I. Introduction
WebAssembly [1] (Wasm) is a novel binary instruction set architecture and code distribution format [2], designed with the goals of security, efficiency, and portability. In light of Wasm's security promise, recent years have witnessed the successful deployment of Wasm in diverse security-critical domains such as edge computing [3], smart contracts [4], and so on. Hence, given its security design goal and wide adoption, Wasm programs should be reliable and trustworthy. Despite the urgent need for security and reliability, recent studies [5] [6] [7] [8] [9] have demonstrated that Wasm programs are still vulnerable and exploitable, due to defects in the design of Wasm's memory model. Specifically, to protect function call stacks against buffer overflow attacks [10] [11] [12], Wasm introduced a novel design of linear memory containing a data stack that stores a function's aggregate local variables (e.g., buffers). Meanwhile, Wasm uses a separate control stack, residing in managed memory owned by the Wasm VM, to store function return addresses, leveraging the key idea of shadow stacks [13] [14] [15]. Unfortunately, while Wasm's separation of data and control stacks effectively protects return addresses from being compromised, overflows on the data stack may still corrupt data in data stack frames or on the heap [5], leading to the compromise of the whole system. Worse yet, vulnerabilities (e.g., buffer overflows) in code written in unsafe languages may be propagated from the source to Wasm by the toolchain without being detected. Hence, developing effective memory protection for Wasm is essential.
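The data-stack weakness described above, as an added example that is not from the paper: a constructed C model in which linear memory is one flat byte array and the control stack is a separate array. All names and offsets (guest_store, BUF_OFF, FLAG_OFF, the adjacent flag local) are hypothetical and chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not a real Wasm VM: linear memory is one flat byte array
   that guest code can write anywhere inside; return addresses live in a
   separate array standing in for VM-managed memory. */
#define LINEAR_SIZE 64
#define BUF_OFF 16   /* frame slot: char buf[8]         */
#define BUF_LEN 8
#define FLAG_OFF 24  /* frame slot: adjacent local flag */

static uint8_t linear_memory[LINEAR_SIZE];        /* data stack lives here */
static uint32_t control_stack[4] = {0x1234};      /* saved return address  */

/* Guest store: the only check the memory model performs is against the end
   of linear memory, not against the bounds of the object being written. */
static int guest_store(uint32_t addr, const uint8_t *src, uint32_t n) {
    if (addr > LINEAR_SIZE || n > LINEAR_SIZE - addr) return -1; /* trap */
    memcpy(&linear_memory[addr], src, n);
    return 0;
}

/* Unchecked copy, as unsafe-language source would compile to. */
static int copy_unchecked(const uint8_t *in, uint32_t n) {
    return guest_store(BUF_OFF, in, n);
}

/* Hardened copy: enforce the object's own bound before storing. */
static int copy_checked(const uint8_t *in, uint32_t n) {
    if (n > BUF_LEN) return -1;
    return guest_store(BUF_OFF, in, n);
}

/* Runs one scenario and returns the adjacent flag's value after the copy. */
static uint8_t run(int checked, uint32_t n) {
    uint8_t input[12];
    if (n > sizeof input) n = sizeof input;
    memset(input, 0x41, sizeof input);            /* constructed input */
    memset(linear_memory, 0, LINEAR_SIZE);
    if (checked) copy_checked(input, n); else copy_unchecked(input, n);
    return linear_memory[FLAG_OFF];
}

int main(void) {
    printf("unchecked: flag=0x%02x\n", run(0, 12));
    printf("checked:   flag=0x%02x\n", run(1, 12));
    return 0;
}
```

In the unchecked run the 12-byte write stays inside linear memory, so nothing traps, yet the adjacent local is overwritten while the entry in control_stack is untouched.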