WASM-Papers/wasm-papers.github.io

WasmSec — WebAssembly Security Papers

A curated collection of academic papers covering the intersection of WebAssembly and security, from memory safety and sandboxing to malware detection, formal verification, program analysis, dataset generation, and side-channel attacks.

Live site: wasm-papers.github.io


About

WebAssembly (Wasm) is a production runtime powering some of the world's most critical applications: Photoshop, Figma, AutoCAD, Google Earth, Cloudflare Workers, Zoom, and many more. Its promise of near-native performance in a portable, sandboxed format has driven rapid adoption across browsers, edge computing, IoT, and serverless platforms.

Despite its sandboxing design, WebAssembly introduces a range of security concerns, such as memory corruption from C/C++ source, cryptojacking, malware obfuscation, Spectre-style side channels, runtime bugs, and the absence of default mitigations like stack canaries or ASLR.

This repository tracks academic research addressing these challenges. All papers have been manually reviewed and selected based on direct relevance to WebAssembly security.


Papers

Surveys & Empirical Studies

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| SoK: Analysis Techniques for WebAssembly | Harnes, Morrison | arXiv | 2024 | PDF | |
| WebAssembly and Security: a review | Perrone, Romano | arXiv | 2024 | PDF | |
| Avengers, Assemble! Survey of WebAssembly Security Solutions | Kim, Jang, Shin | IEEE CLOUD 2022 | 2022 | PDF | |
| New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild | Musch, Wressnegger, Johns, Rieck | DIMVA 2019 | 2019 | PDF | |
| An Empirical Study of Real-World WebAssembly Binaries | Hilbig, Lehmann | WWW 2021 | 2021 | PDF | |
| Characterizing and Detecting WebAssembly Runtime Bugs | Zhang et al. | ACM TOSEM | 2023 | PDF | |
| A Comprehensive Study of WebAssembly Runtime Bugs | Wang et al. | IEEE SANER 2023 | 2023 | PDF | |
| An Empirical Study of Bugs in WebAssembly Compilers | Romano, Liu, Kwon, Wang | IEEE ASE 2021 | 2021 | PDF | Code |
| Intel Software Guard Extensions Applications: A Survey | Will, Maziero | ACM Computing Surveys | 2023 | | |
| WebAssembly across Platforms: Running Native Apps in the Browser, Cloud, and Edge | Rusum | IJETCSIT | 2022 | | |
| Wasmizer: Curating WebAssembly-driven Projects on GitHub | Nicholson et al. | arXiv | 2023 | PDF | Code |

Memory Safety & Binary Security

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Everything Old is New Again: Binary Security of WebAssembly | Lehmann, Kinder, Pradel | USENIX Security 2020 | 2020 | PDF | Code |
| MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code | Michael et al. | arXiv | 2026 | PDF | |
| Iris-MSWasm: Elucidating and Mechanising the Security Invariants of Memory-Safe WebAssembly | Legoupil et al. | OOPSLA 2024 | 2024 | PDF | Code |
| Position Paper: Progressive Memory Safety for WebAssembly | Disselkoen, Renner, Garfinkel, Levy | HASP 2019 | 2019 | PDF | |
| Memory Safety Preservation for WebAssembly | Vassena | arXiv | 2019 | PDF | |
| Security Risks of Porting C Programs to WebAssembly | Stiévenart, De Roover, Ghafari | arXiv | 2021 | PDF | |
| The Security Risk of Lacking Compiler Protection in WebAssembly | Stiévenart, Ghafari, De Roover | arXiv | 2021 | PDF | |
| Bringing Binary Exploitation at Port 80: Understanding C Vulnerabilities in WebAssembly | Massidda et al. | SECRYPT 2024 | 2024 | PDF | |
| An Analysis of Modern Web Security Vulnerabilities Inside WebAssembly Applications | Corrias et al. | arXiv | 2026 | PDF | Code |
| WASP: Stack protection for WebAssembly | Massey, Olivier | Journal of Systems Architecture | 2026 | PDF | Code |
| Defending Buffer Overflows in WebAssembly: A Transpiler Approach | Feng | arXiv | 2026 | PDF | |
| RichWasm: Safe, Fine-Grained, Shared-Memory Interoperability in WebAssembly | Paraskevopoulou et al. | arXiv | 2024 | PDF | Code |
| Indexed Types for a Statically Safe WebAssembly | Geller, Frank, Bowman | POPL 2024 | 2024 | PDF | |
| WALMA: Learning to See Memory Corruption in WebAssembly | Draissi, Sadeghi | arXiv | 2026 | PDF | |
| Wemby's Web: Hunting for Memory Corruption in WebAssembly | Draissi et al. | ISSTA 2025 | 2025 | PDF | Code |

