AI + Wasm: Sandboxing codegen, fixing Wasmtime fast, & new research | Ep29 | WebAssembly Unleashed

AI is making code generation feel effortless, but it’s also flooding systems with more untrusted, machine-written logic than most teams are prepared to safely run. In this episode of WebAssembly Unleashed, Joel Moses and Oscar Spencer zoom out on what that shift means for WebAssembly, security, and the future of software development, with special guest Ben Titzer, Director of the WebAssembly Research Institute at Carnegie Mellon and one of the principal creators of the WebAssembly standard. They start with a timely catalyst: a Bytecode Alliance Wasmtime security sprint where engineers used new AI models to stress-test the runtime and patch 11 vulnerabilities in just three weeks. From there, the conversation tackles the bigger question: if AI dissolves language boundaries for developers, does language still matter at runtime? Ben argues that it does, and that WebAssembly’s deterministic execution, portability, and lightweight sandboxing become even more valuable when code is generated on demand and needs to run safely across machines. The episode digs into how researchers are using WebAssembly to sandbox AI-generated code, why containers alone can be too heavyweight or too permissive, and how capability-based security is still underused as teams connect agents to tools and APIs. Ben also shares where AI is useful today, from generating tests to surfacing corner cases, and where it still struggles, especially with architecture and abstraction. The discussion closes with a look at active research in the Wasm ecosystem, including instrumentation languages, component interposition, dynamic language performance, kernel interfaces, and deterministic record-and-replay, plus an honest take on how AI is reshaping how students learn and how educators assess real understanding. Chapters: 00:00 Welcome to WebAssembly Unleashed 00:48 Wasmtime “AI sprint”: 11 new vulns found and patched fast 02:28 AI codegen shifts the question: does language still matter? 03:43 Does AI's impact on language boundaries make Wasm less relevant or more? 04:44 Sandboxing AI-generated code (near-native speed, safer) 05:33 Containers vs Wasm: Second-layer sandboxing + lower latency 06:37 Microsecond startup: Wasm as the “VM” for tool-running agents 07:53 MCP/tools need sandboxing too (capability-based security) 09:31 AI use in WebAssembly research: Patches, test generation, and gray-box bug finding 11:18 AI code quality in terms of research vs production 15:29 CMU research: Whamm, splicer instrumentation, replayable debugging, & more 21:04 What gaps has AI exposed in WebAssembly? 23:46 AI's impact on human engagement and creativity with computing 26:02 How is AI affecting student's learning and critical thinking? Read the Wasmtime blog: https://bytecodealliance.org/articles... For more from F5's Office of the CTO visit the following sites: Blogs - https://www.f5.com/company/octo Reports - https://www.f5.com/services/resources... Meet Your Hosts: Joel Moses |   / joelmoses   | https://community.f5.com/users/joel_m... Oscar Spencer |   / oscar_spen   |   / oscarspen   Matthew Yacobucci |   / matthew-yacobucci-323b4b2   ⬇️⬇️⬇️ JOIN THE COMMUNITY! ⬇️⬇️⬇️ DevCentral is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together. Find all our platform links ⬇️ and follow our Community Evangelists! 👋 ➡️ DEVCENTRAL: https://community.f5.com ➡️ YOUTUBE:    / devcentral   ➡️ LINKEDIN:   / f5-devcentral   ➡️ TWITTER:   / devcentral   Your Community Evangelists: 👋 Jason Rahm:   / jrahm   |   / jasonrahm   👋 Buu Lam:   / buulam   |   / buulam   👋 Aubrey King:   / aubreyking   |   / aubreykingf5   👋 Chase Abbott:   / chaseabbott1