TL;DR
Wasmati is a static analysis tool that generates code property graphs for WebAssembly binaries to efficiently detect security vulnerabilities, addressing the increased attack surface from unsafe source languages.
Contribution
The paper formalizes the code property graph (CPG) for WebAssembly, introduces techniques for generating it, and develops query languages for vulnerability detection, demonstrating scalability and effectiveness.
Findings
Successfully generated CPGs for large WebAssembly applications
Detected multiple potential vulnerabilities in real-world binaries
Validated vulnerability findings through manual confirmation
Abstract
WebAssembly is a new binary instruction format that allows targeted compiled code written in high-level languages to be executed with near-native speed by the browser's JavaScript engine. However, given that WebAssembly binaries can be compiled from unsafe languages like C/C++, classical code vulnerabilities such as buffer overflows or format strings can be transferred over from the original programs down to the cross-compiled binaries. As a result, this possibility of incorporating vulnerabilities in WebAssembly modules has widened the attack surface of modern web applications. This paper presents Wasmati, a static analysis tool for finding security vulnerabilities in WebAssembly binaries. It is based on the generation of a code property graph (CPG), a program representation previously adopted for detecting vulnerabilities in various languages but hitherto unapplied to WebAssembly. We…