Sandboxing & Isolation

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Provably-Safe Multilingual Software Sandboxing using WebAssembly | Bosamiya, Lim, Parno | USENIX Security 2022 | 2022 | PDF | Code |
| WaVe: a verifiably secure WebAssembly sandboxing runtime | Johnson et al. | IEEE S&P 2023 | 2023 | PDF | Code |
| SFI safety for native-compiled Wasm (VeriWasm) | Johnson et al. | NDSS 2021 | 2021 | PDF | Code |
| Gobi: WebAssembly as a Practical Path to Library Sandboxing | Narayan et al. | arXiv | 2019 | PDF | |
| Put Your Memory in Order: Efficient Domain-based Memory Isolation for WASM | Lei et al. | ACM CCS 2023 | 2023 | PDF | Code |
| Going beyond the Limits of SFI: Hardware-Assisted In-Process Isolation with HFI | Narayan et al. | ASPLOS 2023 | 2023 | PDF | Code |
| Donky: Domain Keys — Efficient In-Process Isolation for RISC-V and x86 | Schrammel et al. | USENIX Security 2020 | 2020 | PDF | Code |
| WASHADOW: Protecting WebAssembly Memory Through VM-Aware Shadow Memory | Jiang, Hua | IEEE TrustCom 2024 | 2024 | PDF | |
| WASMSEPA: Effectively Protecting WebAssembly Through Privilege Separation | Jiang, Hua | IEEE QRS 2025 | 2025 | PDF | |
| VMCANARY: Effective Memory Protection for WebAssembly via VM-assisted Approach | Zhang et al. | IEEE QRS 2023 | 2023 | PDF | |
| metaSafer: A Technique to Detect Heap Metadata Corruption in WebAssembly | Song, Park, Kwon | IEEE Access | 2023 | PDF | |
| CAGE: Hardware-Accelerated Safe WebAssembly | Fink et al. | arXiv | 2024 | PDF | Code |
| POSTER: Leveraging eBPF to enhance sandboxing of WebAssembly runtimes | Abbadini et al. | EuroSys 2023 | 2023 | PDF | |
| WARD: Efficient Memory Protection for WebAssembly on Tiny Embedded Systems | Shin et al. | IEEE Access | 2026 | | |
| eWASM: Practical Software Fault Isolation for Reliable Embedded Devices | Peach et al. | IEEE TCAD | 2020 | PDF | Code |

Formal Verification & Type Systems

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Mechanising and Verifying the WebAssembly Specification | Watt | CPP 2018 | 2018 | PDF | Code |
| CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem | Watt et al. | PACMPL | 2019 | PDF | |
| A Self-certifying Compilation Framework for WebAssembly | Namjoshi, Xue | VMCAI 2021 | 2021 | PDF | Code |
| Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade | Vassena et al. | POPL 2021 | 2021 | PDF | Code |
| Indexed Types for a Statically Safe WebAssembly | Geller, Frank, Bowman | POPL 2024 | 2024 | PDF | |
| SecWasm: Information Flow Control for WebAssembly | Bastys et al. | ESORICS 2022 | 2022 | PDF | Code |
| Automated Verification for Secure Messaging Protocols and Their Implementations | Kobeissi, Bhargavan, Blanchet | IEEE EuroS&P 2017 | 2017 | PDF | |

