WebAssembly: A New World of Native Exploits on the Browser

Black Hat USA 2018

Presented by: Justin Engler, Tyler Lukasiewicz
Date: Thursday August 09, 2018
Time: 12:10 - 13:00
Location: Islander FG

WebAssembly (WASM) is a new technology being developed by the major browser vendors through the W3C. A direct descendant of NaCl and asm.js, its goal is to let web developers run native (e.g. C/C++) code in a web page at near-native performance. WASM is already widely supported in the latest versions of all major browsers, and new use-case examples are constantly popping up in the wild. Notable examples include 3D model rendering, interface design, visual data processing, and video games. Beyond providing significant performance benefits to developers, WebAssembly is also touted as being exceptionally secure. Developers claim that buffer overflows will be an impossibility, as any attempted access to out-of-bounds memory will be caught by a JavaScript error. Their documentation claims that control flow integrity is enforced implicitly and that "common mitigations such as data execution prevention (DEP) and stack smashing protection (SSP) are not needed by WebAssembly programs." However, the documentation also outlines several possible vectors of attack, including race conditions, code reuse attacks, and side channel attacks.

The goal of this talk is to provide a basic introduction to WebAssembly and examine the actual security risks that a developer may take on by using it. We will cover the low-level semantics of WebAssembly, including the JavaScript API, the linear memory model, and the use of tables as function pointers. We will cover several examples demonstrating the theoretical security implications of WASM, such as linear memory being shared between modules and the passing of a JavaScript 'Number' to a WASM function that expects a signed integer. We will also cover Emscripten, which is currently the most popular WebAssembly compiler toolchain. Our assessment of Emscripten will include its implementation of compiler- and linker-level exploit mitigations as well as the internal hardening of its libc implementation, and how its augmentation of WASM introduces new attack vectors and methods of exploitation. As part of this we will also provide practical examples of memory corruption exploits in the WASM environment that may lead to hijacking control flow or even executing arbitrary JavaScript within the context of the web page. Finally, we will provide a basic outline of best practices and security considerations for developers wishing to integrate WebAssembly into their product.
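To make the boundary behaviour the abstract mentions concrete, here is an added example that is not from the talk or its authors: a tiny WebAssembly module hand-assembled as constructed bytes (assumed to run under Node.js, where the WebAssembly API is available without a browser) that shows the ToInt32 coercion applied when a JavaScript Number is passed to an i32 parameter, the trap raised by an out-of-bounds load, JavaScript and the module reading the same linear memory, and a JS-side guard that validates an index before the coercion can hide a bad value. The export names `id`, `load` and `mem` and the helper functions are my own assumptions, not part of any real toolchain output.

```javascript
// Added example (not from the talk). A hand-assembled WebAssembly module,
// embedded as constructed bytes so it runs offline in Node.js. It exports:
//   id(x)    : (i32) -> i32, returns its argument unchanged
//   load(p)  : (i32) -> i32, performs i32.load at byte offset p
//   mem      : one 64 KiB page of linear memory (no maximum)
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,       // type 0: (i32) -> i32
  0x03, 0x03, 0x02, 0x00, 0x00,                         // two functions of type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                         // memory: min 1 page
  0x07, 0x13, 0x03,                                     // export section, 3 entries
  0x02, 0x69, 0x64, 0x00, 0x00,                         //   "id"   -> func 0
  0x04, 0x6c, 0x6f, 0x61, 0x64, 0x00, 0x01,             //   "load" -> func 1
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,                   //   "mem"  -> memory 0
  0x0a, 0x0e, 0x02,                                     // code section, 2 bodies
  0x04, 0x00, 0x20, 0x00, 0x0b,                         //   local.get 0; end
  0x07, 0x00, 0x20, 0x00, 0x28, 0x02, 0x00, 0x0b,       //   local.get 0; i32.load align=4; end
]);

const wasm = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES)).exports;

// 1. Argument coercion: the JS API applies ToInt32 to any Number handed to an
//    i32 parameter, so fractions are truncated and values outside the signed
//    32-bit range wrap silently. The module never sees the original Number.
function coerceToI32(n) {
  return wasm.id(n);
}

// 2. Bounds checking: a load that reaches past the end of linear memory traps
//    with WebAssembly.RuntimeError rather than reading adjacent host memory.
//    A negative index is coerced to a huge unsigned address and traps too.
function loadI32(byteOffset) {
  try {
    return { ok: true, value: wasm.load(byteOffset) };
  } catch (e) {
    return { ok: false, trapped: e instanceof WebAssembly.RuntimeError };
  }
}

// 3. Shared linear memory: the same bytes are visible to JS as an ArrayBuffer
//    and to the module through i32.load, so a JS-side write is immediately
//    observable from WASM (and vice versa).
function writeThenLoad(byteOffset, value) {
  new DataView(wasm.mem.buffer).setInt32(byteOffset, value, true); // little-endian
  return wasm.load(byteOffset);
}

// 4. Defensive guard at the JS/WASM boundary: reject anything that is not a
//    non-negative integer that fits a 4-byte read inside the current memory,
//    before ToInt32 can quietly turn it into something else.
function checkedLoad(byteOffset) {
  const limit = wasm.mem.buffer.byteLength - 4;
  if (!Number.isSafeInteger(byteOffset) || byteOffset < 0 || byteOffset > limit) {
    throw new RangeError(`offset ${byteOffset} is not a valid i32 index into ${limit + 4} bytes`);
  }
  return wasm.load(byteOffset);
}

console.log({
  wrapped: coerceToI32(4294967295),      // -1
  truncated: coerceToI32(3.99),          // 3
  oob: loadI32(65536),                   // { ok: false, trapped: true }
  negative: loadI32(-4),                 // { ok: false, trapped: true }
  shared: writeThenLoad(8, 0x41424344),  // 1094861636
});
```

The guard in `checkedLoad` is the point a defender should take away: the coercion happens in the JavaScript API before the call crosses into the module, so validation of untrusted indices, lengths and pointers belongs on the JavaScript side, where the original value is still visible. The module's own bounds check only protects memory outside the instance; anything inside the 64 KiB of linear memory, including another module's data if the memory is shared, is reachable by any in-range index.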

Tyler Lukasiewicz

Tyler Lukasiewicz started getting into security by playing CTFs, mostly solving RE and pwnable challenges. His first real job in security was doing vulnerability research on Qualcomm's TEE, TrustZone. He currently works as a penetration tester.

Justin Engler

Justin Engler has been involved in application security for over a decade and his work has included penetration tests, source code review, architecture reviews, threat modeling, and secure development. Justin's customers have included members of the Fortune 5, 5-person startups, and everything in between. Justin has spent months reviewing smart contracts for security issues. Justin is a Technical Director at NCC Group.
