80% Seminar About Automatic WebAssembly Diversficiation
Since its 2015 inception, WebAssembly (Wasm) has experienced swift integration, with languages such as Rust and C/C++ now compiled to Wasm and compatible with all major browsers. Crucially, Wasm's adoption extends beyond browsers, with platforms like Fastly and Cloudflare incorporating it into their core services. However, vulnerabilities have been detected in Wasm's implementations, both in browsers and standalone runtimes, mostly due to software monoculture.
Time: Wed 2023-09-06 10.00
Location: Fantum
Video link: Zoom
Participating: Javier Cabrera
Our work explores software diversification as a proactive solution to address these vulnerabilities. We generate hundreds of variants that share functionality, while exhibiting diverse execution behaviors. This presentation outlines four contributions in this area.
First, we discuss our CROW, a superdiversification engine for Wasm implemented within the LLVM compilation pipeline. Second, we introduce MEWE, which embeds multiple variants into a single program, supporting runtime randomization. MEWE has been evaluated on worldwide content delivery network. Third, considering the evolving landscape of Wasm tools and the introduction of new compilers outputting Wasm binaries via non-LLVM methodologies, we unveil a Wasm-to-Wasm diversification solution, wasm-mutate. We demonstrate how it can be used to prevent Spectre attacks on WebAssembly programs. Finally, we demonstrate how commercial solutions' are inaccurate in detecting Wasm cryptomalwares variants and how diversification can be used to rectify this.