Using WASI Calls to Identify Threats in WebAssembly Applications
Abstract
WebAssembly (or Wasm) is a bytecode format that has seen rapid adoption due to its good performance, compact representation, and portability. It is mostly used as a compilation target for high-level programming languages such as C, C++, Go, and Rust, and may be executed within web browsers or native runtimes. Although security is one of the design goals of WebAssembly, issues with malicious code remain, especially for web applications. In this paper, we introduce a method for anomaly-based detection of malicious Wasm binaries through dynamic analysis. We propose a classification of WASI calls – the Wasm counterpart of system calls – according to their risk and function, and use it to categorize the calls issued by Wasm binaries, which allows us to detect malicious binaries using machine learning models. Our results show that this is a promising approach for identifying malicious WebAssembly code.
