WebAssembly is a new W3C standard, providing a portable target for compilation for various languages.
All major browsers can run WebAssembly programs, and its use extends beyond the web: there is interest in compiling cross-platform desktop applications, server applications, IoT and embedded applications to WebAssembly because of the performance and security guarantees it aims to provide.
Indeed, WebAssembly has been carefully designed with security in mind.
In particular, WebAssembly applications are sandboxed from their host environment.
However, recent works have brought to light several limitations that expose WebAssembly to traditional attack vectors.
Visitors of websites using WebAssembly have been exposed to malicious code as a result.

In this paper, we propose an automated static program analysis to address these security concerns.
Our analysis is focused on information flow and is compositional.
For every WebAssembly function, it first computes a summary that describes in a sound manner where the information from its parameters and the global program state can flow to.
These summaries can then be applied during the subsequent analysis of function calls.
Through a classical fixed-point formulation, one obtains an approximation of the information flow in the WebAssembly program.
This results in the first compositional static analysis for WebAssembly.
On a set of 34 benchmark programs spanning 196kLOC of WebAssembly, we compute at least 64% of the function summaries precisely in less than a minute in total.
Original language: English
Title of host publication: 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020
Publisher: IEEE
Pages: 13-24
Number of pages: 12
ISBN (Electronic): 978-1-7281-9248-2
Publication status: Published - 27 Sep 2020
Event: 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020
Duration: 27 Sep 2020 to 28 Sep 2020
http://www.ieee-scam.org/2020/

Conference

Conference: 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020
Abbreviated title: SCAM 2020
Period: 27/09/20 to 28/09/20

ID: 53757989