WebAssembly: How Cybercriminals Exploit WASM Security Vulnerabilities

WebAssembly, also known as WASM, is a program that was launched in 2017 and quickly rose to prominence. Although it has many significant advantages, it has also led to a Pandora’s box of security vulnerabilities and potential malicious uses, from cryptocurrency mining to malware code obfuscation.

Before we look at its vulnerabilities, it’s important to first understand what WASM is, and the benefits it offers.

What is WebAssembly good for?

WebAssembly is a compiler that makes it possible to write code in a variety of languages and execute it efficiently in web applications.

WebAssembly (WASM) is a new type of open source compiler that can be run in web browsers. It is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++ and Rust with a compilation target so that they can run on the web. Developers can write code in those languages, and then implement it in web applications using a WASM module.

WASM was created to support high-performance web applications, such as video, multimedia, sophisticated graphics, and 3D environments, that can’t be created with JavaScript, at least not in a way that enables execution.

Advantages of WebAssembly

A WASM file operates at speeds close to those of native code, almost like a native client application. Since WASM is compiled, it doesn’t break the web.

That’s not all. The benefits of the WebAssembly program over other programming languages include:

  • Portable — WASM programs run code in different browsers and other platforms.
  • Compact — A WASM file is already in bytecode and directly executed by the browser.
  • Fast execution — Developers spend less time parsing and optimizing with WASM.
  • Support — Old programs coded in C/C++ that previously required dependencies can be compiled with WASM, making them easier to support.

Is WebAssembly secure?

Code created in WebAssembly is compiled into a binary format, which makes it difficult to understand, debug, or reverse engineer. This creates a series of vulnerabilities in WebAssembly modules.

WASM, with its binary format, offers major benefits in browser execution and functions, but there is also a dark side to WebAssembly modules. Since WebAssembly is an open standard, anyone can access it and it’s impossible to control. That means that malicious actors can easily access its vulnerabilities to launch malicious code anywhere a WASM program runs.

WebAssembly security concerns and issues

WASM limits visibility, requires sandboxing, and relies on the memory of the host machine. These characteristics create vulnerabilities and security concerns.

Security and function are often at odds on a web browser, and WASM is no exception. Since WASM is critical in the programmatic world, GeoEdge decided to research its vulnerabilities.

With limited visibility of vulnerabilities, a WASM file needs a sandboxed runtime environment, the same as the JavaScript sandbox. That’s a problem, because when it mixes with JavaScript in the same host environment, WASM is exposed to JavaScript’s many vulnerabilities.

WASM isn’t alone. In a previous post we discussed sandboxing, why it was created and how it was supposed to enable a safer process to run iFrames. Unfortunately, we’ve seen how attackers are able to easily bypass it by serving code in a cross-origin platform, and leverage the ability of code served in the same origin platform by navigating through sandboxing.

Memory management is another security concern, or dark side, in WASM. WASM has no dedicated memory, but rather relies on the memory of the host machine to store the data it needs to function. When the memory runs out, it can create a buffer overflow, or the program may crash, leading to a poor user experience.

WASM malware

Bad actors often take advantage of WASM’s vulnerabilities, injecting code that leads to auto-redirect attacks that expose users to malware.

For example, GeoEdge’s security team recently discovered an example of a WASM exploit. The auto-redirect attack uses WASM to run JavaScript code that leads the user to an undesirable landing page (like an HTML page or blog post) without any interaction. The landing pages they lead to may contain malicious activity, download executable files to the user’s machine/device, or simply be regular apps looking for new users according to a variety of global variables.

These attackers use WASM to run JavaScript (JS) code to render security company bots useless and run their attacks undetected. It is just one example of the type of vulnerabilities introduced by WASM, and one of the ways it can be used to spread malware.

WebAssembly obfuscation

Since WebAssembly is compiled into a binary format, visibility is limited, which enables various obfuscation attack vectors.

Bad actors can take control of a machine or steal sensitive data by injecting code into a WASM module that’s being executed on that machine. This type of code injection is often used to take over a machine to mine cryptocurrency.

The only way to prevent this activity is to scan the source code and all its function parameters for unexpected behavior and vulnerabilities, before you compile it into a WebAssembly module.

How it works

The website loads, and ads appear. Below we can see a sample creative that is being shown before the attack takes place (Cute, right?):

In the screenshot below we can see the WebAssembly code that runs the JavaScript:

Below we can see the redirect code that is executed by the WASM:

And finally, we see the landing page that the user is being led to involuntarily:
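A WASM module calls into JavaScript through functions the host page supplies as imports, so that boundary is where a scanner can regain the visibility the binary format hides. The following is an added example, not GeoEdge's code or the sample from the screenshots: it lists a module's function imports and then runs the module against recording stubs. The byte array, `listFunctionImports` and `traceHostCalls` are constructed for illustration.

```javascript
// Constructed sample (not from the page): a minimal module that imports
// env.js_call(i32) and exports run(), whose body is js_call(42).
const SAMPLE_WASM = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic, version
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00, // type section
  0x02, 0x0f, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import "env"
  0x07, 0x6a, 0x73, 0x5f, 0x63, 0x61, 0x6c, 0x6c, 0x00, 0x00, // "js_call", func
  0x03, 0x02, 0x01, 0x01,                                     // one local function
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,       // export "run"
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x41, 0x2a, 0x10, 0x00, 0x0b, // i32.const 42; call 0
]);

// Static view: every host function the module asks for, before anything runs.
function listFunctionImports(bytes) {
  const mod = new WebAssembly.Module(bytes);
  return WebAssembly.Module.imports(mod)
    .filter((imp) => imp.kind === 'function')
    .map((imp) => `${imp.module}.${imp.name}`);
}

// Dynamic view: instantiate with recording stubs in place of real host
// functions, so each WASM-to-JavaScript call is logged and has no effect.
function traceHostCalls(bytes, entryPoint) {
  const mod = new WebAssembly.Module(bytes);
  const calls = [];
  const importObject = {};
  for (const imp of WebAssembly.Module.imports(mod)) {
    if (imp.kind !== 'function') {
      throw new Error(`unsupported import kind: ${imp.kind}`);
    }
    importObject[imp.module] = importObject[imp.module] || {};
    importObject[imp.module][imp.name] = (...args) => {
      calls.push({ target: `${imp.module}.${imp.name}`, args });
    };
  }
  const instance = new WebAssembly.Instance(mod, importObject);
  instance.exports[entryPoint]();
  return calls;
}
```

The synchronous `WebAssembly.Module` constructor suits offline analysis in Node.js; the stubs return nothing, so this sketch only covers imports whose results the module can take as a default value.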

Thwarting Malicious Attempts 

With every new technology developed to improve the user experience and the processing of data, cybercriminals are close behind, looking for ways to exploit these new technologies. We can now see how these attackers are using WASM JavaScript APIs to avoid being detected by security companies like GeoEdge.

Since the WASM module has already proven a fertile attack surface on any browser, GeoEdge’s security team is tracking it closely, looking into its vulnerabilities, and remaining vigilant for new and obfuscated attacks.
