We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:

Download:

Current browse context:

cs.CR

Change to browse by:

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Cryptography and Security

Title: The Security Risk of Lacking Compiler Protection in WebAssembly

Abstract: WebAssembly is increasingly used as the compilation target for cross-platform applications. In this paper, we investigate whether one can rely on the security measures enforced by existing C compilers when compiling C programs to WebAssembly. We compiled 4,469 C programs with known buffer overflow vulnerabilities to x86 code and to WebAssembly, and observed the outcome of the execution of the generated code to differ for 1,088 programs. Through manual inspection, we identified that the root cause for these is the lack of security measures such as stack canaries in the generated WebAssembly: while x86 code crashes upon a stack-based buffer overflow, the corresponding WebAssembly continues to be executed. We conclude that compiling an existing C program to WebAssembly without additional precautions may hamper its security, and we encourage more research in this direction.
Comments: The 21st IEEE International Conference on Software Quality, Reliability and Security (QRS 2021)
Subjects: Cryptography and Security (cs.CR); Programming Languages (cs.PL)
Cite as: arXiv:2111.01421 [cs.CR]
  (or arXiv:2111.01421v1 [cs.CR] for this version)

Submission history

From: Mohammad Ghafari [view email]
[v1] Tue, 2 Nov 2021 08:30:37 GMT (133kb)

Link back to: arXiv, form interface, contact.