TaintAssembly: Taint-Based Information Flow Control Tracking for WebAssembly

TL;DR

TaintAssembly is a taint tracking engine for WebAssembly integrated into V8, enabling detection of undesirable data flows with minimal performance overhead, aiding development and debugging.

Contribution

It introduces a novel taint tracking implementation for interpreted WebAssembly within V8, including basic and probabilistic taint models.

Findings

Minimal performance overhead compared to vanilla V8

Effective taint tracking for WebAssembly applications

Applicable for debugging and security analysis

Abstract

WebAssembly (wasm) has recently emerged as a promisingly portable, size-efficient, fast, and safe binary format for the web. As WebAssembly can interact freely with JavaScript libraries, this gives rise to a potential for undesirable behavior to occur. It is therefore important to be able to detect when this might happen. A way to do this is through taint tracking, where we follow the flow of information by applying taint labels to data. In this paper, we describe TaintAssembly, a taint tracking engine for interpreted WebAssembly, that we have created by modifying the V8 JavaScript engine. We implement basic taint tracking functionality, taint in linear memory, and a probabilistic variant of taint. We then benchmark our TaintAssembly engine by incorporating it into a Chromium build and running it on custom test scripts and various real world WebAssembly applications. We find that our modifications to the V8 engine do not incur significant overhead with respect to vanilla V8's interpreted WebAssembly, making TaintAssembly suitable for development and debugging.