SeeWasm: An Efficient and Fully-Functional Symbolic Execution Engine for WebAssembly Binaries

TL;DR

SeeWasm is a new symbolic execution engine for WebAssembly binaries that supports all features, requires no manual intervention, and significantly speeds up vulnerability analysis, leading to the discovery of numerous security issues.

Contribution

It introduces SeeWasm, the first fully-functional, platform-independent symbolic executor for WebAssembly that improves efficiency and usability over existing tools.

Findings

Supports full WebAssembly features without manual intervention

Accelerates analysis by 2 to 6 times compared to existing tools

Discovered over 30 zero-day vulnerabilities in real-world applications

Abstract

WebAssembly (Wasm), as a compact, fast, and isolation-guaranteed binary format, can be compiled from more than 40 high-level programming languages. However, vulnerabilities in Wasm binaries could lead to sensitive data leakage and even threaten their hosting environments. To identify them, symbolic execution is widely adopted due to its soundness and the ability to automatically generate exploitations. However, existing symbolic executors for Wasm binaries are typically platform-specific, which means that they cannot support all Wasm features. They may also require significant manual interventions to complete the analysis and suffer from efficiency issues as well. In this paper, we propose an efficient and fully-functional symbolic execution engine, named SeeWasm. Compared with existing tools, we demonstrate that SeeWasm supports full-featured Wasm binaries without further manual intervention, while accelerating the analysis by 2 to 6 times. SeeWasm has been adopted by existing works to identify more than 30 0-day vulnerabilities or security issues in well-known C, Go, and SGX applications after compiling them to Wasm binaries.