WebAssembly (or WASM) is a new W3C web format that defines a whole environment to allow code execution in modern web browsers with close to native performance. Today, this format is supported by all major web browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari, and on most platforms (PC/Mac, phones, tablets). WebAssembly allows users to play 3D games, have video/audio chats and perform computations in their browser with a higher level of performance than JavaScript could ever provide. To achieve this, WASM code is first compiled from a high-level language (for example, C or Rust) into WASM bytecode, which is then loaded and validated by the web browser. While parsing the bytecode, web browsers additionally JIT-compile the WebAssembly bytecode into native code, thereby approaching native speeds.
Although designed to coexist with the JS engine, the WASM engine operates in its own dedicated “portable and sandboxed” virtual machine inside the browser. In this presentation, we will first show how this VM works by looking at the specification, the binary encoding, and the memory layout. We will then explore to what extent WASM affects the traditional attack surface of web browsers by analyzing how it is implemented in some major web browsers. In particular, we will cover some weak spots that past vulnerabilities have leveraged to achieve code execution. Finally, we will cover the future of WebAssembly as it aims to evolve as a W3C standardized specification and see how upcoming features may make room for more security vulnerabilities.
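The "loaded and validated" step and the binary encoding mentioned above are where a browser engine first has to distrust its input. The following is an added example, not code from the talk or from any browser engine: a minimal Python walker over the WebAssembly binary format (magic, version, section table, LEB128 sizes) that performs the structural checks a loader applies before it trusts any section content. The 41-byte module it parses is constructed here by hand (a single exported `add` function) and is an assumption of this example, as are the function names.

```python
"""Structural validation of a WebAssembly binary (added example).

A loader must reject malformed input before decoding section contents:
bad magic, unknown version, a section size larger than the remaining
buffer, over-long LEB128 integers, and sections out of spec order.
"""
import struct

WASM_MAGIC = b"\x00asm"
WASM_VERSION = 1

# Section ids from the binary format; 0 (custom) may appear anywhere.
SECTION_NAMES = {
    0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
    5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
    10: "code", 11: "data", 12: "datacount",
}
# Required order of non-custom sections (datacount precedes code and data).
SECTION_ORDER = [1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 10, 11]


class WasmFormatError(ValueError):
    """Raised when the bytes do not follow the binary encoding rules."""


def read_uleb128(buf, pos, max_bytes=5):
    """Decode an unsigned LEB128 u32 at pos; return (value, new_pos).
    A u32 needs at most 5 bytes, so longer encodings are rejected rather
    than letting a hostile input keep the decoder looping."""
    result, shift = 0, 0
    for _ in range(max_bytes):
        if pos >= len(buf):
            raise WasmFormatError("truncated LEB128 at offset %d" % pos)
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos
    raise WasmFormatError("LEB128 longer than %d bytes" % max_bytes)


def parse_sections(module):
    """Validate the header and section table.
    Returns [(section_id, content_offset, content_size), ...]."""
    if len(module) < 8:
        raise WasmFormatError("module shorter than the 8-byte header")
    if module[:4] != WASM_MAGIC:
        raise WasmFormatError("bad magic %r" % module[:4])
    version = struct.unpack_from("<I", module, 4)[0]
    if version != WASM_VERSION:
        raise WasmFormatError("unsupported version %d" % version)

    sections, pos, last_rank = [], 8, -1
    while pos < len(module):
        sec_id = module[pos]
        pos += 1
        if sec_id not in SECTION_NAMES:
            raise WasmFormatError("unknown section id %d" % sec_id)
        size, pos = read_uleb128(module, pos)
        # The declared size is attacker-controlled: bound it by what is left.
        if size > len(module) - pos:
            raise WasmFormatError("section %d claims %d bytes, only %d remain"
                                  % (sec_id, size, len(module) - pos))
        if sec_id != 0:
            rank = SECTION_ORDER.index(sec_id)
            if rank <= last_rank:
                raise WasmFormatError("section %s out of order" % SECTION_NAMES[sec_id])
            last_rank = rank
        sections.append((sec_id, pos, size))
        pos += size
    return sections


def read_name(buf, pos):
    """Decode a length-prefixed UTF-8 name; the length is bounds-checked."""
    n, pos = read_uleb128(buf, pos)
    if n > len(buf) - pos:
        raise WasmFormatError("name length %d exceeds buffer" % n)
    return buf[pos:pos + n].decode("utf-8"), pos + n


def export_names(module):
    """Return [(name, kind, index), ...] from the export section, if any."""
    exports = []
    for sec_id, off, size in parse_sections(module):
        if sec_id != 7:
            continue
        body = module[off:off + size]
        count, pos = read_uleb128(body, 0)
        for _ in range(count):
            name, pos = read_name(body, pos)
            if pos >= len(body):
                raise WasmFormatError("truncated export entry")
            kind = body[pos]          # 0=func, 1=table, 2=mem, 3=global
            pos += 1
            index, pos = read_uleb128(body, pos)
            exports.append((name, kind, index))
        if pos != len(body):
            raise WasmFormatError("trailing bytes in export section")
    return exports


# Constructed sample: (func (export "add") (param i32 i32) (result i32)
#   local.get 0 local.get 1 i32.add)
SAMPLE_MODULE = bytes.fromhex(
    "0061736d01000000"            # magic + version 1
    "0107016002 7f7f017f"         # type section: one functype (i32,i32)->i32
    "03020100"                    # function section: func 0 uses type 0
    "07070103616464 0000"         # export section: "add" -> func 0
    "0a09010700 2000 2001 6a0b"   # code section: no locals, add, end
)

if __name__ == "__main__":
    for sec_id, off, size in parse_sections(SAMPLE_MODULE):
        print("%-9s at %2d, %2d bytes" % (SECTION_NAMES[sec_id], off, size))
    print(export_names(SAMPLE_MODULE))
```

Run stand-alone it lists the four sections of the sample and its single export. Feeding it a truncated copy of the module, or a header followed by a section that claims a size of 0xFFFFFFFF, raises `WasmFormatError` at the size check instead of reading past the buffer, which is exactly the class of bug a browser's real decoder has to get right in native code.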