Secure and Efficient Wasm Compilation of Proc Macros in Rust
The article discusses a pre-RFC proposal for sandboxed, deterministic, reproducible, and efficient WebAssembly (Wasm) compilation of procedural macros in Rust. Currently, procedural macros in Rust expose users to potential security risks, as they can execute arbitrary code. To address this, the proposal suggests a precompilation process where the crate is compiled locally and then securely verified by a service managed by crates.io. This service ensures that the compiled Wasm artifact matches the crate's source code before making it available to users. Users can opt in to running procedural macros within a Wasm sandbox by installing a suitable Wasm runtime as a Rustup component. The sandboxing approach reduces the audit burden and improves determinism in build systems, as sandboxed macros cannot access external resources or rely on OS randomness. Additionally, the proposal highlights the importance of isolation for large-scale build systems and aims to improve compile times for procedural macros. This pre-RFC proposal presents a promising solution to enhance the security, determinism, and efficiency of procedural macros in Rust.
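The sandboxing claim rests on a property of WebAssembly itself: a module can reach its host only through the functions, memories, tables and globals it imports. As an added example (not code from the pre-RFC or from crates.io), the Rust below parses the import section of a Wasm binary so a reviewer can see what a precompiled macro artifact would ask of its runtime; `SAMPLE` is a constructed module that imports WASI's `random_get`.

```rust
fn take<'a>(b: &'a [u8], p: &mut usize, n: usize) -> Option<&'a [u8]> {
    let s = b.get(*p..p.checked_add(n)?)?;
    *p += n;
    Some(s)
}
fn leb(b: &[u8], p: &mut usize) -> Option<u32> {
    let mut v = 0u32;
    for shift in (0..32u32).step_by(7) {
        let x = take(b, p, 1)?[0] as u32;
        v |= (x & 0x7f) << shift;
        if x < 0x80 { return Some(v); }
    }
    None // more than five bytes: over-long LEB128
}
fn name(b: &[u8], p: &mut usize) -> Option<String> {
    let len = leb(b, p)? as usize;
    String::from_utf8(take(b, p, len)?.to_vec()).ok()
}
fn limits(b: &[u8], p: &mut usize) -> Option<()> {
    let has_max = (take(b, p, 1)?[0] & 1) == 1;
    leb(b, p)?; // min
    if has_max { leb(b, p)?; } // max
    Some(())
}
/// Added example: (module, field) of every import; None if not a well-formed v1 binary.
pub fn imports(b: &[u8]) -> Option<Vec<(String, String)>> {
    if !b.starts_with(b"\0asm\x01\0\0\0") { return None; }
    let (mut p, mut out) = (8usize, Vec::new());
    while p < b.len() {
        let (id, size) = (take(b, &mut p, 1)?[0], leb(b, &mut p)? as usize);
        let sec = take(b, &mut p, size)?;
        if id != 2 { continue; } // 2 = import section; every other section is skipped
        let mut q = 0usize;
        for _ in 0..leb(sec, &mut q)? {
            out.push((name(sec, &mut q)?, name(sec, &mut q)?));
            match take(sec, &mut q, 1)?[0] {
                0 => { leb(sec, &mut q)?; }                          // function: type index
                1 => { take(sec, &mut q, 1)?; limits(sec, &mut q)? } // table: reftype, limits
                2 => limits(sec, &mut q)?,                           // memory: limits
                3 => { take(sec, &mut q, 2)?; }                      // global: valtype, mutability
                _ => return None,
            }
        }
    }
    Some(out)
}
// Constructed sample: a type section, then one function import (WASI random_get).
pub const SAMPLE: &[u8] = b"\0asm\x01\0\0\0\x01\x07\x01\x60\x02\x7f\x7f\x01\x7f\
    \x02\x25\x01\x16wasi_snapshot_preview1\x0arandom_get\0\0";
fn main() { println!("{:?}", imports(SAMPLE)); }
```

A module whose import list is empty has no way to ask the host for files, network access or randomness; which imports a macro runtime would actually provide is not specified on this page.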