
Security Model

mik uses a layered capability model to isolate WASM modules from infrastructure.

| Layer | Network Access | Purpose |
|---|---|---|
| Scripts | None - host.call() only | Orchestration |
| Handlers | HTTP to sidecars only | Business logic |
| Sidecars | Native (full access) | Infrastructure adapters |

These capabilities are granted to WASM handlers:

| Capability | WASI Interface | Rationale |
|---|---|---|
| Wall Clock | wasi:clocks/wall-clock | Timestamps, TTL calculations |
| Monotonic Clock | wasi:clocks/monotonic-clock | Performance timing |
| Random | wasi:random/random | UUIDs, cryptographic operations |
| Logging (stderr) | wasi:cli/stderr | Observability |
| Environment | wasi:cli/environment | Configuration injection |
| HTTP Client | wasi:http/outgoing-handler | Sidecar communication |

These are never granted:

| Capability | Reason |
|---|---|
| Filesystem access | Breaks isolation, data exfiltration risk |
| Raw sockets | Bypasses HTTP policy enforcement |
| Process spawning | Sandbox escape |
| Direct database drivers | Credential exposure |

| Threat | Mitigation |
|---|---|
| Path traversal | Input sanitization, path validation |
| DoS via large bodies | Configurable body size limits |
| DoS via slow handlers | Execution timeouts, circuit breaker |
| Resource exhaustion | Rate limiting (global + per-module) |
| Unbounded allocations | LRU cache with byte limits |
| Handler failures | Circuit breaker with half-open recovery |

```toml
[server]
# Limit request body size
max_body_size_mb = 10
# Limit execution time
execution_timeout_secs = 30
# Rate limiting
max_concurrent_requests = 1000 # Global limit
max_per_module_requests = 10 # Per-handler limit
# Restrict outgoing HTTP
http_allowed = ["*.internal.example.com"]
```

Control which hosts handlers can reach. Each line below is an alternative value for http_allowed; set only one:

```toml
# Disable all outgoing HTTP (most restrictive)
http_allowed = []
# Allow specific hosts
http_allowed = ["api.example.com", "db-sidecar"]
# Wildcard subdomains
http_allowed = ["*.internal.example.com"]
# Allow all (least restrictive)
http_allowed = ["*"]
```
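
The matching rules an allowlist like http_allowed implies, as an added example (not mik's own code). The semantics are assumptions: an empty list denies everything, "*" allows everything, "*.suffix" allows only strict subdomains on a label boundary, and the host is passed without a port; `host_allowed` and `normalize` are hypothetical names.

```rust
// Added example, not mik's implementation. Assumed semantics:
//   []            -> deny everything
//   "*"           -> allow everything
//   "*.suffix"    -> allow strict subdomains of suffix (label boundary)
//   anything else -> exact, case-insensitive host match
// The host is assumed to be a bare hostname (no scheme, no port).

/// Normalise a host for comparison: lowercase, drop trailing root dots.
fn normalize(host: &str) -> String {
    host.trim_end_matches('.').to_ascii_lowercase()
}

/// Returns true when `host` is permitted by the `http_allowed` patterns.
pub fn host_allowed(patterns: &[&str], host: &str) -> bool {
    let host = normalize(host);
    if host.is_empty() {
        return false;
    }
    patterns.iter().any(|p| {
        let p = p.to_ascii_lowercase();
        if p == "*" {
            true
        } else if let Some(suffix) = p.strip_prefix("*.") {
            // Require a '.' right before the suffix, so that
            // "evilinternal.example.com" does not match
            // "*.internal.example.com", and require at least one label
            // in front of it, so the bare suffix does not match either.
            host.len() > suffix.len() + 1
                && host.ends_with(suffix)
                && host.as_bytes()[host.len() - suffix.len() - 1] == b'.'
        } else {
            p == host
        }
    })
}

fn main() {
    // Constructed policy and hosts, for illustration only.
    let policy = ["*.internal.example.com", "db-sidecar"];
    for host in ["cache.internal.example.com", "db-sidecar", "internal.example.com.attacker.test"] {
        println!("{host}: {}", host_allowed(&policy, host));
    }
}
```

A plain suffix comparison without the label-boundary check would accept look-alike hosts, which is the case worth testing in any allowlist of this shape.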

Scripts can only call handlers via host.call(). This prevents:

  • Scripts from bypassing handler logic
  • Direct database access from orchestration layer
  • Credential leakage through script injection

Handlers use wasi:http/outgoing-handler to call sidecars. Benefits:

  • No database drivers in WASM (smaller binaries)
  • Credentials stay in sidecars
  • All requests are auditable
  • Policy enforcement at sidecar layer

Sidecars are native processes with full access. They:

  • Own database connection pools
  • Enforce authentication and rate limits
  • Translate HTTP to infrastructure protocols
  • Can implement caching and retries

This security model preserves handler portability. The same .wasm file works on any WASI Preview 2 runtime—handlers don’t know they’re running on mik, they just make HTTP requests.