Security Risks of Porting C Programs to WebAssembly

Quentin Stiévenart; Coen De Roover; Mohammad Ghafari

doi:10.1145/3477314.3507308

Security Risks of Porting C Programs to WebAssembly

Quentin Stiévenart, Coen De Roover, Mohammad Ghafari

Research output: Chapter in Book/Report/Conference proceeding › Conference paper

4 Citations (Scopus)

105 Downloads (Pure)

Abstract

WebAssembly is a compilation target for cross-platform applications that is increasingly being used. In this paper, we investigate whether one can transparently cross-compile C programs to WebAssembly, and if not, what impact porting can have on their security. We compile 17 802 programs that exhibit common vulnerabilities to 64-bit x86 and to WebAssembly binaries, and we observe that the execution of 4 911 binaries produces different results across these platforms. Through manual inspection, we identify three classes of root causes for such differences: the use of a different standard library implementation, the lack of security measures in WebAssembly, and the different semantics of the execution environments. We describe our observations and discuss the ones that are critical from a security point of view and need most attention from developers. We conclude that compiling an existing C program to WebAssembly for cross-platform distribution may require source code adaptations; otherwise, the security of the WebAssembly application may be at risk.

Original language	English
Title of host publication	Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022
Publisher	ACM
Pages	1713-1722
Number of pages	10
ISBN (Electronic)	9781450387132
DOIs	https://doi.org/10.1145/3477314.3507308
Publication status	Published - 25 Apr 2022
Event	The 37th ACM/SIGAPP Symposium On Applied Computing - Virtual Duration: 25 Apr 2022 → 29 Apr 2022 https://www.sigapp.org/sac/sac2022/

Publication series

Name	Proceedings of the ACM Symposium on Applied Computing

Conference

Conference	The 37th ACM/SIGAPP Symposium On Applied Computing
Abbreviated title	SAC 2022
Period	25/04/22 → 29/04/22
Internet address	https://www.sigapp.org/sac/sac2022/

Bibliographical note

Publisher Copyright:
© 2022 ACM.

Copyright:
Copyright 2022 Elsevier B.V., All rights reserved.

Access to Document

10.1145/3477314.3507308

WebAssembly_Security_2__SAC_Accepted author manuscript, 578 KB

Cite this

@inproceedings{ca10751788d14007b8fb77d53be62c50,

title = "Security Risks of Porting C Programs to WebAssembly",

abstract = "WebAssembly is a compilation target for cross-platform applications that is increasingly being used. In this paper, we investigate whether one can transparently cross-compile C programs to WebAssembly, and if not, what impact porting can have on their security. We compile 17 802 programs that exhibit common vulnerabilities to 64-bit x86 and to WebAssembly binaries, and we observe that the execution of 4 911 binaries produces different results across these platforms. Through manual inspection, we identify three classes of root causes for such differences: the use of a different standard library implementation, the lack of security measures in WebAssembly, and the different semantics of the execution environments. We describe our observations and discuss the ones that are critical from a security point of view and need most attention from developers. We conclude that compiling an existing C program to WebAssembly for cross-platform distribution may require source code adaptations; otherwise, the security of the WebAssembly application may be at risk.",

author = "Quentin Sti{\'e}venart and {De Roover}, Coen and Mohammad Ghafari",

note = "Publisher Copyright: {\textcopyright} 2022 ACM. Copyright: Copyright 2022 Elsevier B.V., All rights reserved.; The 37th ACM/SIGAPP Symposium On Applied Computing, SAC 2022 ; Conference date: 25-04-2022 Through 29-04-2022",

year = "2022",

month = apr,

day = "25",

doi = "10.1145/3477314.3507308",

language = "English",

series = "Proceedings of the ACM Symposium on Applied Computing",

publisher = "ACM",

pages = "1713--1722",

booktitle = "Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022",

url = "https://www.sigapp.org/sac/sac2022/",

}

TY - GEN

T1 - Security Risks of Porting C Programs to WebAssembly

AU - Stiévenart, Quentin

AU - De Roover, Coen

AU - Ghafari, Mohammad

PY - 2022/4/25

Y1 - 2022/4/25

N2 - WebAssembly is a compilation target for cross-platform applications that is increasingly being used. In this paper, we investigate whether one can transparently cross-compile C programs to WebAssembly, and if not, what impact porting can have on their security. We compile 17 802 programs that exhibit common vulnerabilities to 64-bit x86 and to WebAssembly binaries, and we observe that the execution of 4 911 binaries produces different results across these platforms. Through manual inspection, we identify three classes of root causes for such differences: the use of a different standard library implementation, the lack of security measures in WebAssembly, and the different semantics of the execution environments. We describe our observations and discuss the ones that are critical from a security point of view and need most attention from developers. We conclude that compiling an existing C program to WebAssembly for cross-platform distribution may require source code adaptations; otherwise, the security of the WebAssembly application may be at risk.

AB - WebAssembly is a compilation target for cross-platform applications that is increasingly being used. In this paper, we investigate whether one can transparently cross-compile C programs to WebAssembly, and if not, what impact porting can have on their security. We compile 17 802 programs that exhibit common vulnerabilities to 64-bit x86 and to WebAssembly binaries, and we observe that the execution of 4 911 binaries produces different results across these platforms. Through manual inspection, we identify three classes of root causes for such differences: the use of a different standard library implementation, the lack of security measures in WebAssembly, and the different semantics of the execution environments. We describe our observations and discuss the ones that are critical from a security point of view and need most attention from developers. We conclude that compiling an existing C program to WebAssembly for cross-platform distribution may require source code adaptations; otherwise, the security of the WebAssembly application may be at risk.

UR - http://www.scopus.com/inward/record.url?scp=85130345430&partnerID=8YFLogxK

U2 - 10.1145/3477314.3507308

DO - 10.1145/3477314.3507308

M3 - Conference paper

T3 - Proceedings of the ACM Symposium on Applied Computing

SP - 1713

EP - 1722

BT - Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022

PB - ACM

T2 - The 37th ACM/SIGAPP Symposium On Applied Computing

Y2 - 25 April 2022 through 29 April 2022

ER -

Security Risks of Porting C Programs to WebAssembly

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

VLAAI2: Subsidie Onderzoeksprogramma "Cybersecurity Initiative Flanders"

Cite this

Security Risks of Porting C Programs to WebAssembly

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

Projects

VLAAI2: Subsidie Onderzoeksprogramma "Cybersecurity Initiative Flanders"

Cite this