WebAssembly, also known as WASM, is a program that was launched in 2017 and quickly rose to prominence. Although it has many significant advantages, it has also led to a Pandora’s box of security vulnerabilities potential malicious uses, from cryptocurrency mining to malware code obfuscation.
Before we look at its vulnerabilities, it’s important to first understand what WASM is, and the benefits it offers.
What is Webassembly good for?
Webassembly is a compiler that makes it possible to write code in a variety of languages and execute it efficiently in web applications.
WebAssembly (WASM) is a new type of open source compiler that can be run in web browsers. It is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++ and Rust with a compilation target so that they can run on the web. Developers can write code in those languages, and then implement it in web applications using a WASM module.
Advantages of Webassembly
A WASM file operates at speeds close to those of native code, almost like a native client application. Since WASM is compiled, it doesn’t break the web.
That’s not all. The benefits of the Webassembly program over other programming languages include:
- Portable — WASM programs run code in different browsers and other platforms.
- Compact —A WASM file is already in bytecode and directly executed by the browser.
- Fast execution — Developers spend less time parsing and optimizing with WASM.
- Support — Old programs coded in C/C++ that previously required dependencies can be compiled with WASM, making them easier to support.
Is Webassembly secure?
Code created in WebAssembly is compiled into a binary format, which makes it difficult to understand, debug, or reverse engineer. This creates a series of vulnerabilities in Webassembly modules.
WASM, with its binary format, offers major benefits in browser execution and functions, but there is also a dark side to Webassembly modules. Since Webassembly is an open standard, anyone can access it and it’s impossible to control. That means that malicious actors can easily access its vulnerabilities to launch malicious code anywhere a WASM program runs.
Webassembly security concerns and issues
WASM limits visibility, requires sandboxing, and relies on the memory of the host machine. These characteristics create vulnerabilities and security concerns.
Security and function are often at odds on a web browser, and WASM is no exception. Since WASM is critical in the programmatic world, GeoEdge decided to research its vulnerabilities.
WASM isn’t alone. In a previous posts we discussed sandboxing, why it was created and how it was supposed to enable a safer process to run iFrames. Unfortunately, we’ve seen how attackers are able to easily bypass it by serving code in a cross-origin platform, and leverage the ability of code served in the same origin platform by navigating through sandboxing.
Memory management is another security concern, or dark side, in WASM. WASM has no dedicated memory, but rather relies on the memory of the host machine to store the data it needs to function. When the memory runs out, it can create a buffer overflow, or the program may crash, leading to a poor user experience.
Bad actors often take advantage of WASM’s vulnerabilities, injecting code that leads to auto-direct attacks that expose users to malware.
Since Webassembly is compiled into a binary format, visibility is limited which enable various obfuscation attack vectors.
Bad actors can take control of a machine or steal sensitive data by injecting code into a WASM module that’s being executed on that machine. This type of code injection is often used to take over a machine to mine cryptocurrency.
The only way to prevent this activity is to scan the source code and all its function parameters for unexpected behavior and vulnerabilities, before you compile it into a Webassembly module.
How it works
The website loads, and ads appear. Below we can see a sample creative that is being shown before the attack takes place (Cute, right?):
Below we can see the Redirect code that is executed by the wasm:
And finally, we see the landing page that the user is being led to involuntarily:
Thwarting Malicious Attempts
Since the WASM module has already proven a fertile attack surface on any browser, GeoEdge’s security team is tracking it closely, looking into its vulnerabilities, and remaing vigilant for new and obfuscated attacks.