Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly
This addresses security risks for users of WebAssembly binaries, especially those compiled from C/C++, by providing a tool for vulnerability detection and hardening, though it is incremental as it builds on existing fuzzing techniques.
The paper tackles the problem of detecting memory vulnerabilities in WebAssembly binaries compiled from memory-unsafe languages by introducing Fuzzm, the first binary-only fuzzer for WebAssembly, which found dozens of crashes in real-world binaries and prevented exploits with low runtime overhead.
WebAssembly binaries are often compiled from memory-unsafe languages, such as C and C++. Because of WebAssembly's linear memory and missing protection features, e.g., stack canaries, source-level memory vulnerabilities are exploitable in compiled WebAssembly binaries, sometimes even more easily than in native code. This paper addresses the problem of detecting such vulnerabilities through the first binary-only fuzzer for WebAssembly. Our approach, called Fuzzm, combines canary instrumentation to detect overflows and underflows on the stack and the heap, an efficient coverage instrumentation, a WebAssembly VM, and the input generation algorithm of the popular AFL fuzzer. Besides as an oracle for fuzzing, our canaries also serve as a stand-alone binary hardening technique to prevent the exploitation of vulnerable binaries in production. We evaluate Fuzzm with 28 real-world WebAssembly binaries, some compiled from source and some found in the wild without source code. The fuzzer explores thousands of execution paths, triggers dozens of crashes, and performs hundreds of program executions per second. When used for binary hardening, the approach prevents previously published exploits against vulnerable WebAssembly binaries while imposing low runtime overhead.