VMCanary: Effective Memory Protection for WebAssembly via Virtual Machine-assisted Approach | IEEE Conference Publication | IEEE Xplore

VMCanary: Effective Memory Protection for WebAssembly via Virtual Machine-assisted Approach


Abstract:

WebAssembly is an emerging secure programming language and portable instruction set architecture, and has been deployed in diverse security-critical scenarios due to its safety advantages. However, WebAssembly’s linear memory is still vulnerable to buffer overflows due to the lack of an effective protection mechanism, defeating its security guarantees. In this paper, we present VMCanary, the first framework for effective WebAssembly memory protection, which leverages a canary approach with the aid of WebAssembly virtual machines (VMs). Our key idea is that, because WebAssembly is a managed programming language executed by underlying WebAssembly VMs, the VMs must understand any protection mechanism already enforced in programs. Based on this idea, we first propose the concept of a canary in code, which is like a traditional canary in data but whose semantics are understandable by the underlying WebAssembly VMs. To realize this kind of canary, we introduce two novel WebAssembly instructions by defining their semantics. Furthermore, we design an instrumentation pass for WebAssembly binaries that inserts these two instructions automatically, so no source code or compiler toolchain modifications are required. We have implemented a software prototype of VMCanary and conducted extensive experiments to evaluate it on micro benchmarks and 59 real-world CWEs. Experimental results demonstrate that VMCanary is effective in protecting Wasm memory with negligible overhead (3% on average).
Date of Conference: 22-26 October 2023
Date Added to IEEE Xplore: 25 December 2023
Conference Location: Chiang Mai, Thailand

I. Introduction

WebAssembly [1] (Wasm) is a novel binary instruction set architecture and code distribution format [2], designed with the goals of security, efficiency, and portability. In light of Wasm’s security promise, recent years have witnessed successful deployments of Wasm in diverse security-critical domains such as edge computing [3], smart contracts [4], and so on. Hence, given its security design goal and wide adoption, Wasm programs should be reliable and trustworthy. Despite the urgent need for security and reliability, recent studies [5] [6] [7] [8] [9] have demonstrated that Wasm programs are still vulnerable and exploitable, due to defects in the design of Wasm’s memory model. Specifically, to protect function call stacks against buffer overflow attacks [10] [11] [12], Wasm introduced a novel design in which the linear memory contains a data stack that stores a function’s aggregate local variables (e.g., buffers). Meanwhile, Wasm uses a separate control stack, residing in VM-owned managed memory, to store function return addresses, following the key idea of shadow stacks [13] [14] [15]. Unfortunately, while Wasm’s separation of data and control stacks effectively protects return addresses from being compromised, overflows on the data stack may still corrupt data in other data stack frames or in the heap [5], leading to the compromise of the whole system. Worse yet, vulnerabilities (e.g., buffer overflows) in sources written in unsafe languages may be propagated to Wasm by the toolchain without being detected. Hence, developing an effective memory protection for Wasm is essential.
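The memory model sketched above (a data stack inside linear memory, a separate control stack in VM-managed memory) is easy to misread, so the following added example models it as a toy simulator. This is illustration code written for this page, not the paper's VMCanary prototype and not a real Wasm engine; the frame layout, the return-record values 0x100 and 0x200, the 8-byte buffer and the classic data canary in the caller frame are all constructed assumptions. It shows why the shadow-stack split protects return records but not neighbouring data, why Wasm's bounds check only traps at the edge of linear memory, and how a traditional data canary (the kind the paper contrasts with its canary in code) detects the corruption.

```python
"""Toy model of Wasm's two stacks, constructed for illustration only.

Not the paper's mechanism: it shows the data-stack / control-stack split
the introduction describes and a classic *data* canary check.
"""
import secrets
import struct

PAGE = 65536  # one Wasm linear-memory page (64 KiB)


class ToyWasmVM:
    """Minimal model: data stack in linear memory, control stack outside it."""

    def __init__(self):
        self.mem = bytearray(PAGE)   # linear memory: the data stack lives here
        self.sp = PAGE               # stack-pointer global; data stack grows down
        self.control_stack = []      # return records kept in VM-managed memory

    def call(self, ret_addr, frame_size):
        """Enter a function: push the return record, carve a data-stack frame."""
        self.control_stack.append(ret_addr)
        self.sp -= frame_size
        return self.sp  # base address of the new frame in linear memory

    def ret(self):
        """Leave a function: the return record comes from the control stack."""
        return self.control_stack.pop()

    def store_bytes(self, addr, data):
        """Like a compiled memcpy: only the linear-memory bound is checked."""
        if addr < 0 or addr + len(data) > len(self.mem):
            raise IndexError("out-of-bounds linear memory access: trap")
        self.mem[addr:addr + len(data)] = data

    def store_i32(self, addr, value):
        struct.pack_into("<I", self.mem, addr, value)

    def load_i32(self, addr):
        return struct.unpack_from("<I", self.mem, addr)[0]


def run(payload, use_canary):
    """Copy `payload` into an 8-byte stack buffer and report what survived.

    Constructed layout (addresses grow upward):
        callee frame : 8-byte buffer            [PAGE-16, PAGE-8)
        caller frame : 4-byte canary slot       [PAGE-8,  PAGE-4)
                       4-byte local `is_admin`  [PAGE-4,  PAGE)
    """
    vm = ToyWasmVM()
    caller_base = vm.call(ret_addr=0x100, frame_size=8)  # 0x100: constructed id
    canary_addr = caller_base
    is_admin_addr = caller_base + 4
    vm.store_i32(is_admin_addr, 0)                        # 0 = not admin
    canary = secrets.randbits(32) if use_canary else 0   # classic data canary
    vm.store_i32(canary_addr, canary)

    callee_base = vm.call(ret_addr=0x200, frame_size=8)  # 0x200: constructed id
    try:
        vm.store_bytes(callee_base, payload)  # no length check against the buffer
    except IndexError:
        return {"trapped": True}              # only the page edge is enforced

    return {
        "trapped": False,
        "is_admin": vm.load_i32(is_admin_addr),
        "canary_intact": vm.load_i32(canary_addr) == canary if use_canary else None,
        # return records never lived in linear memory, so they are untouched
        "control_stack_intact": vm.ret() == 0x200 and vm.ret() == 0x100,
    }


if __name__ == "__main__":
    print("benign              :", run(b"hello\0\0\0", use_canary=True))
    print("overflow, no canary :", run(b"A" * 12 + b"\x01\0\0\0", use_canary=False))
    print("overflow, canary    :", run(b"A" * 12 + b"\x01\0\0\0", use_canary=True))
    print("past the page       :", run(b"B" * 17, use_canary=True))
```

The 16-byte write never touches the control stack, so `control_stack_intact` stays true in every case; what changes is the caller's `is_admin` local, which is exactly the "data on data stack frames" corruption the paper targets. The data canary catches it, but only because a check is performed in code the VM does not understand, which is the gap the paper's canary-in-code instructions are designed to close.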

