Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly
Daniel Lehmann (University of Stuttgart, Germany), Martin Toldam Torp (Aarhus University, Denmark), Michael Pradel (University of Stuttgart, Germany)

TL;DR
Fuzzm is a novel binary-only fuzzer for WebAssembly that detects memory vulnerabilities using canary instrumentation, enabling both vulnerability discovery and binary hardening with low overhead.
Contribution
This paper introduces Fuzzm, the first binary-only WebAssembly fuzzer that combines canary-based vulnerability detection with efficient coverage and input generation techniques.
Findings
Explored thousands of execution paths in real-world WebAssembly binaries.
Triggered dozens of crashes indicating potential vulnerabilities.
Prevented known exploits through binary hardening with low runtime overhead.
Abstract
WebAssembly binaries are often compiled from memory-unsafe languages, such as C and C++. Because of WebAssembly's linear memory and missing protection features, e.g., stack canaries, source-level memory vulnerabilities are exploitable in compiled WebAssembly binaries, sometimes even more easily than in native code. This paper addresses the problem of detecting such vulnerabilities through the first binary-only fuzzer for WebAssembly. Our approach, called Fuzzm, combines canary instrumentation to detect overflows and underflows on the stack and the heap, an efficient coverage instrumentation, a WebAssembly VM, and the input generation algorithm of the popular AFL fuzzer. Besides as an oracle for fuzzing, our canaries also serve as a stand-alone binary hardening technique to prevent the exploitation of vulnerable binaries in production. We evaluate Fuzzm with 28 real-world WebAssembly…
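The abstract makes two claims that are easy to conflate: a WebAssembly VM traps only when an access leaves linear memory entirely, so an overflow that stays inside the flat byte array succeeds silently, and canary words placed around a buffer turn that silent corruption into a detectable event. The C program below is an added illustration of both points and is not Fuzzm's code: it models one page of linear memory as a plain array, an unmanaged stack whose start address (`STACK_TOP`), the canary value (`CANARY_WORD`), the frame layout and all function names are assumptions made for this example, and the inputs are constructed, not fuzzer output. The stack case is shown; a heap variant would wrap the allocator the same way.

```c
#include <stdint.h>
#include <string.h>

#define WASM_PAGE_SIZE 65536u        /* one WebAssembly page */
#define STACK_TOP      32768u        /* assumed: unmanaged stack starts mid-page, grows down */
#define CANARY_WORD    0xC0DEC0DEu   /* assumed canary value, chosen for this example */

/* What the fuzzing oracle reports for one execution. */
enum oracle_verdict { VERDICT_OK = 0, VERDICT_UNDERFLOW = 1, VERDICT_OVERFLOW = 2, VERDICT_TRAP = 3 };

/* Linear memory is a flat byte array. There are no guard pages, no read-only
   segments and no hardware stack protection: the VM checks only that an access
   stays inside the array. */
static uint8_t linear_memory[WASM_PAGE_SIZE];

/* Stack pointer of the unmanaged stack that compiled C/C++ keeps in linear
   memory for address-taken locals such as char buffers. */
static uint32_t stack_pointer = STACK_TOP;

/* Models a Wasm store: returns -1 (trap) only if the access leaves linear
   memory. A write to the wrong address inside memory succeeds silently. */
static int wasm_store(uint32_t addr, const void *src, uint32_t len) {
    if (addr > WASM_PAGE_SIZE || len > WASM_PAGE_SIZE - addr)
        return -1;
    memcpy(linear_memory + addr, src, len);
    return 0;
}

static uint32_t wasm_load_u32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, linear_memory + addr, sizeof v);
    return v;
}

/* Instrumented stack allocation: lays out [canary][buffer][canary] and returns
   the buffer address. A heap allocator would wrap malloc/free the same way. */
static uint32_t alloc_canaried_buffer(uint32_t size) {
    uint32_t canary = CANARY_WORD;
    stack_pointer -= size + 2 * sizeof canary;
    uint32_t buf = stack_pointer + sizeof canary;
    wasm_store(buf - sizeof canary, &canary, sizeof canary);  /* low canary  */
    wasm_store(buf + size, &canary, sizeof canary);           /* high canary */
    return buf;
}

static void free_canaried_buffer(uint32_t size) {
    stack_pointer += size + 2 * sizeof(uint32_t);
}

/* Canary check inserted before the function returns: a clobbered low word means
   a write went below the buffer (underflow), a clobbered high word above it. */
static enum oracle_verdict check_canaries(uint32_t buf, uint32_t size) {
    if (wasm_load_u32(buf - sizeof(uint32_t)) != CANARY_WORD) return VERDICT_UNDERFLOW;
    if (wasm_load_u32(buf + size) != CANARY_WORD) return VERDICT_OVERFLOW;
    return VERDICT_OK;
}

/* The source-level bug: copies input_len bytes into a 16-byte stack buffer
   with no length check. Returns the oracle's verdict for this execution. */
static enum oracle_verdict vulnerable_copy(const uint8_t *input, uint32_t input_len) {
    const uint32_t size = 16;
    uint32_t buf = alloc_canaried_buffer(size);
    enum oracle_verdict verdict;
    if (wasm_store(buf, input, input_len) != 0)
        verdict = VERDICT_TRAP;           /* only when the copy runs off the page */
    else
        verdict = check_canaries(buf, size);
    free_canaried_buffer(size);
    return verdict;
}

/* A second bug shape: unchecked index into a 16-byte buffer. i32 address
   arithmetic wraps, so index -1 lands one byte below the buffer. */
static enum oracle_verdict vulnerable_index_write(int32_t index, uint8_t value) {
    const uint32_t size = 16;
    uint32_t buf = alloc_canaried_buffer(size);
    enum oracle_verdict verdict;
    if (wasm_store(buf + (uint32_t)index, &value, 1) != 0)
        verdict = VERDICT_TRAP;
    else
        verdict = check_canaries(buf, size);
    free_canaried_buffer(size);
    return verdict;
}

/* Constructed stand-in for a fuzzer-generated input: input_len bytes of 'A'. */
static enum oracle_verdict fuzz_copy_with_length(uint32_t input_len) {
    static uint8_t input[WASM_PAGE_SIZE];
    memset(input, 'A', sizeof input);
    return vulnerable_copy(input, input_len);
}
```

A 20-byte input into the 16-byte buffer never reaches the page boundary, so the model VM raises no trap and only the high canary reveals the bug; a 40000-byte input does trap, which is the one case a plain VM would have caught anyway. Under fuzzing, any verdict other than `VERDICT_OK` is treated as a crash; left in a production binary, the same check would abort instead of returning a verdict, which is the hardening use the abstract describes. The usual canary caveat applies: an overflow whose bytes happen to reproduce the canary value passes the check, so the value should not be guessable from the input.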
Taxonomy
Topics: Security and Verification in Computing · Radiation Effects in Electronics · Diamond and Carbon-based Materials Research
