Abstract
WebAssembly is increasingly used as the compilation target for cross-platform applications.
In this paper, we investigate whether one can rely on the security measures enforced by existing C compilers when compiling C programs to WebAssembly.
We compiled 4,469 C programs with known buffer overflow vulnerabilities to x86 code and to WebAssembly, and observed the outcome of the execution of the generated code to differ for 1,088 programs.
Through manual inspection, we identified that the root cause for these is the lack of security measures such as stack canaries in the generated WebAssembly: while x86 code crashes upon a stack-based buffer overflow, the corresponding WebAssembly continues to be executed.
We conclude that compiling an existing C program to WebAssembly without additional precautions may hamper its security, and we encourage more research in this direction.
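The root cause named in the abstract, shown as an added example (not code from the paper): a simplified, memory-safe model of a stack frame in which the same unchecked copy either trips a canary check, as in the protected x86 build, or runs on with corrupted data, as in the WebAssembly build. The frame layout, the canary value and the `is_admin` field are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame as bytes in a flat memory region:
   [ buf (16) | canary (8) | is_admin (4) ]. All names here are hypothetical. */
enum { BUF_LEN = 16, CANARY_OFF = 16, FLAG_OFF = 24, FRAME_LEN = 28 };
static const uint64_t CANARY = 0x00a5c3e1d2b4f697ULL; /* constructed value */

typedef enum { RAN_TO_COMPLETION, ABORTED_BY_CANARY } outcome_t;
typedef struct { outcome_t outcome; uint32_t is_admin; } result_t;

/* Run the modelled function on `input`. use_canary=1 models a build with a
   stack protector, use_canary=0 a build without one. */
result_t run_frame(const unsigned char *input, size_t n, int use_canary)
{
    unsigned char frame[FRAME_LEN] = {0};
    result_t r = { RAN_TO_COMPLETION, 0 };
    uint64_t seen;

    if (n > FRAME_LEN)
        n = FRAME_LEN;           /* keeps the model itself memory-safe */
    if (use_canary)              /* prologue: place the canary after buf */
        memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);

    memcpy(frame, input, n);     /* the bug: n is never checked against BUF_LEN */

    if (use_canary) {            /* epilogue: verify the canary before returning */
        memcpy(&seen, frame + CANARY_OFF, sizeof seen);
        if (seen != CANARY) {
            r.outcome = ABORTED_BY_CANARY;
            return r;
        }
    }
    memcpy(&r.is_admin, frame + FLAG_OFF, sizeof r.is_admin);
    return r;                    /* without a canary, corrupted state is used as valid */
}

int main(void)
{
    unsigned char in[FRAME_LEN];
    memset(in, 'A', sizeof in);  /* constructed 28-byte input, 12 bytes too long */
    result_t a = run_frame(in, sizeof in, 1);
    result_t b = run_frame(in, sizeof in, 0);
    printf("with canary:    %s\n", a.outcome == ABORTED_BY_CANARY ? "aborted" : "completed");
    printf("without canary: %s, is_admin=0x%08x\n",
           b.outcome == ABORTED_BY_CANARY ? "aborted" : "completed", (unsigned)b.is_admin);
    return 0;
}
```
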
Original language | English |
---|---|
Title of host publication | Proceedings - 2021 21st International Conference on Software Quality, Reliability and Security, QRS 2021 |
Publisher | IEEE |
Pages | 132-139 |
Number of pages | 8 |
ISBN (Electronic) | 978-1-6654-5813-9 |
Publication status | Published - 2021 |
Event | 21st IEEE International Conference on Software Quality, Reliability, and Security; Duration: 6 Dec 2021 → 10 Dec 2021; Conference number: 2021; https://qrs21.techconf.org/ |
Publication series
Name | IEEE International Conference on Software Quality, Reliability and Security, QRS |
---|---|
Volume | 2021-December |
ISSN (Print) | 2693-9177 |
Conference
Conference | 21st IEEE International Conference on Software Quality, Reliability, and Security |
---|---|
Abbreviated title | QRS |
Period | 6/12/21 → 10/12/21 |
Bibliographical note
Publisher Copyright: © 2021 IEEE.
Copyright:
Copyright 2023 Elsevier B.V., All rights reserved.
Fingerprint
Dive into the research topics of 'The Security Risk of Lacking Compiler Protection in WebAssembly'. Together they form a unique fingerprint.
Projects
- 1 Active
- VLAAI2: Cybersecurity Research Program Flanders – second cycle
  De Meuter, W., Braeken, A., Devriese, D., Gonzalez Boix, E. & De Roover, C.
  1/01/24 → 31/12/28
  Project: Applied