Code compiled to WebAssembly may lack standard security defenses

guest · Nov 5, 2021

FYI: Code compiled to WebAssembly may lack standard security defenses
November 4, 2021
https://www.theregister.com/2021/11/04/webassembly_stack_canaries/

WebAssembly has been promoted for its security benefits, though researchers in Belgium and New Zealand contend applications built in this binary format lack important protections.

WebAssembly, or WASM, is a bytecode language produced by compiling source code written in languages like C/C++ and Rust. These output files are designed to run in both web and non-web environments and to do so in a sandboxed environment that's safely isolated from the host runtime.
Click to expand...

WebAssembly's documentation describes the format's security goals, and boasts of its memory safety protection.

"[T]he presence of control-flow integrity and protected call stacks prevents direct code injection attacks," the WASM website explains. "Thus, common mitigations such as data execution prevention (DEP) and stack smashing protection (SSP) are not needed by WebAssembly programs."
Click to expand...

Not so, say Quentin Stievenart and Coen De Roover, from Vrije Universiteit Brussel in Belgium, along with Mohammad Ghafari, from the University of Auckland in New Zealand.

In a paper titled, The Security Risk of Lacking Compiler Protection in WebAssembly, distributed via ArXiv, the technical trio say that when a C program is compiled to WASM, it may lack anti-exploit defenses that the programmer takes for granted on native architectures.
Click to expand...

And these issues are not necessarily a deal-breaker: WASM bytecode still exists in a sandbox, and has further defenses against control-flow hijacking techniques such as return-oriented programming.

But as the researchers observe, WASM's documentation insists that stack-smashing protection isn't necessary for WASM code.
Click to expand...

arXiv: The Security Risk of Lacking Compiler Protection in WebAssembly
(PDF): https://arxiv.org/pdf/2111.01421

WebAssembly is increasingly used as the compilation target for cross-platform applications. In this paper, we investigate whether one can rely on the security measures enforced by existing C compilers when compiling C programs to WebAssembly. We compiled 4,469 C programs with known buffer overflow vulnerabilities to x86 code and to WebAssembly, and observed the outcome of the execution of the generated code to differ for 1,088 programs.

Through manual inspection, we identified that the root cause for these is the lack of security measures such as stack canaries in the generated WebAssembly: while x86 code crashes upon a stack-based buffer overflow, the corresponding WebAssembly continues to be executed.
Click to expand...

We conclude that compiling an existing C program to WebAssembly without additional precautions may hamper its security, and we encourage more research in this direction.
Click to expand...

Log in or Sign up

Code compiled to WebAssembly may lack standard security defenses

guest Guest

Log in or Sign up

Code compiled to WebAssembly may lack standard security defenses

guest Guest

Useful Searches