This repo contains the tooling to evaluate wasm-mutate as a software diversification tool for WebAssembly.
- Rust nightly. Install it with
rustup install nightly
. We need nightly beacuase we use someasm!
experimental features to directly write Wasm code from Rust (see How to deploy hand made Wasm code in Fastly Compute@Edge.)
host_based
: Here we add our toolingtracer
: A wasmtime based host, with fixed memory allocation and trace filtering for IntelPIN. Here we implement a shared mem communication with IntelPIN to filter out those events that are not coming from Wasm compiled code.pintool
: our pintool implementation, it works only for linux
stacking
: This is just a wrapper to create a population. Run./stacking --help
to see the options.fuzz
: Some fuzzing infrastructure to test thestacking
tool. We plan to extend this to research on differential testing. For exmple, testing what happens with parsing awat
file with two different engines.host
: An attempt to create the timer directly in the wasmtime based host instead of adding it to the WASI-libc like Swivel does.
experiments
: This folder contains our experiments, we use a K8s cluster to parallelize our experiments.
The idea is to have POC for attacks on Wasm execution scenarios. We add a diversification evaluation with wasm-mutate in the safeside as well.
We fork the original swivel repo. The patch to test diversification can be found there.
swivel-btb-exploit
: https://github.com/Jacarte/swivel-btb-exploit, important things to look at there:generate_variants.sh
,get_random_wasm.sh
,get_bandwidth.sh
.safeside
: https://github.com/Jacarte/safeside, important things to look at there:build-lucet/generate_variants.sh
,get_random_wasm.sh
,get_bandwidth.sh
Questions:
- Does it make sense as a use case to whitebox a Wasm ? Yes, distributing a signed .wasm
To reproduce this attacks and defenses. We propose to use a separated machine. For security and better measurements collection.
- White box cryptography challenges
- Compile C to Wasm
- CHES2016
- Perform attack
- Host based with wasmtime
- CHES2016
- DCA. Running wasmtime precompiled wasm
host_single/release/host_single wb_challenge.wasm
- Daredevil is able to exfiltrate the full key in around 5000 traces.
- Note: disable ASLR for better performance.
- The attack works only with PIN. It was easier for plotting and filtrating non-Wasm traces.
- DCA. Running wasmtime precompiled wasm
- CHES2016
- Host based with wasmtime
- Host based with wasmtime
- Compile C to Wasm
- Create automatic benchmark for measuring exfiltration accuracy
-
Apply wasm-mutate to victim. Measure the impact on the accuracy of the attack. Sadly :( wasm-mutate does not help in this case. - While we harden the attack, it is still possible :(
- Port contention side channel,
- Web port contention repo here, https://github.com/MIAOUS-group/web-port-contention, Can wasm-mutate protect against port-contention covert side-channels?
- CPU Port Contention Without SMT: Sources https://github.com/MIAOUS-group/port-contention-without-smt, Can wasm-mutate protect against privacy leaks?
- Create automatic benchmark for measuring exfiltration accuracy
- Apply wasm-mutate and measure accuracy