
This repo performs an experimental evaluation of the impact of wasm-mutate on cache timing side-channel attacks. We use the same POCs as Swivel.


ASSERT-KTH/tawasco


This repo contains the tooling to evaluate wasm-mutate as a software diversification tool for WebAssembly.

Requirements

Repository structure (the most important things to look at)

  • host_based: Here we add our tooling.
    • tracer: A wasmtime-based host with fixed memory allocation and trace filtering for IntelPIN. Here we implement shared-memory communication with IntelPIN to filter out the events that do not come from Wasm compiled code.
      • pintool: Our pintool implementation. It works only on Linux.
    • stacking: This is just a wrapper to create a population. Run ./stacking --help to see the options.
    • fuzz: Some fuzzing infrastructure to test the stacking tool. We plan to extend this to research on differential testing, for example, testing what happens when parsing a wat file with two different engines.
    • host: An attempt to create the timer directly in the wasmtime-based host instead of adding it to the WASI-libc like Swivel does.
  • experiments: This folder contains our experiments. We use a K8s cluster to parallelize them.

POCs

The idea is to have POCs for attacks on Wasm execution scenarios. We add a diversification evaluation with wasm-mutate in the safeside as well.

Roadmap for Swivel ones

We fork the original Swivel repo. The patch to test diversification can be found there.

Roadmap for whitebox crypto challenges

Questions:

  • Does it make sense as a use case to whitebox a Wasm binary? Yes, distributing a signed .wasm.

To reproduce these attacks and defenses, we propose using a separate machine, both for security and for better collection of measurements.

  • White box cryptography challenges
    • Compile C to Wasm
      • CHES2016
    • Perform attack
      • Host based with wasmtime
        • CHES2016
          • DCA. Running the wasmtime precompiled wasm: host_single/release/host_single wb_challenge.wasm
          • Daredevil is able to exfiltrate the full key in around 5000 traces.
          • Note: disable ASLR for better performance.
          • The attack works only with PIN. It was easier for plotting and filtering non-Wasm traces.
      • Host based with wasmtime
  • Create automatic benchmark for measuring exfiltration accuracy
  • Apply wasm-mutate to victim. Measure the impact on the accuracy of the attack. Sadly :( wasm-mutate does not help in this case.
  • While we harden the attack, it is still possible :(
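
A sketch of the accuracy benchmark listed in the roadmap above, as an added example that is not code from this repository: it scores key guesses per trace budget for the original binary and a wasm-mutate variant, then checks whether the variant raised the number of traces needed. The key, the variant names and the result records are constructed, and the record layout is an assumption.

```python
from collections import defaultdict

# Constructed 16-byte ground-truth key (not from the repository).
TRUE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed records: (variant, traces used, key guess reported by the analysis).
RESULTS = [
    ("original", 1000, "000102ff0405060708090a0b0c0d0eff"),
    ("original", 5000, "000102030405060708090a0b0c0d0e0f"),
    ("mutated-1", 1000, "00ff02ff04050607ff090a0b0c0d0eff"),
    ("mutated-1", 5000, "000102030405060708090a0b0c0d0e0f"),
]

def byte_accuracy(true_key: bytes, guess: bytes) -> float:
    """Fraction of key bytes guessed correctly, position by position."""
    if len(true_key) != len(guess):
        raise ValueError("key and guess differ in length")
    return sum(a == b for a, b in zip(true_key, guess)) / len(true_key)

def summarize(results, true_key):
    """Per variant: accuracy at each trace budget, and the smallest budget
    that recovers the full key (None if no tested budget does)."""
    per_variant = defaultdict(dict)
    for variant, n_traces, guess_hex in results:
        guess = bytes.fromhex(guess_hex)
        per_variant[variant][n_traces] = byte_accuracy(true_key, guess)
    summary = {}
    for variant, acc in per_variant.items():
        full = [n for n, a in sorted(acc.items()) if a == 1.0]
        summary[variant] = {
            "accuracy": dict(sorted(acc.items())),
            "traces_to_full_key": full[0] if full else None,
        }
    return summary

def diversification_helped(summary, baseline="original"):
    """A variant helps only if the baseline leaks the full key and the variant
    needs more traces, or never leaks it within the tested budgets."""
    base = summary[baseline]["traces_to_full_key"]
    verdict = {}
    for variant, stats in summary.items():
        if variant == baseline:
            continue
        needed = stats["traces_to_full_key"]
        verdict[variant] = base is not None and (needed is None or needed > base)
    return verdict

if __name__ == "__main__":
    report = summarize(RESULTS, TRUE_KEY)
    print(report)
    print(diversification_helped(report))
```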

Roadmap browser
