Wasmati: An efficient static vulnerability scanner for WebAssembly

WebAssembly is a new binary instruction format that allows targeted compiled code written in high-level languages to be executed with near-native speed by the browser’s JavaScript engine. However, given that WebAssembly binaries can be compiled from unsafe languages like C/C++, classical code vulner...

Bibliographic details
Published in: Computers & security 2022-07, Vol.118, p.102745, Article 102745
Main authors: Brito, Tiago, Lopes, Pedro, Santos, Nuno, Santos, José Fragoso
Format: Article
Language: eng
container_end_page
container_issue
container_start_page 102745
container_title Computers & security
container_volume 118
creator Brito, Tiago
Lopes, Pedro
Santos, Nuno
Santos, José Fragoso
description WebAssembly is a new binary instruction format that allows targeted compiled code written in high-level languages to be executed with near-native speed by the browser’s JavaScript engine. However, given that WebAssembly binaries can be compiled from unsafe languages like C/C++, classical code vulnerabilities such as buffer overflows or format strings can be transferred over from the original programs down to the cross-compiled binaries. As a result, this possibility of incorporating vulnerabilities in WebAssembly modules has widened the attack surface of modern web applications. This paper presents Wasmati, a static analysis tool for finding security vulnerabilities in WebAssembly binaries. It is based on the generation of a code property graph (CPG), a program representation previously adopted for detecting vulnerabilities in various languages but hitherto unapplied to WebAssembly. We formalize the definition of CPG for WebAssembly, introduce techniques to generate CPG for complex WebAssembly, and present four different query specification languages for finding vulnerabilities by traversing a program’s CPG. We implemented ten queries capturing different vulnerability types and extensively tested Wasmati on four heterogeneous datasets. We show that Wasmati can scale the generation of CPGs for large real-world applications and can efficiently find vulnerabilities for all our query types. We have also tested our tool on WebAssembly binaries collected in the wild and identified several potential vulnerabilities, some of which we have manually confirmed to exist unless the enclosing application properly sanitizes the interaction with such affected binaries.
doi_str_mv 10.1016/j.cose.2022.102745
format Article
publisher Amsterdam: Elsevier Ltd
rights 2022 Elsevier Ltd
oa free_for_read
orcidid https://orcid.org/0000-0001-5982-9794
fulltext fulltext
identifier ISSN: 0167-4048
ispartof Computers & security, 2022-07, Vol.118, p.102745, Article 102745
issn 0167-4048
1872-6208
language eng
recordid cdi_proquest_journals_2688596489
source Access via ScienceDirect (Elsevier)
subjects Applications programs
CPG
Format
Graphical representations
High level languages
Languages
Security
Specification and description languages
Static analysis
Vulnerability
WebAssembly
title Wasmati: An efficient static vulnerability scanner for WebAssembly
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-22T13%3A23%3A54IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Wasmati:%20An%20efficient%20static%20vulnerability%20scanner%20for%20WebAssembly&rft.jtitle=Computers%20&%20security&rft.au=Brito,%20Tiago&rft.date=2022-07&rft.volume=118&rft.spage=102745&rft.pages=102745-&rft.artnum=102745&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2022.102745&rft_dat=%3Cproquest_cross%3E2688596489%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2688596489&rft_id=info:pmid/&rft_els_id=S0167404822001407&rfr_iscdi=true