Static Analysis & Program Analysis

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Wasmati: An Efficient Static Vulnerability Scanner for WebAssembly | Brito, Santos | arXiv | 2022 | PDF | |
| WasmA: A Static WebAssembly Analysis Framework for Everyone | Breitfelder et al. | IEEE SANER 2023 | 2023 | PDF | |
| WASSAIL: a WebAssembly Static Analysis Library | Stiévenart | ProWeb 2021 | 2021 | | Code |
| Compositional Information Flow Analysis for WebAssembly Programs | Stiévenart, De Roover | SCAM 2020 | 2020 | PDF | Code |
| Static Stack-Preserving Intra-Procedural Slicing of WebAssembly | Stiévenart, Binkley | ICSE 2022 | 2022 | PDF | |
| That's a Tough Call: Challenges of Call Graph Construction for WebAssembly | Lehmann, Tip | ISSTA 2023 | 2023 | PDF | |
| BREWASM: A General Static Binary Rewriting Framework for WebAssembly | Cao et al. | arXiv | 2023 | PDF | Code |
| Discovering Vulnerabilities in WebAssembly with Code Property Graphs | Lopes | IST Master's Thesis | 2020 | PDF | |

Fuzzing & Dynamic Analysis

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| WAFL: Binary-Only WebAssembly Fuzzing with Fast Snapshots | Haßler, Maier | ROOTS 2021 | 2021 | PDF | Code |
| Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly | Lehmann, Torp | arXiv | 2021 | PDF | |
| WBSan: WebAssembly Bug Detection for Sanitization and Binary-Only Fuzzing | Wu et al. | WWW 2025 | 2025 | PDF | |
| WRTESTER: Differential Testing of WebAssembly Runtimes via Semantic-aware Binary Generation | Cao et al. | arXiv | 2023 | PDF | |
| WASMaker: Differential Testing of WebAssembly Runtimes via Semantic-Aware Binary Generation | Cao et al. | ISSTA 2024 | 2024 | PDF | Code |
| WADIFF: A Differential Testing Framework for WebAssembly Runtimes | Zhou et al. | IEEE ASE 2023 | 2023 | PDF | |
| Wapplique: Testing WebAssembly Runtime via Execution Context-Aware Bytecode Mutation | Zhao, Zeng | ISSTA 2024 | 2024 | PDF | |
| DRWASI: LLM-assisted Differential Testing for WebAssembly System Interface Implementations | Zhang et al. | ACM TOSEM | 2026 | PDF | |
| ESFuzzer: An Efficient Way to Fuzz WebAssembly Interpreter | Han et al. | Electronics | 2024 | PDF | |
| FreeWavm: Enhanced WebAssembly Runtime Fuzzing via Parse Tree Mutation and Snapshot | Qian et al. | ISSTA 2025 | 2025 | PDF | Code |
| WAGEN: Detecting WebAssembly Runtime Bugs With Grammar-Guided Program Mutation | Lu et al. | IEEE Trans. Reliability | 2025 | PDF | |
| WASMDYPA: Effectively Detecting WebAssembly Bugs via Dynamic Program Analysis | Zheng, Hua | IEEE SANER 2024 | 2024 | PDF | |
| Wasabi: A Framework for Dynamically Analyzing WebAssembly | Lehmann, Pradel | ASPLOS 2019 | 2019 | PDF | Code |
| Wasm-R3: Record-Reduce-Replay for Realistic and Standalone WebAssembly Benchmarks | Baek et al. | arXiv | 2024 | PDF | Code |
| WEST: Specification-Based Test Generation for WebAssembly | Youn, Shin, Ryu | ASE 2025 | 2025 | PDF | |

Cryptojacking Detection & Defense

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense | Konoth et al. | ACM CCS 2018 | 2018 | PDF | Code |
| MinerRay: Semantics-Aware Analysis for Ever-Evolving Cryptojacking Detection | Romano, Zheng, Wang | ASE 2020 | 2020 | PDF | Code |
| MINOS: A Lightweight Real-Time Cryptojacking Detection System | Naseem et al. | NDSS 2021 | 2021 | PDF | |
| POSTER: Detecting WebAssembly-based Cryptocurrency Mining | Bian, Meng, Wang | ACM CCS 2019 | 2019 | PDF | |
| MineThrottle: Defending against Wasm In-Browser Cryptojacking | Bian, Meng, Zhang | WWW 2020 | 2020 | PDF | Code |
| Outguard: Detecting In-Browser Covert Cryptocurrency Mining in the Wild | Kharraz et al. | WWW 2019 | 2019 | PDF | Code |
| JABBERWOCK: A Tool for WebAssembly Dataset Generation and Malicious Website Detection | Komiya et al. | IPSJ JIP | 2024 | PDF | Code |
| WASim: Understanding WebAssembly Applications through Classification | Romano, Wang | ASE 2020 | 2020 | PDF | Code |

