A Journey Into Fuzzing WebAssembly Virtual Machines

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes).

Since the MVP release in 2017, WebAssembly has evolved gradually, bringing new adopters and new VM implementations over time. It's now possible to run WebAssembly modules in every modern browser, on some blockchains, or using a standalone VM.

In the same way that multiple JavaScript engines are available, there are now a number of different WebAssembly VMs with their own runtime engines. Their implementations can be totally different, ranging from simple bytecode interpretation to complex JIT and AOT compilation. This diversity also exists in the programming language chosen for VM development, which directly impacts the internal security of each part of the virtual machine.

During this talk, we will introduce what WebAssembly is, dive deeper into WebAssembly VM architecture, identify the attack surface, and explain our fuzzing strategy to target each different VM component, from module parsing to the runtime execution engine. Also, since we are not targeting only one implementation, we will maximize our success rate by using different fuzzing frameworks and techniques such as coverage-guided, structural, and differential fuzzing.

This journey leads us to the discovery of more than 50 bugs/vulnerabilities across a dozen C/C++/Rust projects. We will conclude with a global overview of the results, with a focus on some concrete, impactful vulnerabilities.


Presenters:

  • Patrick Ventuzelo - CEO, FuzzingLabs
    Patrick Ventuzelo (@Pat_Ventuzelo) is a French senior security researcher specializing in fuzzing, vulnerability research, and reverse engineering. He is the founder of FuzzingLabs and spends his days doing research and giving training around Rust, Go, WebAssembly, Blockchain, and Browser security. Over time, he has found hundreds of bugs and has presented his work at various security conferences around the globe, including OffensiveCon, REcon, RingZer0, ToorCon, hack.lu, NorthSec, FIRST, Microsoft DCC, etc.
