Is WebAssembly Really Safe? --Wasm VM Escape and RCE Vulnerabilities Have Been Found in New Way

Presented at Black Hat USA 2022, Aug. 10, 2022, 1:30 p.m. (40 minutes)

WebAssembly (Wasm) supports binary format which provides languages such as C/C++, C# and Rust with a compilation target on the web. It is a web standard with active participation from all major browser vendors (Chrome, Edge, Firefox, Safari). Also, Wasm runtime can be widely used for edge computing.<br><br>Previous research on Wasm security mostly focuses on exploitation at the compiler and linker level, but few people focus on Wasm VM escape. Therefore, we design a new fuzz framework based on Wasm standard to explore the runtime vulnerability itself. The framework can be compatible with all programs or projects containing Wasm design standards.<br><br>If there is an escape vulnerability in the browser kernel or any project that uses Wasm runtime, when an attacker deploys a page or service containing a malicious Wasm binary, he can control the access device or the server that provides the runtime service.<br>We find that these escape vulnerabilities are usually caused by inadequate operand boundary checking of bytecode interpreter or stack overflow of WASI API. For example, in wasm3 and WasmEdge projects, we use the above two methods to achieve VM escape. Meanwhile, there are many exploitable vulnerabilities in the parsing of file data structure, which are usually overflow vulnerabilities caused by inadequate inspection of some input fields. Normally, these vulnerabilities will lead to denial of service attacks. In the process of fuzzing, we find that almost all wasm runtime projects can exploit such vulnerabilities.<br><br>Finally, we will show the off-by-one vulnerability of a PC stack of WasmEdge that we discovered, which successfully conducts RCE on the host. This process is very ingenious and we will explain it in detail at the demo time.

Presenters:

• Lei Li - Director, Cyberpeace Tech Co., Ltd.
  Lei Li is the technical supervisor for this topic, with more than 20 years of experience in information security. Lei is the Director of Cyberpeace Tech Co., Ltd's Research Lab.
• Mengchen Yu - Information Security Manager, Cyberpeace Tech Co., Ltd.
  "0dyssey" is one of the participants, a slide maker and white paper writer for this topic and XCTF community speakers' advisor.
• Zhichen Wang - Researcher, Cyberpeace Tech Co., Ltd.
  "Zhichen" is a binary researcher in Cyberpeace Tech Co., Ltd., fuzzing every day. Zhichen is good at Rust programming and is an afl++ contributer.
• Zhao Hai - Binary Security Researcher, Cyberpeace Tech Co., Ltd.
  Zhao Hai (ha1vk) is the captain of StarUnion CTF team, binary researcher in Cyberpeace Tech Co., Ltd. He is the major contributor to this topic and developer of WASM runtime RCE exploit.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#is-webassembly-really-safe---wasm-vm-escape-and-rce-vulnerabilities-have-been-found-in-new-way-27237

Similar Presentations:

• FiestaCon 2023 / Offensive WASM
• Shakacon X (2018) / Web (Dis)Assembly – in-depth peek at the VM running inside your Web Browser
• BSidesSF 2019 / Two-Faces of WASM Security