Lost in the Pages: WebAssembly Code Recovery through SEV-SNP's Exposed Address Space

TL;DR

This paper presents a novel attack exploiting exposed address space in TEEs to recover over 70% of WebAssembly code, significantly surpassing previous methods limited to Intel SGX.

Contribution

It introduces a new WebAssembly code confidentiality attack leveraging TEE address space exposure, extending prior work beyond Intel SGX.

Findings

Achieves over 70% code recovery in most cases

Surpasses previous SGX-based code extraction limits

Demonstrates vulnerability of WebAssembly in TEEs

Abstract

WebAssembly (Wasm) has risen as a widely used technology to distribute computing workloads on different platforms. The platform independence offered through Wasm makes it an attractive solution for many different applications that can run on disparate infrastructures. In addition, Trusted Execution Environments (TEEs) are offered in many computing infrastructures, which allows also running security sensitive Wasm workloads independent of the specific platforms offered. However, recent work has shown that Wasm binaries are more sensitive to code confidentiality attacks than native binaries. The previous result was obtained for Intel SGX only. In this paper, we take this one step further, introducing a new Wasm code-confidentiality attack that exploits exposed address-space information in TEEs. Our attack enables the extraction of crucial execution features which, when combined with additional side channels, allows us to with high reliability obtain more than 70% of the code in most cases. This is a considerably larger amount than was previously obtained by single stepping Intel SGX where only upwards to 50% of the code could be obtained.