Two-Faces of WASM Security

Presented at BSidesSF 2019, March 4, 2019, 2:50 p.m. (30 minutes)

JavaScript is the most popular language of the web. It is one of the fastest dynamic languages around, but even so it cannot compete with raw C/C++. WebAssembly (WASM), an evolution of asm.js, is a low-level, portable binary format that aims to speed up apps on the order of 20x compared to JavaScript. Developers can compile their C/C++/Rust code to wasm modules, which can be used directly from JavaScript code. Currently, WebAssembly is supported across all major browsers. The security model of WASM is based on two concepts: protecting users from malicious modules and providing developers with primitives to build secure modules. For users, wasm modules in a browser are designed to be executed in a safe, sandboxed environment. For developers, primitives like type safety, control flow integrity, execution traps, and protected stacks ensure that modules are safe against direct code injection attacks.

We have seen an increased interest in using WebAssembly for malicious purposes. Initially, wasm was seen in keyloggers and tech support scams. Recently, we have seen increased use of WebAssembly by coin-mining scripts. These mining scripts have become extremely sophisticated and hard to detect. The sophistication of WebAssembly has caused havoc for web authors as well: the number of vulnerable modules has been constantly increasing. In this talk, we present two sides of wasm: 1) the increased sophistication of wasm modules built with malicious intent, and 2) the exploitation of vulnerable modules, which presents an increased attack surface for web authors.

Presenters:

  • Pranjal Jumde
    Pranjal is a Senior Security Engineer at Brave Inc. His primary research interest is browser security and exploitation. Over the past 5 years in the security industry, he has worked on different aspects of security: reverse engineering malware, security automation, developing security features, web application security, and DevSecOps.
  • Kaizhe Huang - Sysdig
    Kaizhe Huang is a security researcher at Sysdig, where he researches defending Kubernetes and containers from attacks ranging from web to kernel. Kaizhe is one of the maintainers of Falco, an incubation-level CNCF project, and the original author of multiple open source projects like kube-psp-advisor. Before joining Sysdig, as an early employee at StackRox, Kaizhe helped build the detection data pipeline, conducted security research and innovated detection based machine learning. Previously, as a senior security engineer at Oracle, he helped build security products: Database Vault, Database Privilege Analyzer and Database Assessment Tool. Kaizhe holds M.S. degrees in Information Security from Carnegie Mellon University.
