OWASP LA Monthly Virtual Meeting - Nov 25, 2020

Come join us as we hear from another exciting presenter!
TOPIC: Everything Old is New Again: Binary Security of WebAssembly

NOTE: Presentation Link will be emailed (via meetup) the day before and on day of the event to all those who have RSVP'd)

ABSTRACT: WebAssembly is an increasingly popular, low-level binary format designed to run code in browsers and on other platforms safely and securely, by strictly separating code and data, enforcing types, and limiting indirect control flow. Still, vulnerabilities in memory-unsafe source languages can translate to vulnerabilities in WebAssembly binaries. We have analyzed to what extent vulnerabilities are exploitable in WebAssembly binaries, and how this compares to native code. We find that many classic vulnerabilities which, due to common mitigations, are no longer exploitable in native binaries, are completely exposed in WebAssembly. Moreover, WebAssembly enables unique attacks, such as overwriting supposedly constant data or manipulating the heap using a stack overflow. In this talk, we will explain several attack primitives that allow an attacker (i) to write arbitrary memory, (ii) to overwrite sensitive data, and (iii) to trigger unexpected behavior by diverting control flow or manipulating the host environment. This can ultimately lead to new forms of cross-site scripting in the browser or remote code execution on Node.js. We will also demonstrate one of three end-to-end exploits, which cover three different WebAssembly platforms. In our quantitative evaluation of real-world WebAssembly binaries, we also measure how likely our attack primitives are feasible in practice. Overall, our findings show a perhaps surprising lack of binary security in WebAssembly. Finally, we will discuss some potential mitigations and give recommendations on how to harden WebAssembly binaries in the future.

BIO: Daniel is a third-year PhD student at University of Stuttgart, Germany, interested in security, programming languages, program analysis, and automated testing. He graduated with a master's degree in computer science and another one in IT security from TU Darmstadt, Germany, and peeked into industry during two internships: with Oracle Labs in the bay area, and with Microsoft Research in Redmond. He is the main developer behind Wasabi (http://wasabi.software-lab.org/), a generic dynamic analysis framework for WebAssembly binaries, and currently works on WebAssembly security (this talk) and static analysis (ongoing). Previous research projects include automatic testing of interactive JavaScript debuggers (found >25 bugs in Firefox and Chrome) and of REST APIs (at Microsoft Research). His bachelor thesis on novel attacks against coarse-grained control-flow integrity defenses was presented at BlackHat Briefings USA. For contact information, check out http://software-lab.org/people/Daniel_Lehmann.html.

Meeting info will be emailed to you shortly prior to the event - BE SURE TO RSVP to receive the email containing the link

ATTENTION SPONSORS: YOUR NAME COULD BE HERE
Check out sponsorship opportunities here
https://www.eventbrite.com/e/owasp-los-angeles-chapter-meeting-sponsorship-tickets-30572600471