Everything Old is New Again:

Binary Security of WebAssembly

Daniel Lehmann* Johannes Kinder‡ Michael Pradel*

* University of StuttgartGermany

‡ Bundeswehr University MunichGermany

void vuln(char* src) {char buf[8];strcpy(buf, src);

}

Source program

WebAssembly

• Fast, low-level, portable bytecode

• Support in browsers, Node.js, standalone VMs

• Compiled from C, C++, Rust, Go, ...

2

6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...

Client-side

WebAssembly binary

Server-side /

Standalone VMs

void vuln(char* src) {char buf[8];strcpy(buf, src);

}

Source program

Security?

3

6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...

WebAssembly binary

AAAAAAAAA...

• Virtual memory

• Stack canaries

• Control-Flow Integrity (CFI)

• ...

457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...

Native

?><

void vuln(char* src) {char buf[8];strcpy(buf, src);

}

Source program

Security?

4

6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...

WebAssembly binary

AAAAAAAAA...

457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...

Native

“At worst, a buggy or exploited Web-

Assembly program can make a mess of the data in its own memory.”

“Data execution prevention and stack

smashing protection are not neededby WebAssembly programs.”

github.com/WebAssembly/design

Haas et al., PLDI 2017

Contributions

I. In-depth security analysis of WebAssembly

• Linear memory

• Mitigations

II. Library of attack primitives

III. Proof-of-concept exploits on three platforms

IV. Measurements on real-world binaries

5

Contributions

I. In-depth security analysis of WebAssembly

• Linear memory

• Mitigations

II. Library of attack primitives

III. Proof-of-concept exploits on three platforms

IV. Measurements on real-world binaries

6

Attack Outline

7

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Buffer overflow on

unmanaged stack

Sensitive heap data

XSS in the browser

document.write(str)

Stack Canaries

Unmapped Pages

Mitigations?

Managed vs. Unmanaged Data

• Managed by VM: scalar variables, return addresses

• Unmanaged data in memory:

8

✓

Unmanaged

stack,

used by 33%

of all functions

malloc(...)

Heap allocations

char array[10]

struct Type complex

Arrays, structs

void function(int* out)

Address taken, e.g.,

out parameters

const char* string = "..."

Global data, e.g.,

string literals

(local $l i32) call $func

...

return address

stack canary

buf

...

return address

stack canary

buf

Buffer Overflow – Native

9

void vuln(char* src) {char buf[8];strcpy(buf, src);

} rsp

Overflow

Native stack,

e.g., x86-64Legacy code base

...

other

buf

...

other

buf

Buffer Overflow – WebAssembly

10

void vuln(char* src) {char buf[8];strcpy(buf, src);

}

Legacy code base

void caller() {char other[8];vuln(src);

}

$sp

Overflow

Unmanaged stack

Managed data

...

return address

Attack Outline

11

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Buffer overflow on

unmanaged stack

Sensitive heap data

XSS in the browser

document.write(str)

Stack Canaries

Unmapped Pages

Mitigations?

...Heap

Stack

Static

...Heap

Stack

Static

• Single 32-bit memory space

• Contains all unmanaged data

• No "holes", ptr ∈ [0, max_mem]

• No page protections

• No unmapped pages

• Always writable

• No ASLR, fully deterministic

Linear Memory

12

0

higher

addresses

Overflow

Attack Outline

13

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Buffer overflow on

unmanaged stack

Sensitive heap data

XSS in the browser

document.write(str)

Stack Canaries

Unmapped Pages

Mitigations?

XSS in Browser: Demo

14

std::string html = "<img…";pnm2png(input, output);html += output + ">";document.write(html);

void pnm2png(char* input) {// CVE-2018-14550

}

Heap"<img...>"

Stack

Static

C++ web application0

higher

addressesHeap

"<img...>"

StackAAAA...

Static

alert(...)Stack-to-heap

overflow

XSS in Browser: Demo

15

More Primitives...

16

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Stack-based

buffer overflow

Heap data

Stack canaries Unmapped pages Safe unlinking

Other stack frames Constant data

Wasm CFI

Heap metadata

corruption

Stack

overflow

Browser:

XSS

Node.js:

exec()WASI:

fwrite()Redirect calls

Stack → Heap Overwrite → XSS

17

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Safe unlinking

Other stack frames Constant data

Wasm CFI

Heap metadata

corruption

Stack

overflow

Browser:

XSS

Node.js:

exec()WASI:

fwrite()Redirect calls

Stack-based

buffer overflow

Heap data

Stack canaries Unmapped pages

Constant data

Stack-based

buffer overflow

Heap data

Stack canaries Unmapped pages

Stack

overflow

Browser:

XSS

WASI:

fwrite()

asd

Heap Overflow → Function Ptr → RCE

18

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Safe unlinking

Other stack frames

Heap metadata

corruption

Node.js:

exec()Redirect calls

Wasm CFI

Safe unlinking

Heap data Other stack frames

Heap metadata

corruption

Stack

overflow

Browser:

XSS

Node.js:

exec()Redirect calls

Wasm CFI

Stack → String Literal → File Write

19

1. Write Primitive

2. Overwrite Data

3. Malicious Action

Stack-based

buffer overflow

Stack canaries Unmapped pages

Constant data

WASI:

fwrite()

const char* filename = "benign.txt"

20

Summary

21

6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...

457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...<

WebAssembly binary securityManaged vs.

unmanaged data

Linear memory

Attack primitives and mitigations PoCs on three platforms

22

6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ... <

WebAssembly binary securityManaged vs.

unmanaged data

Linear memory

Attack primitives and mitigations PoCs on three platforms

457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...

small icons: icons8.com

mail@dlehmann.eumichael@binaervarianz.dejohannes.kinder@unibw.de

Questions?