WebAssembly Security

from Reversing to Vulnerability Research

4 Day u_long 32 CPE Hour Training: August 2021

## Abstract WebAssembly (**WASM**) is a new binary format currently developed and supported by all major web-browsers including Firefox, Chrome, Webkit/Safari and Microsoft Edge. This format has been designed to be "Efficient and fast", "Debuggable" and "Safe" and is often called the game changer for the web. WebAssembly is beginning to be used everywhere and for everything * Web-browsers (Desktop & Mobile) * Servers/Website (Nodejs, React, Qt, Electron, Cloudflare workers) * Video games (Unity, UE4) * Blockchain platforms (EOS, Ethereum, Dfinity) * Cryptojacking (Coinhive, Cryptoloot) * Linux Kernel (Cervus, Nebulet) * ... and more This course will give you all the prerequisites to understand what is a WebAssembly module and its associated runtime virtual machine. At the end of four intensive days, you will be able to statically and dynamically reverse a WebAssembly module, analyze its behavior, create specific detection rules and search for vulnerabilities. You will discover which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will search for vulnerabilities inside WebAssembly VMs (web browsers, standalone VM) using mutation and generation based fuzzing techniques. Students shall be presented with lots of hands-on exercises allowing them to internalize concepts and techniques taught in class. ## Key Learning Objectives * Learn what is WebAssembly and what’s inside a WebAssembly module. * Discover the architecture of the WebAssembly virtual machine. * Learn how to analyze statically and dynamically real-life WASM modules. * Discover how to hack video games running on your browsers using WebAssembly. * Learn how to find vulnerabilities inside WebAssembly module and how to exploit them. * Study and analyze the module validation mechanism to bypass it. * Learn how to apply mutation, grammar and evolutionary fuzzing on WebAssembly VM. * Discover how WebAssembly can help you in your day-to-day security work. ## Who Should Attend This class is meant for everyone that want to understand deeper how WebAssembly works such as: malware analysts dealing with cryptominers, professional pentester planning to audit WebAssembly module, developers or students looking to add WebAssembly in their skill-sets, blockchain auditors auditing EOS or Ethereum 2.0 smart contracts and finally vulnerability researchers looking for new targets (like web-browsers) will benefit from this course. ## Agenda #### Session 1: WebAssembly Reversing * Introduction to WebAssembly * WebAssembly VM architecture and toolchains * Writing examples in C/C++/Rust/C# * Module debugging * WASM binary format (header, sections, etc.) * WebAssembly Text Format (wat/wast) * WebAssembly Instructions set * Writing examples using WASM Text format * Reversing WebAssembly module * CFG and CallGraph reconstruction * DataFlowGraph analysis #### Session 2: Analysis of real-life WASM modules * Modules Instructions analytics/metrics * WebAssembly cryptominers analysis * Pattern detection signatures (YARA rules, etc.) * Taint Tracking * Dynamic Binary Instrumentation * Bytecode (De)-Obfuscation techniques * Static Single Assignment and Decompilation * Real-life WASM module analysis * WebAssembly video game hacking #### Session 3: WebAssembly Modules Vulnerabilities * Traps and Exception handling * WebAssembly module vulnerabilities * Integer/Stack/Heap Overflows * Advanced vulnerabilities (UaF, TOCTOU) * CFI Hijacking * Emscripten vulnerabilities * Exploiting NodeJS server running WASM module * Vulnerability detection (Static and Dynamic) * Lifting WASM bytecode * Fuzzing WebAssembly modules #### Session 4: Vulnerability Research inside WebAssembly VM * Web-Browsers vulnerabilities analysis (CVEs PoC) * WebAssembly VM and Interpreter vulnerabilities * WebAssembly JS APIs generation * Fuzzing Web-Browsers (Chrome, Firefox, WebKit) * WASM module validation mechanism * Writing edge case modules * WAT, WAST & WASM generation using grammars * Interesting VM targets (kernel, blockchain, etc.) * Fuzzing C/C++/Rust/Go based WebAssembly projects * WebAssembly applied for Security Researcher toolings * In-memory fuzzing everything using WebAssembly and Frida ## Prerequisites * Basic reverse engineering skills. * Familiarity with scripting (Python, Bash). * Familiarity with C/C++ or Rust programming. * SKILL LEVEL: BEGINNER / INTERMEDIATE ## Laptop Requirements * A working laptop capable of running virtual machines * 8GB RAM required, at a minimum * 40 GB free Hard disk space * VirtualBox * Administrator / root access MANDATORY * IDA Pro would be helpful but not required
Patrick Ventuzelo

Patrick Ventuzelo

Register Now

Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, reverse engineering and program analysis. He is the creator of two trainings namely "WebAssembly Security" and "Rust Security". Patrick is also the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple blockchain smart contract to help researchers perform closed-source bytecode analysis. Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity. Patrick has been speaker and trainer at various international conferences such as REcon Montreal/Brussels, Toorcon, hack.lu, NorthSec, FIRST, Microsoft DCC, SSTIC, BlackAlps, Devcon, etc.