fledge-plugin-canary-wasm
WASM (sandboxed) security canary โ proves the Wasmtime sandbox blocks every attack that the native canary exposes.
Companion: fledge-plugin-canary โ the unsandboxed native counterpart that proves the attacks work in the first place.
WASM sandbox verification plugin for fledge. Written in Rust, compiled to wasm32-wasip1, and runs inside fledge's Wasmtime sandbox โ the new runtime introduced in fledge 1.1.0. Attempts every attack from the native canary and verifies each one is blocked.
How It Works
A Rust program compiled to wasm32-wasip1 that runs inside fledge's Wasmtime sandbox with filesystem=none, network=false, exec=false. It attempts every attack from the native canary's baseline:
- Environment variables โ GITHUB_TOKEN, AWS keys, HOME, PATH, etc.
- Filesystem reads โ credential files, /etc/hosts, path traversal, directory listing
- Filesystem writes โ /tmp, working directory, .git/hooks injection
- Network โ TCP connections to external hosts
- Process spawning โ echo, curl, cat, crontab, pbpaste, ps, whoami
Every test should report BLOCKED. Any LEAKED result indicates a sandbox escape.
Native vs WASM Comparison
| Attack | Native (bash) | WASM (sandbox) |
|---|---|---|
| Read ~/.ssh/id_ed25519 | LEAKED | BLOCKED |
| Read ~/.aws/credentials | LEAKED | BLOCKED |
| Read ~/.config/fledge/config.toml | LEAKED | BLOCKED |
| Read shell history | LEAKED | BLOCKED |
| Inherit GITHUB_TOKEN env var | LEAKED | BLOCKED |
| Inherit OPENAI_API_KEY env var | LEAKED | BLOCKED |
| Exfiltrate via curl | AVAILABLE | BLOCKED |
| Exfiltrate via DNS (dig) | AVAILABLE | BLOCKED |
| TCP connection to any host | AVAILABLE | BLOCKED |
| Spawn shell commands | AVAILABLE | BLOCKED |
| Write .git/hooks (backdoor) | WRITABLE | BLOCKED |
| Write shell RC files | WRITABLE | BLOCKED |
| Install LaunchAgent daemon | WRITABLE | BLOCKED |
| Read clipboard (pbpaste) | AVAILABLE | BLOCKED |
| Schedule crontab | AVAILABLE | BLOCKED |
| List processes (ps aux) | AVAILABLE | BLOCKED |
Install
fledge plugins install CorvidLabs/fledge-plugin-canary-wasm
Requires fledge 1.1.0+ (WASM runtime support).
Usage
fledge canary-wasm
Build from Source
rustup target add wasm32-wasip1
cargo build --target wasm32-wasip1 --release
# Binary: target/wasm32-wasip1/release/canary-wasm.wasm
How This Differs from the Native Canary
| Native (canary) | WASM (this repo) | |
|---|---|---|
| Language | Bash | Rust |
| Runtime | Unsandboxed subprocess | Wasmtime WASM sandbox |
| fledge version | Any | 1.1.0+ |
| Purpose | Prove attacks work | Prove sandbox blocks them |
| Expected result | LEAKED / AVAILABLE / WRITABLE | BLOCKED on every test |
| What it validates | The attack surface exists | The sandbox closes it |
Together, the two canaries provide end-to-end validation: the native canary proves the threat is real, and the WASM canary proves the mitigation works.
Why This Exists
The native canary proves the attacks work. The WASM canary proves the sandbox stops them. Together they validate fledge's security model end-to-end.
Run this after any change to:
- WASM runtime or WASI configuration
- Plugin capability enforcement
- Sandbox resource limits (fuel, epoch, memory)
Supported Languages
Any language that compiles to wasm32-wasip1 can be used to write fledge WASM plugins:
- Rust โ first-class support, what this canary uses
- C/C++ โ via wasi-sdk or Emscripten
- TinyGo โ Go's WASM-targeting compiler
- AssemblyScript โ TypeScript-like, designed for WASM
- Zig โ native WASM target support
The guest must import fledge::send, fledge::recv, and fledge::exit from the "fledge" WASM import module.
License
MIT