Computer Systems & Security Group, USTC

Home
Publications
Projects
Courses
Members

SafeAssembly: WebAssembly Security Study

Overview:

WebAssembly is an emerging binary instruction set architecture and code distribution format, providing a unified compiling target for high-level programming languages. Due to its design advantages such as efficiency, security and portability, WebAssembly has already been widely used in the Web and non-Web scenarios. First, in the Web domain, WebAssembly has become the fourth Web language standard specification after HTML, CSS, and JavaScript, and has been supported by all major browsers. Second, with the advent of WebAssembly System Interface (WASI) technology, WebAssembly programs can interact directly with the underlying operating system by calling native functions, which enables WebAssembly programs to work independently of the browser and directly on the host, cloud, or edge computing environments. With the rapid growth of the WebAssembly ecosystem and application areas, WebAssembly is expected to become one of the most important common binary code formats in the future.

Although WebAssembly was designed to emphasize and ensure security by introducing a variety of security features, the results of existing research on WebAssembly security show that the features of WebAssembly also introduce new security risks and attack surfaces, leading to many new security issues. These security issues are spread across all levels of the WebAssembly ecosystem: high-level language support, compilation toolchains, binary formats, programming language virtual machines.

The goal of the SafeAssembly project is to investigate the security of WebAssembly ecosystem. To be specific, this project aims to:

  • systematic study of security issues at all levels of the WebAssembly ecosystem;
  • propose theories and frameworks for detecting and repairing vulnerabilities in the WebAssembly ecosystem;
  • develop practical software prototypes.
Publications:
  • A Survey of WebAssembly Security
  • An Empirical Study of Bugs in WebAssembly Virtual Machines
Members:
  • Qiliang Fan
  • Shuang Hu
  • Baojian Hua
  • Xinrong Lin
  • Zhizhong Pan
  • Meng Wu
  • Wenlong Zheng
  • Junjie Zhuang