
Hello everyone, welcome to our talk. So today we're going to talk about wasm security, or WebAssembly security. My name is Kai Johan, I'm a security researcher from cystic, and my partner Poncho is from Brave. Just a little background about ourselves. A little bit of a disclaimer: the slides we provide here are based on our knowledge, and as some of you may know, wasm is evolving very fast, so regarding the design and the implementation, they're moving very fast. So I would encourage you guys to always check the spec online to catch up with the latest changes. And a quick question here: how many of you have used wasm in production or have hands-on experience with wasm? Good, good, not many people, okay.

Yeah, so in today's agenda we are going to give a quick intro about what is wasm and why wasm, and then a very simple 101 example about wasm, and then we will jump into the wasm threat model and also see how crypto miners can work seamlessly with wasm, and also we give some exploitable bugs in wasm.

So what is wasm? Wasm is a binary instruction format designed as a target for compilation of high-level languages like C/C++, and it aims to be deployed on the web for client-server applications. So you can think of it: what is wasm? Wasm basically is compiled from a source of C/C++ or any other high-level language and then will become part of the JavaScript, I would say, that can be deployed directly with the web. So why do we encourage people to use wasm, and what's the benefit of using it? So here is a quick comparison example between JavaScript and wasm. So we can tell that JavaScript has to go through all the stages of parsing, compile, optimization, etc., and then wasm just gets compiled and optimized together and executed. So in short, JavaScript is slow and wasm performs much better, but that doesn't mean that wasm is a replacement for JavaScript; actually it's not. So the goal of wasm here is to provide a kind of good integration between the backend and the front-end. So a good example here is that there are some high CPU-intensive tasks like animation or image processing that have to happen on the web browser, so it would be good to offload this task, not to do it through JavaScript but through wasm, so that it could boost the performance on your browser, on the front-end side. So wasm supports these kinds of very popular languages: C, C++, Java, Rust, Golang, and so all these languages can be converted or compiled into wasm. So there's a tool called emcc that does all this compilation for you; it will help you to get into the wasm binary code directly.

And here I want to talk a bit about wasm's background. There were some other attempts that tried to boost web performance, like Flash, like ActiveX, and also asm.js. If you are familiar with asm.js, it is a set of instructions compiled from JavaScript, so that the browser does not need to compile this code again, so that you can execute it directly, so that will improve the performance a lot. So the bottom line here is to try to provide a full-blown solution so that you don't need to worry about the kind of security concern, and it's more web-process friendly, and also, like the previous slide shows, the size of wasm is quite small compared to Flash or ActiveX.

Okay, so let's dive into a simple example of what wasm is. Okay, let me stop here a little bit to talk about how this conversion, the compile process, looks like. So a backend engineer, a C/C++ backend engineer, does his work in C/C++ and he uses Emscripten to compile his source code into wasm code, so that the JavaScript developer can use the wasm library just like other JavaScript libraries, and it can be consumed by all these mainstream browsers: Firefox, Chrome, Safari, etc. Okay, so this is a very simple hello world example in C/C++, and you can tell that after the Emscripten compile, this is the text format of the binary code; it will be used for debug purposes, but by nature it is the binary code. And then (it's called wast, by the way) from here you can see on the right side there is some JavaScript code that is loading the wasm, the hello.wasm library, and then doing some work and executing the simple main function, hello, and printing out hello world. And regarding the wasm memory model, it's quite straightforward, I would say; it is composed of two parts. First, the function table, which contains the instruction addresses; there are some embedded instructions that can be leveraged by the wasm and stored in the function table. And you also use the linear memory to store the data. We will show more examples about how we can exploit the vulnerability of, or not vulnerability of the linear memory, but some malicious usage or insecure usage of linear memory; we can see some exploit examples from there.

Okay, let's talk about the security aspect of wasm. So this is the WebAssembly link regarding the security design; I encourage you guys to take a look there. So the goal here is: wasm by design, from its nature, aims to protect users from vulnerable or malicious code and also provide developers primitives and mitigations to write safe applications. So it has this control flow integrity check, so by doing that, it ensures protection against control flow hijacking attacks. With that said, it also provides indirect function calls subject to a signature check, so with this help, all these stack smashing attacks can be mitigated by WebAssembly, wasm.

Okay, so let's look into some of these malicious modules. So you guys must be familiar with this webcam or keylogger stuff; wasm can definitely be used to achieve that, to turn on your webcam, to record your keystrokes, and what makes it more interesting is that, because of the format the wasm comes in and also the specification, the antivirus companies are still working on trying to detect this kind of new threat; even though they are working very well on the traditional webcam or traditional keylogger, from the wasm standpoint they're still working on fighting this technology. And another very interesting story about crypto miners: like I mentioned earlier, wasm is good at high CPU-intensive tasks, so coin mining is definitely one of them. So the malicious website can embed some bad coin mining wasm module, so that when a user accesses the website, they download the wasm module, and then it starts mining on the user's browser and then sends it back to the coin hub, and also the website owners share the profit with the coin hub. So that's a quite interesting story here, but definitely there are some malicious attackers, malicious users, hackers trying to use wasm to achieve their coin mining attacks. And another story about a malicious Google Chrome extension that contains miners using wasm as well.

So a little bit more about coin mining with wasm: basically, CryptoNight is one of the popular algorithms, a proof of work. It has latency dependency; it requires access to memory. So these are the widely adopted crypto mining algorithms used in wasm based on our observation. So we still have ways to detect that, thanks to the binary being quite stable, not changing too often, which means the hash value is kind of fixed, and we can also filter out the connection to the centralized services. And with wasm2c or a wasm dump you can see some of these interesting strings with _cryptonight_, and people seem unlikely to modify these strings. Okay, so some other interesting strings in the wasm module can be leveraged to detect whether a crypto mining wasm is running on your browser. Okay, some interesting tricks: once the malicious wasm module loads into the browser, basically you can open up a new browser page, sorry, a new browser window with a super tiny size, and you can hardly even find where it is on your desktop, but you can still look into your CPU usage, and then when your laptop becomes overheated, or you check your process list to figure out there's some anomalous process utilizing a lot of CPU, you might want to take a look at that. Okay, now I will hand it over to Poncho to go through the vulnerable wasm modules.

Okay, hello everyone. In the next couple of slides we'll be looking at vulnerable wasm modules. The thing that we want to highlight over the next couple of slides is that C/C++ bugs can cause problems in your module, so definitely analyze your modules thoroughly before deploying them. Introduction: let's start with a very simple snippet. This is a very simple code which has a character array that is user controlled. If the user inputs a very simple ASCII string, it's printed on the screen as we see here. But what happens when this input string can be modified, and instead of using an ASCII string the attacker goes a little sophisticated and tries a format string here? The problem with this is, as I described earlier, that we have a linear model here with WebAssembly, so the attacker will be able to read the memory and hence leak the secret, as we can see here.

Next we look at buffer overflow. This is an excerpt from the WebAssembly documentation; essentially it says that accesses to the linear memory are bounds-checked at the linear region level, but this does not avoid the possibility of overwriting variables. So if an attacker is able to control a string, so let's look at the memory diagram here: we have a character input followed by the user. If the user inputs a malicious string, say BBB...admin, it fills the first part of the memory correctly but then it overwrites the user with admin, and that causes the EM_JS code to be invoked. EM_JS is basically an interface to connect your native code with your JavaScript environment, so it kind of leaks the secret. So what we are trying to focus on here is that C/C++ code bugs can be a problem, so definitely investigate your code before going forward. As you can see here, the input address and the user address are at a linear difference, so any input which is not expected can cause problems in the code. Buffer overflows kind of get interesting when WebAssembly has access to the DOM. In this case, the input that we saw earlier is overwritten by a series of A's followed by an image, so this will essentially override the body of the document and cause an XSS. So similar to XSS, it can cause other bugs as well, so really be careful when you're interfacing the native code with JavaScript.

Indirect functions: this is also one more good example of how buffer overflows can be a problem with WebAssembly. So this is a very simple example of a guestbook where a user can type in a message; there's a message length, and based on the language there can be a translation that goes on. The user kind of sets the translation language to English, so if the user is nice, and like this prints out the payload, we can see that the message will be filled with the hello my friend message, the length will be correct, and since the translation function is set to print in English, it will print as is. But the problem again comes back to: what if the user has a malicious intent and overwrites the payload with something that's not expected? So here the payload starts with overwriting the message with an alert(document.cookie); it then overwrites the complete message, fills up the message length with 64, and then overwrites the function with a built-in function. So essentially Emscripten provides a lot of built-in functions, and these kinds of attacks can be used to exfiltrate data. So like we saw earlier, instead of a normal message, our message was overflowed so that the function address for printing English was overwritten by emscripten_run_script, and that caused the password to be leaked.

The next kind of bug that we want to look at is type confusion. It's a basic issue where a variable is overwritten with a user-controlled struct, or an attacker-controlled structure, and basically whenever the function within that structure is called, it leads to malicious code being executed. So in this case, if you tried what you see, it prints malicious code executed. But the good thing with wasm is that there are signature checks present, so if you try to do this with emcc it fails, and this happens because it tries to check for the function signature before going forward. But the problem with this is: what happens when we try to match the signature? So in this case, instead of using a double in the argument, we change it to a void, and this essentially bypasses the signature. The reason why this happens is because the signature checks are happening at the WebAssembly layer, so they're not able to differentiate at the granularity of the C/C++ layer. But this can be avoided by using a CFI flag, so always use that, and if you use that it essentially results in a trap.

To conclude this talk, we just want to highlight that offensive WebAssembly is still in its early stages, but we are seeing a lot of live, evolving malicious modules. The mitigations are helpful; the WebAssembly group at W3C is also working really hard to get them in place, but they are still in progress, so definitely analyze your code; it's a shared responsibility. So if you want to look at the code snippets I've shared here, it's on the GitHub link, so feel free to check that. Also we can take questions. Any questions from the audience?

Hi, you mostly focused on what looked like the C/C++ toolchain. Are there similar mitigations and preventions for, like, a Golang workflow or a Rust workflow, looking at the environment after reading the spec?

I know there's been work on that, but yeah, we haven't really investigated whether the same kind of bugs exist in that toolchain as well.

Are you planning on doing a future talk, maybe on some of the lower-level things like shared memory timing attacks?

Yes, so threading is one important thing that is being looked at.

Rather than, you know, I mean, Spectre stuff, not attacks against your own logic, but more like exploiting them as a mechanism for just more general compromise.

Any more Q&A? We have plenty of time, so ask away. Well, thank you guys, it's been a pleasure. Thank you. Thank you everyone. [Applause]
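The adjacent-variable overwrite in linear memory that the talk walks through (a character input[] immediately followed by user[], with "BBB...admin" landing on user[]), as an added C example that is not from the talk or its GitHub snippets. It models linear memory as a flat byte array whose stores trap only at the region's edge, exactly the bounds-check the quoted documentation describes, and pairs the unbounded copy with a bounded copy that rejects oversized input; the names, sizes and offsets (linear_mem, INPUT_LEN, USER_OFF, scenario_reaches_admin) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not the talk's code. Assumed layout: a 32-byte "linear
 * memory" holding char input[16] at offset 0 and char user[8] right after. */
#define MEM_SIZE  32
#define INPUT_OFF 0
#define INPUT_LEN 16
#define USER_OFF  16
#define USER_LEN  8
typedef struct { unsigned char bytes[MEM_SIZE]; } linear_mem;
/* A store traps (returns 0) only when it leaves the region, as in the doc
 * excerpt the talk quotes; a write crossing from input[] into user[] succeeds. */
static int store_byte(linear_mem *m, size_t off, unsigned char v) {
    if (off >= MEM_SIZE) return 0;
    m->bytes[off] = v;
    return 1;
}
/* Vulnerable: copies until NUL with no check against INPUT_LEN. */
int read_input_vulnerable(linear_mem *m, const char *untrusted) {
    size_t i = 0;
    for (; untrusted[i]; i++)
        if (!store_byte(m, INPUT_OFF + i, (unsigned char)untrusted[i])) return 0;
    return store_byte(m, INPUT_OFF + i, 0);
}
/* Hardened: refuse input that does not fit in input[] together with its NUL. */
int read_input_safe(linear_mem *m, const char *untrusted) {
    size_t n = strlen(untrusted);
    if (n >= INPUT_LEN) return 0;
    memcpy(m->bytes + INPUT_OFF, untrusted, n + 1);
    return 1;
}

int is_admin(const linear_mem *m) {
    return strncmp((const char *)m->bytes + USER_OFF, "admin", USER_LEN) == 0;
}

/* Fresh memory with user="guest", one copy routine; returns 1 if admin was reached. */
int scenario_reaches_admin(const char *payload, int use_safe) {
    linear_mem m = {{0}};
    memcpy(m.bytes + USER_OFF, "guest", 6);
    if (use_safe) read_input_safe(&m, payload); else read_input_vulnerable(&m, payload);
    return is_admin(&m);
}

int main(void) {
    const char *p = "BBBBBBBBBBBBBBBBadmin";   /* constructed: 16 filler bytes, then "admin" */
    printf("vulnerable copy reaches admin: %d\n", scenario_reaches_admin(p, 0));
    printf("bounded copy reaches admin: %d\n", scenario_reaches_admin(p, 1));
    return 0;
}
```

The in-region write past input[] is never rejected by the linear-memory bounds check, which is why the fix has to live in the C code (a length check, or compiling with CFI as the talk recommends for the function-pointer case).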