Owi: Performant Parallel Symbolic Execution Made Easy, an Application to WebAssembly

TL;DR

Owi is a modular, high-performance symbolic interpreter for WebAssembly that effectively detects bugs in C and Rust programs, outperforming existing tools in certain scenarios and ensuring better bug detection accuracy.

Contribution

We introduce Owi, a novel monadic, modular symbolic execution tool for WebAssembly, demonstrating its effectiveness and scalability in bug detection for multi-language codebases.

Findings

Owi achieves performance comparable to state-of-the-art tools.

Owi detects bugs more accurately in certain scenarios.

Owi scales well with large benchmarks.

Abstract

In this paper, we present the design of Owi, a symbolic interpreter for WebAssembly written in OCaml, and how we used it to create a state-of-the-art tool to find bugs in programs combining C and Rust code. WebAssembly (Wasm) is a binary format for executable programs. Originally intended for web applications, Wasm is also considered a serious alternative for server-side runtimes and embedded systems due to its performance and security benefits. Despite its security guarantees and sandboxing capabilities, Wasm code is still vulnerable to buffer overflows and memory leaks, which can lead to exploits on production software. To help prevent those, different techniques can be used, including symbolic execution. Owi is built around a modular, monadic interpreter capable of both normal and symbolic execution of Wasm programs. Monads have been identified as a way to write modular interpreters since 1995 and this strategy has allowed us to build a robust and performant symbolic execution tool which our evaluation shows to be the best currently available for Wasm. Moreover, because WebAssembly is a compilation target for multiple languages (such as Rust and C), Owi can be used to find bugs in C and Rust code, as well as in codebases mixing the two. We demonstrate this flexibility through illustrative examples and evaluate its scalability via comprehensive experiments using the 2024 Test-Comp benchmarks. Results show that Owi achieves comparable performance to state-of-the-art tools like KLEE and Symbiotic, and exhibits advantages in specific scenarios where KLEE's approximations could lead to false negatives.