=c++17 example.cpp -o example -I build/_deps/rlbox-src/code/include -I include -Wl,--whole-archive -l:build/cargo/debug/librlbox_wamr_sandbox.a -Wl,--no-whole-archive -Wl,-rdynamic\n```\n\n## Contributing Code\n\n1. To contribute code, it is recommended you install clang-tidy which the build\nuses if available. Install using:\n\n   On Ubuntu:\n```bash\nsudo apt install clang-tidy\n```\n   On Arch Linux:\n```bash\nsudo pacman -S clang-tidy\n```\n\n2. It is recommended you use the dev mode for building during development. This\ntreat warnings as errors, enables clang-tidy checks, runs address sanitizer etc.\nAlso, you probably want to use the debug build. To do this, adjust your build\nsettings as shown below\n\n```bash\ncmake -DCMAKE_BUILD_TYPE=Debug -DDEV=ON -S . -B ./build\n```\n\n3. After making changes to the source, add any new required tests and run all\ntests as described earlier.\n\n4. To make sure all code/docs are formatted with, we use clang-format.\nInstall using:\n\n   On Ubuntu:\n```bash\nsudo apt install clang-format\n```\n   On Arch Linux:\n```bash\nsudo pacman -S clang-format\n```\n\n5. Format code with the format-source target:\n```bash\ncmake --build ./build --target format-source\n```\n\n6. Submit the pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplsyssec%2Frlbox_wamr_sandbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fplsyssec%2Frlbox_wamr_sandbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplsyssec%2Frlbox_wamr_sandbox/lists"}