Everything Old is New Again: Binary Security of WebAssembly
TRANSCRIPT

Page 1
Everything Old is New Again:
Binary Security of WebAssembly
Daniel Lehmann*, Johannes Kinder‡, Michael Pradel*
* University of Stuttgart, Germany
‡ Bundeswehr University Munich, Germany

Page 2
Source program:
    void vuln(char* src) {
        char buf[8];
        strcpy(buf, src);
    }
WebAssembly binary: 6100 6d73 0001 0000 0a01 6002 7f01 6000 7f02 007f 0d02 0401 6f68 7473 ...
WebAssembly
• Fast, low-level, portable bytecode
• Support in browsers, Node.js, standalone VMs
• Compiled from C, C++, Rust, Go, ...
Deployment targets: client-side (browser) and server-side / standalone VMs

Page 3
Source program:
    void vuln(char* src) {
        char buf[8];
        strcpy(buf, src);
    }
Security?
Input: AAAAAAAAA...
WebAssembly binary: 6100 6d73 0001 0000 0a01 6002 7f01 6000 7f02 007f 0d02 0401 6f68 7473 ...  →  ?
Native binary: 457f 464c 0102 0001 0003 003e 0001 0000 0d70 0000 0000 0000 0040 0000 ...  →  mitigations:
• Virtual memory
• Stack canaries
• Control-Flow Integrity (CFI)
• ...

Page 4
Source program:
    void vuln(char* src) {
        char buf[8];
        strcpy(buf, src);
    }
Security?
Input: AAAAAAAAA...
WebAssembly binary: 6100 6d73 0001 0000 0a01 6002 7f01 6000 7f02 007f 0d02 0401 6f68 7473 ...
Native binary: 457f 464c 0102 0001 0003 003e 0001 0000 0d70 0000 0000 0000 0040 0000 ...
“At worst, a buggy or exploited WebAssembly program can make a mess of the data in its own memory.”
— github.com/WebAssembly/design
“Data execution prevention and stack smashing protection are not needed by WebAssembly programs.”
— Haas et al., PLDI 2017

Page 5
Contributions
I. In-depth security analysis of WebAssembly
   • Linear memory
   • Mitigations
II. Library of attack primitives
III. Proof-of-concept exploits on three platforms
IV. Measurements on real-world binaries

Page 6
Contributions (same content as page 5)

Page 7
Attack Outline
1. Write Primitive: buffer overflow on unmanaged stack
2. Overwrite Data: sensitive heap data
3. Malicious Action: XSS in the browser, document.write(str)
Mitigations? Stack canaries, unmapped pages

Page 8
Managed vs. Unmanaged Data
• Managed by VM: scalar variables, return addresses ✓
    (local $l i32) call $func
• Unmanaged data in memory (unmanaged stack, used by 33% of all functions):
    • Heap allocations: malloc(...)
    • Arrays, structs: char array[10]; struct Type complex
    • Address taken, e.g., out parameters: void function(int* out)
    • Global data, e.g., string literals: const char* string = "..."

Page 9
Buffer Overflow – Native
Source program (legacy code base):
    void vuln(char* src) {
        char buf[8];
        strcpy(buf, src);
    }
Native stack, e.g., x86-64 (overflow proceeds from buf toward higher addresses):
    ...
    return address
    stack canary
    buf            ← rsp

Page 10
Buffer Overflow – WebAssembly
Source program (legacy code base):
    void vuln(char* src) {
        char buf[8];
        strcpy(buf, src);
    }
    void caller() {
        char other[8];
        vuln(src);
    }
Unmanaged stack in linear memory (overflow proceeds from buf toward higher addresses):
    ...
    other
    buf            ← $sp
Managed data (outside linear memory):
    ...
    return address

Page 11
Attack Outline (same content as page 7)

Page 12
Linear Memory
Layout from address 0 toward higher addresses: Static | Stack | Heap ...
• Single 32-bit memory space
• Contains all unmanaged data
• No "holes", ptr ∈ [0, max_mem]
• No page protections
• No unmapped pages
• Always writable
• No ASLR, fully deterministic
Overflow: proceeds toward higher addresses
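The memory layout that pages 8, 10 and 12 describe, as an added worked model in C that is not from the paper or its slides: a flat byte array stands in for linear memory, bounds-checked only at its end, with the unmanaged stack carved out of it and frames growing toward lower addresses. The memory size, initial stack pointer, canary value and the helper names (store8, lm_strcpy, lm_strlcpy, run_call) are assumptions of this model. It shows that the overflowing strcpy never traps: the excess bytes land in the caller's frame (and, further up, would reach the heap region that page 14's demo overwrites), that only the end of linear memory stops a copy, that frame addresses are the same on every call (no ASLR), and that a bounded copy prevents the overwrite while a software canary between frames, one of the mitigations the slides ask about, at least detects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a WebAssembly linear memory, constructed for this example:
 * one flat 32-bit-addressed byte array, bounds-checked only at its end,
 * with no page protections, no unmapped pages and no ASLR (page 12). */
#define MEM_SIZE 4096u            /* assumed memory size for the model */
static uint8_t mem[MEM_SIZE];

/* The unmanaged stack lives inside linear memory; its stack pointer is a
 * Wasm global and frames grow toward lower addresses (pages 8 and 10). */
#define INITIAL_SP 1024u          /* assumed initial stack pointer */
static uint32_t sp = INITIAL_SP;

/* Emulates i32.store8: the VM traps only when addr is outside the memory.
 * Every address inside is writable, including other frames and the heap. */
static int store8(uint32_t addr, uint8_t value) {
    if (addr >= MEM_SIZE) return -1;  /* out of bounds: trap */
    mem[addr] = value;
    return 0;
}

/* strcpy as compiled to linear memory: copies until the NUL, no length
 * check. This is the defect from the slides, kept so its effect is visible. */
static int lm_strcpy(uint32_t dst, const char *src) {
    for (uint32_t i = 0; ; i++) {
        if (store8(dst + i, (uint8_t)src[i]) != 0) return -1;
        if (src[i] == '\0') return 0;
    }
}

/* Hardened replacement: writes at most cap bytes and always terminates. */
static int lm_strlcpy(uint32_t dst, const char *src, uint32_t cap) {
    uint32_t i = 0;
    for (; i + 1 < cap && src[i] != '\0'; i++)
        if (store8(dst + i, (uint8_t)src[i]) != 0) return -1;
    return store8(dst + i, 0);
}

#define CANARY 0xA5C3F00Du        /* constructed software canary value */

enum { CALL_OK = 0, CALL_CANARY_TRIPPED = 1, CALL_TRAPPED = -1 };

/* Models caller() -> vuln(src) from page 10. Frame layout, low to high:
 *   buf[8] (callee) | canary (4 bytes) | other[8] (caller)
 * Returns CALL_OK if the canary survived, CALL_CANARY_TRIPPED if the copy
 * ran past buf into the caller's frame, CALL_TRAPPED if a write reached
 * the end of linear memory. */
static int run_call(const char *src, int hardened) {
    uint32_t saved_sp = sp;
    sp -= 8;  uint32_t other  = sp;          /* caller's local array */
    sp -= 4;  uint32_t canary = sp;          /* software canary between frames */
    sp -= 8;  uint32_t buf    = sp;          /* vuln()'s local array */
    uint32_t c = CANARY;
    memset(mem + other, 'o', 8);             /* caller's live data */
    memcpy(mem + canary, &c, 4);

    int rc = hardened ? lm_strlcpy(buf, src, 8) : lm_strcpy(buf, src);

    int result;
    if (rc != 0)                              result = CALL_TRAPPED;
    else if (memcmp(mem + canary, &c, 4))     result = CALL_CANARY_TRIPPED;
    else                                      result = CALL_OK;
    sp = saved_sp;                            /* epilogue: pop both frames */
    return result;
}

/* Frames land at the same addresses on every call (deterministic, no ASLR),
 * so the caller's `other` and vuln()'s `buf` can be inspected afterwards. */
static int caller_data_intact(void) {
    for (uint32_t i = 0; i < 8; i++)
        if (mem[INITIAL_SP - 8 + i] != 'o') return 0;
    return 1;
}
static const char *callee_buf(void) { return (const char *)(mem + INITIAL_SP - 20); }

/* Only the edge of linear memory stops a copy: a constructed input longer
 * than the distance from buf to MEM_SIZE makes the modelled VM trap. */
static int overflow_to_end_of_memory(void) {
    static char big[MEM_SIZE];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return run_call(big, 0);
}

int main(void) {
    printf("strcpy, short input:          %d\n", run_call("short", 0));
    int r = run_call("AAAAAAAAAAAAAAAA", 0);
    printf("strcpy, 16-byte input:        %d, caller data intact: %d\n", r, caller_data_intact());
    r = run_call("AAAAAAAAAAAAAAAA", 1);
    printf("bounded copy, 16-byte input:  %d, buf = \"%s\"\n", r, callee_buf());
    printf("strcpy to end of memory:      %d\n", overflow_to_end_of_memory());
    return 0;
}
```

The unbounded copy of a 16-byte input returns CALL_CANARY_TRIPPED without any trap, and caller_data_intact() reports the caller's array as clobbered; the bounded copy of the same input returns CALL_OK with buf holding seven characters plus the terminator. The canary only detects an overwrite after the fact, so the bounded copy is the fix and the canary a safety net; the model also makes plain why the native mitigations on page 3 have no equivalent here, since nothing short of the end of memory is unmapped or read-only.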

Page 13
Attack Outline (same content as page 7)

Page 14
XSS in Browser: Demo
C++ web application:
    std::string html = "<img…";
    pnm2png(input, output);
    html += output + ">";
    document.write(html);

    void pnm2png(char* input) {
        // CVE-2018-14550
    }
Linear memory before (address 0 toward higher addresses): Static | Stack | Heap: "<img...>"
Linear memory after the stack-to-heap overflow: Static | Stack: AAAA... | Heap: "<img...>" overwritten → alert(...)

Page 15
XSS in Browser: Demo

Page 16
More Primitives...
1. Write Primitive: stack-based buffer overflow; stack overflow; heap metadata corruption
   Mitigations: stack canaries, unmapped pages, safe unlinking
2. Overwrite Data: heap data; other stack frames; constant data
3. Malicious Action: Browser: XSS; Node.js: exec(); WASI: fwrite(); redirect calls
   Mitigation: Wasm CFI

Page 17
Stack → Heap Overwrite → XSS
Highlighted path in the matrix of page 16: stack-based buffer overflow → heap data → Browser: XSS
(mitigations crossed: stack canaries, unmapped pages)

Page 18
Heap Overflow → Function Ptr → RCE
Highlighted path in the matrix of page 16: heap metadata corruption → function pointer → redirect calls → Node.js: exec()
(mitigations crossed: safe unlinking, Wasm CFI)

Page 19
Stack → String Literal → File Write
Highlighted path in the matrix of page 16: stack-based buffer overflow → constant data → WASI: fwrite()
    const char* filename = "benign.txt"
(mitigations crossed: stack canaries, unmapped pages)

Page 20

Page 21
Summary
WebAssembly binary: 6100 6d73 0001 0000 0a01 6002 7f01 6000 7f02 007f 0d02 0401 6f68 7473 ...
Native binary: 457f 464c 0102 0001 0003 003e 0001 0000 0d70 0000 0000 0000 0040 0000 ...
• WebAssembly binary security
• Managed vs. unmanaged data
• Linear memory
• Attack primitives and mitigations
• PoCs on three platforms

Page 22
Summary (same content as page 21)
Questions?
Small icons: icons8.com