WASMDYPA: Effectively Detecting WebAssembly Bugs via Dynamic Program Analysis

WASMDYPA: Effectively Detecting WebAssembly Bugs via Dynamic Program Analysis

연구 분야: Analysis

학회: 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)

Safe binary execution is often a crucial requirement in today's security critical computing infrastructures. WebAssembly is an emerging language designed for safe binary execution that has been deployed in many security critical domains, such as blockchain, edge computing, and clouds. However, WebAssembly's security guarantee is not a cure-all, and recent studies have revealed a large spectrum of security issues such as integer overflows and memory vulnerabilities, leading to serious security hazards to WebAssembly applications. In this paper, we propose the first automated bug detection framework for WebAssembly programs based on dynamic program analysis, directly on WebAssembly binaries. To realize the whole process, we present WASMDYPA, the dynamic bug detection system, consisting of three primary components: 1) an input generator for WebAssembly binaries; 2) a static instrumentation hook providing extensible interfaces to collect runtime information; and 3) dynamic program analysis algorithms as security plugins to detect vulnerabilities. We have implemented a software prototype for WASMDYPA, and have conducted experiments to evaluate the effectiveness, usefulness, performance and overhead of our approach. Experimental results demonstrated that WASMDyPA can accurately detect vulnerabilities with a 88.24% precision and a 93.75% recall. Furthermore, WAS-MDyPA detected 56 bugs in real-world WebAssembly programs, including 2 integer overflows and 54 memory bugs.