Artificial Software Diversification for WebAssembly

Time: Tue 2022-10-18 10.00

Location: D31, Lindstedtsvägen 5, Stockholm

Language: English

Subject area: Electrical Engineering

Doctoral student: Javier Cabrera Arteaga, Programvaruteknik och datorsystem, SCS, SCS

Opponent: Professor Tobias Wrigstad, Uppsala universitet, Uppsala

Supervisor: Benoit Baudry, Programvaruteknik och datorsystem, SCS; Martin Monperrus, Tribologi, Teoretisk datalogi, TCS

QC 20220909

Abstract

Since 2019, WebAssembly has been the fourth official web language, alongside HTML, CSS and JavaScript. WebAssembly allows web browsers to execute existing programs or libraries written in other languages, such as C/C++ and Rust. In addition, WebAssembly is evolving to become part of edge-cloud computing platforms. Despite being designed with security as a premise, WebAssembly is not exempt from vulnerabilities. Potential vulnerabilities and flaws are therefore included in its distribution and execution, highlighting a software monoculture problem. While software diversity has been shown to mitigate monoculture, no diversification approach has been proposed for WebAssembly. This work proposes software diversity as a preemptive solution to mitigate software monoculture for WebAssembly.

We also provide implementations for our approaches, including a generic LLVM superdiversifier that potentially extends our ideas to other programming languages. We empirically demonstrate the impact of our approach by providing Randomization and Multivariant Execution (MVE) for WebAssembly. Our results show that our approaches can provide an automated end-to-end solution for the diversification of WebAssembly programs. The main contributions of this work are:

  • We highlight the lack of diversification techniques for WebAssembly through an exhaustive literature review.
  • We provide randomization and multivariant execution for WebAssembly with the implementation of two tools, CROW and MEWE respectively.
  • We include constant inferring as a new code transformation to generate software diversification for WebAssembly.
  • We empirically demonstrate the impact of our technique by evaluating the static and dynamic behavior of the generated diversification.

Our approaches harden observable properties commonly used to conduct attacks, such as static code analysis, execution traces, and execution time.

urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-317331