Standard

Compositional Information Flow Analysis for WebAssembly Programs. / Stiévenart, Quentin; De Roover, Coen.

20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020. IEEE, 2020. p. 13-24.

Research output: Chapter in Book/Report/Conference proceeding › Conference paper

Harvard

Stiévenart, Q & De Roover, C 2020, Compositional Information Flow Analysis for WebAssembly Programs. in 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020. IEEE, pp. 13-24, 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020, 27/09/20.

APA

Stiévenart, Q., & De Roover, C. (2020). Compositional Information Flow Analysis for WebAssembly Programs. In 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020 (pp. 13-24). IEEE.

Vancouver

Stiévenart Q, De Roover C. Compositional Information Flow Analysis for WebAssembly Programs. In 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020. IEEE. 2020. p. 13-24

Author

Stiévenart, Quentin ; De Roover, Coen. / Compositional Information Flow Analysis for WebAssembly Programs. 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020. IEEE, 2020. pp. 13-24

BibTeX

@inproceedings{c44420c532ad44a7877840c2a7e16550,
title = "Compositional Information Flow Analysis for WebAssembly Programs",
abstract = "WebAssembly is a new W3C standard, providing a portable target for compilation for various languages. All major browsers can run WebAssembly programs, and its use extends beyond the web: there is interest in compiling cross-platform desktop applications, server applications, IoT and embedded applications to WebAssembly because of the performance and security guarantees it aims to provide. Indeed, WebAssembly has been carefully designed with security in mind. In particular, WebAssembly applications are sandboxed from their host environment. However, recent works have brought to light several limitations that expose WebAssembly to traditional attack vectors. Visitors of websites using WebAssembly have been exposed to malicious code as a result. In this paper, we propose an automated static program analysis to address these security concerns. Our analysis is focused on information flow and is compositional. For every WebAssembly function, it first computes a summary that describes in a sound manner where the information from its parameters and the global program state can flow to. These summaries can then be applied during the subsequent analysis of function calls. Through a classical fixed-point formulation, one obtains an approximation of the information flow in the WebAssembly program. This results in the first compositional static analysis for WebAssembly. On a set of 34 benchmark programs spanning 196kLOC of WebAssembly, we compute at least 64{\%} of the function summaries precisely in less than a minute in total.",
author = "Quentin Sti{\'e}venart and {De Roover}, Coen",
year = "2020",
month = "9",
day = "27",
language = "English",
pages = "13--24",
booktitle = "20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020",
publisher = "IEEE",

}

RIS

TY - GEN

T1 - Compositional Information Flow Analysis for WebAssembly Programs

AU - Stiévenart, Quentin

AU - De Roover, Coen

PY - 2020/9/27

Y1 - 2020/9/27

N2 - WebAssembly is a new W3C standard, providing a portable target for compilation for various languages. All major browsers can run WebAssembly programs, and its use extends beyond the web: there is interest in compiling cross-platform desktop applications, server applications, IoT and embedded applications to WebAssembly because of the performance and security guarantees it aims to provide. Indeed, WebAssembly has been carefully designed with security in mind. In particular, WebAssembly applications are sandboxed from their host environment. However, recent works have brought to light several limitations that expose WebAssembly to traditional attack vectors. Visitors of websites using WebAssembly have been exposed to malicious code as a result. In this paper, we propose an automated static program analysis to address these security concerns. Our analysis is focused on information flow and is compositional. For every WebAssembly function, it first computes a summary that describes in a sound manner where the information from its parameters and the global program state can flow to. These summaries can then be applied during the subsequent analysis of function calls. Through a classical fixed-point formulation, one obtains an approximation of the information flow in the WebAssembly program. This results in the first compositional static analysis for WebAssembly. On a set of 34 benchmark programs spanning 196kLOC of WebAssembly, we compute at least 64% of the function summaries precisely in less than a minute in total.

AB - WebAssembly is a new W3C standard, providing a portable target for compilation for various languages. All major browsers can run WebAssembly programs, and its use extends beyond the web: there is interest in compiling cross-platform desktop applications, server applications, IoT and embedded applications to WebAssembly because of the performance and security guarantees it aims to provide. Indeed, WebAssembly has been carefully designed with security in mind. In particular, WebAssembly applications are sandboxed from their host environment. However, recent works have brought to light several limitations that expose WebAssembly to traditional attack vectors. Visitors of websites using WebAssembly have been exposed to malicious code as a result. In this paper, we propose an automated static program analysis to address these security concerns. Our analysis is focused on information flow and is compositional. For every WebAssembly function, it first computes a summary that describes in a sound manner where the information from its parameters and the global program state can flow to. These summaries can then be applied during the subsequent analysis of function calls. Through a classical fixed-point formulation, one obtains an approximation of the information flow in the WebAssembly program. This results in the first compositional static analysis for WebAssembly. On a set of 34 benchmark programs spanning 196kLOC of WebAssembly, we compute at least 64% of the function summaries precisely in less than a minute in total.

M3 - Conference paper

SP - 13

EP - 24

BT - 20th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2020, September 27-28, 2020

PB - IEEE

ER -

ID: 53757989