I recently gave a talk at WasmCon 2023 about the measures we take to ensure security and correctness in Wasmtime and Cranelift. Its content is very similar to this blog post.

Here is the abstract:

WebAssembly programs are sandboxed and isolated from one another and from the host, so they can’t read or write external regions of memory, transfer control to arbitrary code in the process, or freely access the network and filesystem. This makes it safe to run untrusted WebAssembly programs: they cannot escape the sandbox to steal private data from elsewhere on your laptop or run a botnet on your servers. But these security properties only hold true if the WebAssembly runtime’s implementation is correct. This talk will explore the ways we are ensuring correctness in the Wasmtime WebAssembly runtime and in its compiler, Cranelift.
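
To make the "only if the runtime's implementation is correct" point concrete, here is a small illustration added for this post. It is not Wasmtime or Cranelift code; it models one piece of the sandbox described above, a WebAssembly linear memory where every guest load and store is bounds-checked against the memory's current size, and places a plausible but wrong check (the same arithmetic done in 32 bits) beside the correct one to show how a single implementation slip turns into a read outside the sandbox. The type and function names (`linear_memory`, `checked_i32_load`, `in_bounds_wrapping_bug`) are invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration added for this post, not Wasmtime or Cranelift code. It models
 * WebAssembly linear memory: a host allocation that the guest addresses with
 * 32-bit indices, where every access is bounds-checked before it happens so
 * that a guest index can never reach host memory outside the allocation. */

#define WASM_PAGE_SIZE 65536u

typedef struct {
    uint8_t *base;  /* host allocation backing the guest's linear memory */
    uint64_t size;  /* current size in bytes, always a whole number of pages */
} linear_memory;

typedef enum { ACCESS_OK = 0, TRAP_OUT_OF_BOUNDS = 1 } access_result;

static bool linear_memory_init(linear_memory *mem, uint32_t pages) {
    mem->size = (uint64_t)pages * WASM_PAGE_SIZE;
    mem->base = calloc(1, mem->size ? mem->size : 1);
    return mem->base != NULL;
}

/* Correct bounds check for an access of `width` bytes at guest address
 * `addr` plus the instruction's static `offset`. The sum is formed in 64
 * bits so that addr + offset cannot wrap around the 32-bit address space. */
static bool in_bounds(const linear_memory *mem, uint32_t addr,
                      uint32_t offset, uint32_t width) {
    uint64_t effective = (uint64_t)addr + (uint64_t)offset;
    return effective + width <= mem->size;
}

/* A plausible but wrong check: the same arithmetic done in 32 bits, so
 * addr + offset can wrap to a small value and pass. It is only consulted
 * here, never used to perform a read, because acting on its answer would be
 * exactly the sandbox escape the abstract warns about. */
static bool in_bounds_wrapping_bug(const linear_memory *mem, uint32_t addr,
                                   uint32_t offset, uint32_t width) {
    uint32_t effective = addr + offset;      /* may wrap */
    return (uint64_t)effective + width <= mem->size;
}

/* i32.store / i32.load with the correct check in front of the raw access. */
static access_result checked_i32_store(linear_memory *mem, uint32_t addr,
                                       uint32_t offset, uint32_t value) {
    if (!in_bounds(mem, addr, offset, (uint32_t)sizeof value))
        return TRAP_OUT_OF_BOUNDS;
    memcpy(mem->base + (uint64_t)addr + offset, &value, sizeof value);
    return ACCESS_OK;
}

static access_result checked_i32_load(const linear_memory *mem, uint32_t addr,
                                      uint32_t offset, uint32_t *out) {
    if (!in_bounds(mem, addr, offset, (uint32_t)sizeof *out))
        return TRAP_OUT_OF_BOUNDS;
    memcpy(out, mem->base + (uint64_t)addr + offset, sizeof *out);
    return ACCESS_OK;
}

int main(void) {
    linear_memory mem;
    if (!linear_memory_init(&mem, 1)) return 1;   /* one 64 KiB page */

    uint32_t v = 0;
    printf("store@16: %d\n", checked_i32_store(&mem, 16, 0, 0xDEADBEEFu));
    printf("load@16:  %d value=%#x\n", checked_i32_load(&mem, 16, 0, &v), v);
    /* Last in-bounds 4-byte access ends exactly at the page boundary. */
    printf("load@65532: %d\n", checked_i32_load(&mem, 65532, 0, &v));
    /* One byte further straddles the boundary and must trap. */
    printf("load@65533: %d\n", checked_i32_load(&mem, 65533, 0, &v));
    /* addr + offset wraps in 32 bits: the correct check traps ... */
    printf("load@0xFFFFFFFC+8: %d\n",
           checked_i32_load(&mem, 0xFFFFFFFCu, 8, &v));
    /* ... while the buggy check would have let the guest read host memory. */
    printf("buggy check accepts it: %s\n",
           in_bounds_wrapping_bug(&mem, 0xFFFFFFFCu, 8, 4) ? "yes" : "no");
    free(mem.base);
    return 0;
}
```

The interesting case is the last one: a guest address of `0xFFFFFFFC` with a static offset of 8 sums to `0x100000004`, far outside a 64 KiB memory, but truncated to 32 bits it becomes 4 and the wrapping check approves a read that would land well past the allocation. Real runtimes avoid this class of bug with guard pages, explicit 64-bit comparisons, or both, and verify the compiled check rather than trust that it was emitted correctly; that verification work is the subject of the talk.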

The slides are available here and the recording is up on YouTube, although unfortunately they missed the first 30 seconds or so: