binary security of webassembly · 22 6100 6d73 0001 0000 0a01 6002 7f01 6000 7f02 007f 0d02 0401...
TRANSCRIPT
Everything Old is New Again:
Binary Security of WebAssembly
Daniel Lehmann* Johannes Kinder‡ Michael Pradel*
* University of StuttgartGermany
‡ Bundeswehr University MunichGermany
void vuln(char* src) {char buf[8];strcpy(buf, src);
}
Source program
WebAssembly
• Fast, low-level, portable bytecode
• Support in browsers, Node.js, standalone VMs
• Compiled from C, C++, Rust, Go, ...
2
6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...
Client-side
WebAssembly binary
Server-side /
Standalone VMs
void vuln(char* src) {char buf[8];strcpy(buf, src);
}
Source program
Security?
3
6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...
WebAssembly binary
AAAAAAAAA...
• Virtual memory
• Stack canaries
• Control-Flow Integrity (CFI)
• ...
457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...
Native
?><
void vuln(char* src) {char buf[8];strcpy(buf, src);
}
Source program
Security?
4
6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...
WebAssembly binary
AAAAAAAAA...
457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...
Native
“At worst, a buggy or exploited Web-
Assembly program can make a mess of the data in its own memory.”
“Data execution prevention and stack
smashing protection are not neededby WebAssembly programs.”
github.com/WebAssembly/design
Haas et al., PLDI 2017
Contributions
I. In-depth security analysis of WebAssembly
• Linear memory
• Mitigations
II. Library of attack primitives
III. Proof-of-concept exploits on three platforms
IV. Measurements on real-world binaries
5
Contributions
I. In-depth security analysis of WebAssembly
• Linear memory
• Mitigations
II. Library of attack primitives
III. Proof-of-concept exploits on three platforms
IV. Measurements on real-world binaries
6
Attack Outline
7
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Buffer overflow on
unmanaged stack
Sensitive heap data
XSS in the browser
document.write(str)
Stack Canaries
Unmapped Pages
Mitigations?
Managed vs. Unmanaged Data
• Managed by VM: scalar variables, return addresses
• Unmanaged data in memory:
8
✓
Unmanaged
stack,
used by 33%
of all functions
malloc(...)
Heap allocations
char array[10]
struct Type complex
Arrays, structs
void function(int* out)
Address taken, e.g.,
out parameters
const char* string = "..."
Global data, e.g.,
string literals
(local $l i32) call $func
...
return address
stack canary
buf
...
return address
stack canary
buf
Buffer Overflow – Native
9
void vuln(char* src) {char buf[8];strcpy(buf, src);
} rsp
Overflow
Native stack,
e.g., x86-64Legacy code base
...
other
buf
...
other
buf
Buffer Overflow – WebAssembly
10
void vuln(char* src) {char buf[8];strcpy(buf, src);
}
Legacy code base
void caller() {char other[8];vuln(src);
}
$sp
Overflow
Unmanaged stack
Managed data
...
return address
Attack Outline
11
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Buffer overflow on
unmanaged stack
Sensitive heap data
XSS in the browser
document.write(str)
Stack Canaries
Unmapped Pages
Mitigations?
...Heap
Stack
Static
...Heap
Stack
Static
• Single 32-bit memory space
• Contains all unmanaged data
• No "holes", ptr ∈ [0, max_mem]
• No page protections
• No unmapped pages
• Always writable
• No ASLR, fully deterministic
Linear Memory
12
0
higher
addresses
Overflow
Attack Outline
13
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Buffer overflow on
unmanaged stack
Sensitive heap data
XSS in the browser
document.write(str)
Stack Canaries
Unmapped Pages
Mitigations?
XSS in Browser: Demo
14
std::string html = "<img…";pnm2png(input, output);html += output + ">";document.write(html);
void pnm2png(char* input) {// CVE-2018-14550
}
Heap"<img...>"
Stack
Static
C++ web application0
higher
addressesHeap
"<img...>"
StackAAAA...
Static
alert(...)Stack-to-heap
overflow
XSS in Browser: Demo
15
More Primitives...
16
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Stack-based
buffer overflow
Heap data
Stack canaries Unmapped pages Safe unlinking
Other stack frames Constant data
Wasm CFI
Heap metadata
corruption
Stack
overflow
Browser:
XSS
Node.js:
exec()WASI:
fwrite()Redirect calls
Stack → Heap Overwrite → XSS
17
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Safe unlinking
Other stack frames Constant data
Wasm CFI
Heap metadata
corruption
Stack
overflow
Browser:
XSS
Node.js:
exec()WASI:
fwrite()Redirect calls
Stack-based
buffer overflow
Heap data
Stack canaries Unmapped pages
Constant data
Stack-based
buffer overflow
Heap data
Stack canaries Unmapped pages
Stack
overflow
Browser:
XSS
WASI:
fwrite()
asd
Heap Overflow → Function Ptr → RCE
18
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Safe unlinking
Other stack frames
Heap metadata
corruption
Node.js:
exec()Redirect calls
Wasm CFI
Safe unlinking
Heap data Other stack frames
Heap metadata
corruption
Stack
overflow
Browser:
XSS
Node.js:
exec()Redirect calls
Wasm CFI
Stack → String Literal → File Write
19
1. Write Primitive
2. Overwrite Data
3. Malicious Action
Stack-based
buffer overflow
Stack canaries Unmapped pages
Constant data
WASI:
fwrite()
const char* filename = "benign.txt"
20
Summary
21
6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ...
457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...<
WebAssembly binary securityManaged vs.
unmanaged data
Linear memory
Attack primitives and mitigations PoCs on three platforms
22
6100 6d73 0001 00000a01 6002 7f01 60007f02 007f 0d02 04016f68 7473 ... <
WebAssembly binary securityManaged vs.
unmanaged data
Linear memory
Attack primitives and mitigations PoCs on three platforms
457f 464c 0102 00010003 003e 0001 00000d70 0000 0000 00000040 0000 ...
small icons: icons8.com
[email protected]@[email protected]
Questions?