Description
The ability to execute arbitrary R code securely is becoming increasingly critical for use cases ranging from AI agents executing LLM-generated code to peer-to-peer (P2P) compute clusters. Sandboxing techniques such as virtual machines and Linux containers are commonly used to isolate the host machine from untrusted code. Because these technologies can be complicated to set up, and often require administrative rights, they are less accessible to developers than desired. Originally designed for in-browser applications, WebAssembly has recently emerged as an alternative, cross-platform sandboxing environment on the local machine.
This talk introduces the rw package, which provides functions for evaluating untrusted R expressions in a locally running WebAssembly-and-Node-based webR environment. The evaluation is, by default, configured such that the R code does not have access to the filesystem, network, process tree, or memory. There are options for relaxing the isolation, e.g., giving the R sandbox access to select data directories on the host system and access to persistent R package libraries.
One of the driving factors for the rw project is to provide a tool for exploring how well the host system is isolated from the R code running in webR. What backdoors are available for R code to break out of the webR WebAssembly environment? If it is possible to break out of webR, how much of the host system can we access, if at all? If there are backdoors, can they be closed by updating the webR codebase? Or, do we need a full rewrite in order to use webR to secure the evaluation of untrusted R code? I am inviting the R community to discuss and investigate this area further.
If we can show that sandboxing via webR provides sufficient isolation, then it provides an alternative to traditional sandboxing techniques for evaluating untrusted R code. One immediate application for rw is in peer-to-peer (P2P) distributed computing, where workers can evaluate tasks from peers within a protected sandbox. An implementation of this concept is available in the future.p2p package, part of the Futureverse parallel ecosystem. Sandboxing via rw can also be useful for agentic AI development, where the agents evaluate potentially unsafe R code generated by a large language model (LLM). If it turns out that the isolation is insufficient for untrusted code, rw still provides a valuable tool for R developers to implement and test that their packages also work in webR running in the web browser.
Additional Material or Paper
The slides will be made available at https://www.futureverse.org/.
If you used AI tools or services to support the preparation of this submission, please state the name and reason for using each of them.
Gemini for spell and grammar corrections (only).
| Keywords: Please list up to 5 keywords to help us find the right session for your contribution. | WebAssembly, webR, untrusted code, sandboxing, isolation |
|---|---|
| Virtual Option | This submission is for onsite presentation only |
| Material License | CC-BY 4.0 |
| Video Recording | Video sharing is fine |
| The author(s) agree(s) to take responsibility and be accountable for the contents of the submission and is/are authorized to present it. | Confirm |
| Interested in serving as reviewer? | henrik.bengtsson@gmail.com |