DOI: 10.1145/3477314.3507308

Security risks of porting C programs to WebAssembly

Published: 06 May 2022

Abstract

WebAssembly is a compilation target for cross-platform applications that is increasingly being used. In this paper, we investigate whether one can transparently cross-compile C programs to WebAssembly, and if not, what impact porting can have on their security. We compile 17 802 programs that exhibit common vulnerabilities to 64-bit x86 and to WebAssembly binaries, and we observe that the execution of 4 911 binaries produces different results across these platforms. Through manual inspection, we identify three classes of root causes for such differences: the use of a different standard library implementation, the lack of security measures in WebAssembly, and the different semantics of the execution environments. We describe our observations and discuss the ones that are critical from a security point of view and need most attention from developers. We conclude that compiling an existing C program to WebAssembly for cross-platform distribution may require source code adaptations; otherwise, the security of the WebAssembly application may be at risk.

Published In

SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing
April 2022
2099 pages
ISBN: 9781450387132
DOI: 10.1145/3477314

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. WebAssembly
  2. cross-compilation
  3. security

Qualifiers

  • Research-article

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Cited By

  • (2024) LLM Security Guard for Code. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, 600-603. DOI: 10.1145/3661167.3661263. Online publication date: 18-Jun-2024
  • (2024) WASMaker: Differential Testing of WebAssembly Runtimes via Semantic-Aware Binary Generation. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 1262-1273. DOI: 10.1145/3650212.3680358. Online publication date: 11-Sep-2024
  • (2024) WasmChecker: Effectively Detecting WebAssembly Bugs via Static Program Analysis. 2024 8th International Conference on Electrical, Mechanical and Computer Engineering (ICEMCE), 1669-1678. DOI: 10.1109/ICEMCE64157.2024.10861926. Online publication date: 25-Oct-2024
  • (2023) An Overview of WebAssembly for IoT: Background, Tools, State-of-the-Art, Challenges, and Future Directions. Future Internet 15:8 (275). DOI: 10.3390/fi15080275. Online publication date: 18-Aug-2023
  • (2023) Put Your Memory in Order: Efficient Domain-based Memory Isolation for WASM Applications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 904-918. DOI: 10.1145/3576915.3623205. Online publication date: 15-Nov-2023
  • (2023) Wasmizer: Curating WebAssembly-driven Projects on GitHub. 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR), 130-141. DOI: 10.1109/MSR59073.2023.00031. Online publication date: May-2023
  • (2023) Dynamic Slicing of WebAssembly Binaries. 2023 IEEE International Conference on Software Maintenance and Evolution (ICSME), 84-96. DOI: 10.1109/ICSME58846.2023.00020. Online publication date: 1-Oct-2023
  • (2023) metaSafer: A Technique to Detect Heap Metadata Corruption in WebAssembly. IEEE Access 11, 124887-124898. DOI: 10.1109/ACCESS.2023.3327817. Online publication date: 2023
  • (2023) BREWasm: A General Static Binary Rewriting Framework for WebAssembly. Static Analysis, 139-163. DOI: 10.1007/978-3-031-44245-2_8. Online publication date: 22-Oct-2023
  • (2022) Developers Struggle with Authentication in Blazor WebAssembly. 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME), 389-393. DOI: 10.1109/ICSME55016.2022.00045. Online publication date: Oct-2022
