The Security Risk of Lacking Compiler Protection in WebAssembly

11/02/2021
by   Quentin Stiévenart, et al.
0

WebAssembly is increasingly used as the compilation target for cross-platform applications. In this paper, we investigate whether one can rely on the security measures enforced by existing C compilers when compiling C programs to WebAssembly. We compiled 4,469 C programs with known buffer overflow vulnerabilities to x86 code and to WebAssembly, and observed the outcome of the execution of the generated code to differ for 1,088 programs. Through manual inspection, we identified that the root cause for these is the lack of security measures such as stack canaries in the generated WebAssembly: while x86 code crashes upon a stack-based buffer overflow, the corresponding WebAssembly continues to be executed. We conclude that compiling an existing C program to WebAssembly without additional precautions may hamper its security, and we encourage more research in this direction.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

12/22/2021

Security Risks of Porting C Programs to WebAssembly

WebAssembly is a compilation target for cross-platform applications that...
10/31/2019

Existence of Stack Overflow Vulnerabilities in Well-known Open Source Projects

A stack overflow occurs when a program or process tries to store more da...
03/25/2022

C to Checked C by 3C

Owing to the continued use of C (and C++), spatial safety violations (e....
12/30/2020

Stack-based Buffer Overflow Detection using Recurrent Neural Networks

Detecting vulnerabilities in software is a critical challenge in the dev...
10/03/2019

An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples

Software developers share programming solutions in Q A sites like Stac...
09/17/2019

Variable Record Table: A Run-time Solution for Mitigating Buffer Overflow Attack

We present a novel approach to mitigate buffer overflow attack using Var...
04/29/2020

Analyzing Smart Contracts: From EVM to a sound Control-Flow Graph

The EVM language is a simple stack-based language with words of 256 bits...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.