Visible to the public Compositional Information Flow Analysis for WebAssembly Programs

Submitted by aekwall on Fri, 08/12/2022 - 3:10pm
TitleCompositional Information Flow Analysis for WebAssembly Programs
Publication TypeConference Paper
Year of Publication2020
AuthorsStiévenart, Quentin, Roover, Coen De
Conference Name2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM)
Date Publishedsep
Keywordscomposabiity, Human Behavior, Malware, pubcrawl, Resiliency, security, Servers, Standards, static analysis, static program analysis, Tools, W3C Standards, Webassembly
AbstractWebAssembly is a new W3C standard, providing a portable target for compilation for various languages. All major browsers can run WebAssembly programs, and its use extends beyond the web: there is interest in compiling cross-platform desktop applications, server applications, IoT and embedded applications to WebAssembly because of the performance and security guarantees it aims to provide. Indeed, WebAssembly has been carefully designed with security in mind. In particular, WebAssembly applications are sandboxed from their host environment. However, recent works have brought to light several limitations that expose WebAssembly to traditional attack vectors. Visitors of websites using WebAssembly have been exposed to malicious code as a result. In this paper, we propose an automated static program analysis to address these security concerns. Our analysis is focused on information flow and is compositional. For every WebAssembly function, it first computes a summary that describes in a sound manner where the information from its parameters and the global program state can flow to. These summaries can then be applied during the subsequent analysis of function calls. Through a classical fixed-point formulation, one obtains an approximation of the information flow in the WebAssembly program. This results in the first compositional static analysis for WebAssembly. On a set of 34 benchmark programs spanning 196kLOC of WebAssembly, we compute at least 64% of the function summaries precisely in less than a minute in total.
DOI10.1109/SCAM51674.2020.00007
Citation Keystievenart_compositional_2020
Groups: