
Dan Phillips
AI agents need real sandboxes, not best-effort isolation. This talk shows why WebAssembly eliminates entire classes of exploits by construction, and how a Wasm-based environment enables safe, universal agent execution across browsers, servers, and beyond.
As AI agents gain the ability to execute code, access tools, and interact with external systems, the runtime they operate in becomes a primary security boundary. This talk argues that WebAssembly represents the strongest sandbox available today for agent execution and explores what that actually means in practice.
We’ll examine the specific classes of exploits that simply are not possible in a Wasm-based agent runtime: arbitrary memory reads and writes, syscall abuse, privilege escalation, kernel escapes, shared-library attacks, ambient filesystem access, and uncontrolled process spawning. By constraining execution to explicit module sets, capability-scoped imports and exports, a virtual filesystem, and WebAssembly’s strict Harvard architecture, entire categories of historical sandbox failures are structurally eliminated rather than mitigated.
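The capability-scoped imports and bounds-checked linear memory described above can be observed with the standard WebAssembly JavaScript API. This is an added example, not code from the talk or from Boxer; the hand-assembled guest module and the names `host.log`, `peek` and `run` are constructed for illustration.

```javascript
// Added example; module bytes are hand-assembled for this illustration.
// Equivalent WAT:
//   (module
//     (import "host" "log" (func $log (param i32)))
//     (memory 1 1)
//     (func (export "peek") (param i32) (result i32) local.get 0 i32.load)
//     (func (export "run") (param i32) local.get 0 call $log))
const GUEST = new Uint8Array([
  0x00,0x61,0x73,0x6d, 0x01,0x00,0x00,0x00,                       // magic, version
  0x01,0x0a,0x02, 0x60,0x01,0x7f,0x00, 0x60,0x01,0x7f,0x01,0x7f,  // types
  0x02,0x0c,0x01, 0x04,0x68,0x6f,0x73,0x74, 0x03,0x6c,0x6f,0x67, 0x00,0x00, // import host.log
  0x03,0x03,0x02, 0x01,0x00,                                      // function type indices
  0x05,0x04,0x01, 0x01,0x01,0x01,                                 // memory: exactly 1 page
  0x07,0x0e,0x02, 0x04,0x70,0x65,0x65,0x6b,0x00,0x01, 0x03,0x72,0x75,0x6e,0x00,0x02, // exports
  0x0a,0x10,0x02, 0x07,0x00,0x20,0x00,0x28,0x02,0x00,0x0b, 0x06,0x00,0x20,0x00,0x10,0x00,0x0b, // code
]);

const guestModule = new WebAssembly.Module(GUEST);

// The module's whole view of the host: what it asks for and what it offers.
function declaredInterface() {
  return {
    imports: WebAssembly.Module.imports(guestModule).map(i => `${i.module}.${i.name}`),
    exports: WebAssembly.Module.exports(guestModule).map(e => e.name),
  };
}

// Run fn and return the name of the error it throws, or null if it succeeds.
function errorName(fn) {
  try { fn(); return null; } catch (e) { return e.name; }
}

function demo() {
  const calls = [];
  const grant = { host: { log: v => calls.push(v) } };  // the only capability granted
  const guest = new WebAssembly.Instance(guestModule, grant).exports;
  guest.run(7);                                         // reaches the host only via log
  return {
    withheld: errorName(() => new WebAssembly.Instance(guestModule, { host: {} })),
    inBounds: guest.peek(65532),                  // last aligned word of the 64 KiB page
    pastEnd: errorName(() => guest.peek(65536)),  // first byte outside linear memory
    negative: errorName(() => guest.peek(-1)),    // 0xFFFFFFFF as an unsigned address
    calls,
  };
}

console.log(declaredInterface(), demo());
```

The import list is available before instantiation, so a host can audit exactly which capabilities a module requests and refuse to link any it does not intend to grant.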
Using Boxer as a concrete implementation, we’ll show how these constraints translate into a practical, production-grade agent runtime, specifically one that is deterministic, inspectable, and hostile by default. We’ll also highlight a key but often overlooked advantage: universality. Unlike agent sandboxes tied to specific clouds or server environments, a Wasm-based runtime can execute the same agent logic in browsers, servers, bare metal, and embedded systems without changing the trust model.
Finally, we’ll discuss why this model is not just well-suited for MCP tooling, but represents a general-purpose foundation for the next generation of AI agent runtimes, where safety is enforced by construction, not policy.
WASM I/O 26 • Barcelona • Mar 19-20, 2026 • 2-Day Conference • AXA Convention Center