Four enforcement layers, by default.
Standard branes get language-level (WASI 0.2 component imports), process-level (seccomp + namespace), and substrate-level (egress allowlist) enforcement. Frontier branes add the fourth: a Firecracker MicroVM with a hardware kernel boundary. Each layer is sufficient alone; together they make escape an N-layer composition problem.
WASI 0.2 capability imports
seccomp · Linux namespaces
allowlist · network policy
Firecracker · KVM (Frontier)
The properties that matter.
WASI 0.2 component model. Imports declared at link time. Component fails to instantiate if it references unauthorized capabilities.
seccomp filters via libseccomp. Linux namespaces (pid, net, mount, user). cgroups v2 for CPU/memory caps.
Default-deny egress. Allowlist enforced at the resolver and at the gateway. mTLS optional on every internal edge.
Firecracker 1.7. KVM virtualization. Minimal hardened guest kernel. ≤5MB jailer binary, statically linked.
virtio-net, virtio-blk, vsock. No PCI passthrough except explicitly granted GPU.
None. Ephemeral or content-addressed only. Snapshots are signed.
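The substrate layer above is described as a default-deny egress allowlist enforced at both the resolver and the gateway. The following is an added example, not the product's own code, that shows why two enforcement points matter: the resolver refuses to answer for names that are not allowlisted, and the gateway only admits connections to addresses the resolver actually handed out, so a direct-IP connection that never went through the resolver is still denied. The hostnames, addresses, DNS table and port policy are constructed for illustration.

```python
"""Default-deny egress evaluated at the resolver and again at the gateway.

Added example, not the product's own code. All names, IPs and policy
entries below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed allowlist: hostname -> permitted ports. Anything absent is denied.
EGRESS_ALLOWLIST = {
    "api.example.com": {443},
    "registry.example.net": {443, 5000},
    "metrics.example.com": {443},
}

# Constructed stand-in for DNS answers; a real resolver would query upstream.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "registry.example.net": ["198.51.100.20", "198.51.100.21"],
    "metrics.example.com": ["10.0.0.7"],   # points into the substrate's own net
    "evil.example.org": ["192.0.2.5"],
}

# Ranges an allowlisted name must never resolve into, so that a name which is
# later repointed at internal infrastructure does not become a path inward.
BLOCKED_RANGES = [
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("169.254.0.0/16"),
    ip_network("127.0.0.0/8"),
]


@dataclass
class EgressPolicy:
    allowlist: dict
    dns: dict
    # host -> set of IPs the resolver has actually handed out for that host
    pinned: dict = field(default_factory=dict)
    # every denial, in order, for the audit log
    denials: list = field(default_factory=list)

    def resolve(self, host: str) -> list:
        """Resolver-side check: answer only for allowlisted names, and only
        with addresses outside the blocked ranges."""
        if host not in self.allowlist:
            self.denials.append(("resolver", host))
            return []
        answers = []
        for ip in self.dns.get(host, []):
            if any(ip_address(ip) in net for net in BLOCKED_RANGES):
                self.denials.append(("resolver-range", host, ip))
                continue
            answers.append(ip)
        self.pinned.setdefault(host, set()).update(answers)
        return answers

    def connect(self, ip: str, port: int) -> bool:
        """Gateway-side check: the destination must be an address the resolver
        pinned for some allowlisted host, on a port that host permits."""
        for host, ips in self.pinned.items():
            if ip in ips and port in self.allowlist[host]:
                return True
        self.denials.append(("gateway", ip, port))
        return False


if __name__ == "__main__":
    policy = EgressPolicy(EGRESS_ALLOWLIST, FAKE_DNS)
    print(policy.resolve("api.example.com"), policy.connect("203.0.113.10", 443))
    print(policy.resolve("evil.example.org"), policy.connect("192.0.2.5", 443))
    print(policy.denials)
```

The gateway never consults the allowlist by hostname; it only trusts what the resolver pinned. That is what makes the two checks independent: bypassing the resolver with a raw address leaves nothing pinned, and the gateway denies.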
What you can rely on.
Standard branes are sandboxed at every level except the kernel boundary
WASI 0.2 + seccomp + allowlist is sufficient for the vast majority of workloads. Cold start stays at 1.2ms because none of these add hot-path overhead.
Frontier adds the kernel boundary
For untrusted multi-tenant code, large memory, GPU, or anything with a real JIT, Frontier wraps the brane in a Firecracker MicroVM. 125ms boot is the price.
Every escape attempt is recorded
seccomp denials, link-time capability mismatches, allowlist breaks — all enter the hash-chained audit log. If anything tried to escape, the chain shows it.
Layers are independently sufficient
A bug in WASI doesn't reach you because seccomp catches it. A bug in seccomp doesn't reach you because the allowlist catches it. A bug in the allowlist doesn't reach you because Firecracker (Frontier) catches it.
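The two properties above, that every denial enters a hash-chained audit log and that the layers are independently sufficient, are shown together in the following added example. It is not the product's own code: the request shape, the per-layer policies and the hashing scheme (SHA-256 over the previous entry's hash and the canonical JSON of the event) are assumptions. Each layer checks only the facet of a request it understands, so one action is judged by several layers; disabling a layer simulates a bug in it and the remaining layers still deny. Tampering with any logged entry breaks chain verification.

```python
"""Independent enforcement layers writing denials to a hash-chained audit log.

Added example, not the product's own code. Layer names follow the page;
request format, policies and hashing scheme are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # assumed chain anchor for the first entry

# Constructed per-layer policies. Each layer answers on its own facet only.
WASI_IMPORTS_ALLOWED = {"wasi:clocks/wall-clock@0.2.0", "wasi:random/random@0.2.0"}
SECCOMP_ALLOWED_SYSCALLS = {"read", "write", "clock_gettime", "getrandom", "exit_group"}
EGRESS_ALLOWLIST = {"api.example.com"}


def _canonical(event: dict) -> str:
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        """Append an event, chaining it to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + _canonical(event)).encode()).hexdigest()
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every link; any edited, reordered or dropped entry fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if hashlib.sha256((prev + _canonical(e["event"])).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Each layer returns True/False for a facet it handles, or None if the request
# has no such facet (the layer is not applicable, which is not an allow).
def layer_wasi(req):
    # Language level: an import not declared as authorized fails at link time.
    if "import" not in req:
        return None
    return req["import"] in WASI_IMPORTS_ALLOWED


def layer_seccomp(req):
    # Process level: a syscall outside the filter is denied.
    if "syscall" not in req:
        return None
    return req["syscall"] in SECCOMP_ALLOWED_SYSCALLS


def layer_egress(req):
    # Substrate level: default-deny network policy by destination host.
    if "host" not in req:
        return None
    return req["host"] in EGRESS_ALLOWLIST


LAYERS = [("wasi", layer_wasi), ("seccomp", layer_seccomp), ("egress", layer_egress)]


def enforce(req: dict, log: AuditLog, disabled=()) -> bool:
    """Run every layer; deny if any applicable layer denies. `disabled` names
    layers simulated as buggy (they answer nothing), to show the rest still hold."""
    allowed = True
    for name, layer in LAYERS:
        if name in disabled:
            continue
        if layer(req) is False:
            log.append({"layer": name, "denied": req})
            allowed = False
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    escape = {"import": "wasi:sockets/tcp@0.2.0", "syscall": "connect", "host": "evil.example.org"}
    print(enforce(escape, log), enforce(escape, log, disabled=("wasi", "seccomp")))
    print(len(log.entries), log.verify())
```

A request with no network facet is never seen by the egress layer, which is why `None` is distinct from `True`: a layer that is not applicable contributes nothing, while a layer that is applicable must affirmatively allow.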