Obfuscation & Malware Evasion

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Wobfuscator: Obfuscating JavaScript Malware via Opportunistic Translation to WebAssembly | Romano et al. | IEEE S&P 2022 | 2022 | PDF | Code |
| WASMixer: Binary Obfuscation for WebAssembly | Cao et al. | arXiv | 2023 | PDF | Code |
| A First Look at Code Obfuscation for WebAssembly | Bhansali et al. | WiSec 2022 | 2022 | PDF | |
| Madvex: Instrumentation-based Adversarial Attacks on ML Malware Detection | Loose et al. | DIMVA 2023 | 2023 | PDF | |
| WebAssembly Diversification for Malware Evasion | Cabrera-Arteaga et al. | arXiv | 2022 | PDF | Code |
| CROW: Code Diversification for WebAssembly | Cabrera Arteaga et al. | arXiv | 2021 | PDF | |
| WASM-MUTATE: Fast and Effective Binary Diversification for WebAssembly | Cabrera-Arteaga et al. | arXiv | 2023 | PDF | |
| Deceptive bytes: In-depth Evaluation of WebAssembly Obfuscation for Evading Crypto Mining Detection | Harnes | NTNU Master's Thesis | 2023 | | Code |
| CRYPTIC BYTES: WebAssembly Obfuscation for Evading Cryptojacking Detection | Harnes, Morrison | arXiv | 2024 | PDF | |
| SELWasm: A Code Protection Mechanism for WebAssembly | Sun et al. | IEEE ISPA 2019 | 2019 | PDF | |
| AndroWasm: Empirical Study on Android Malware Obfuscation through WebAssembly | Soi et al. | arXiv | 2026 | PDF | |
| The WASM Cloak: Evaluating Browser Fingerprinting Defenses Under WebAssembly Obfuscation | Sakib et al. | arXiv | 2025 | PDF | |

Side-Channel & Spectre Attacks

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Swivel: Hardening WebAssembly against Spectre | Narayan et al. | USENIX Security 2021 | 2021 | PDF | Code |
| Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly | Tsoupidi, Balliu, Baudry | arXiv | 2021 | PDF | Code |
| Lurking Eyes: Detecting Side-Channel Attacks on JavaScript and WebAssembly | Mazaheri et al. | ISCISC 2020 | 2020 | PDF | |
| Rapid Prototyping for Microarchitectural Attacks | Easdon et al. | USENIX Security 2022 | 2022 | PDF | Code |

Trusted Execution Environments (TEE / SGX)

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| EDGEDANCER: Secure Mobile WebAssembly Services on the Edge | Nieke, Almstedt, Kapitza | EdgeSys 2021 | 2021 | PDF | |
| WATZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for TrustZone | Ménétrey et al. | ICDCS 2022 | 2022 | PDF | Code |
| A Comprehensive Trusted Runtime for WebAssembly with Intel SGX (TWINE) | Ménétrey et al. | IEEE TDSC | 2023 | PDF | |
| TWINE: An Embedded Trusted Runtime for WebAssembly | Ménétrey et al. | IEEE ICDE 2021 | 2021 | PDF | Code |
| AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting | Goltzsche et al. | Middleware 2019 | 2019 | PDF | |
| SYMGX: Detecting Cross-boundary Pointer Vulnerabilities of SGX Applications | Wang et al. | ACM CCS 2023 | 2023 | PDF | Code |
| Fuzzing SGX Enclaves via Host Program Mutations | Khan et al. | IEEE EuroS&P 2023 | 2023 | PDF | Code |

Smart Contracts & Blockchain

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| WASAI: Uncovering Vulnerabilities in Wasm Smart Contracts | Chen et al. | ISSTA 2022 | 2022 | PDF | |
| WANA: Symbolic Execution of Wasm Bytecode for Cross-Platform Smart Contract Vulnerability Detection | Wang, Jiang, Chan | arXiv | 2020 | PDF | Code |
| EVulHunter: Detecting Fake Transfer Vulnerabilities for EOSIO's Smart Contracts at Webassembly-level | Quan, Wu, Wang | arXiv | 2019 | PDF | Code |

Browser Security & Web Attacks

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| RØB: Ransomware over Modern Web Browsers | Oz et al. | USENIX Security 2023 | 2023 | PDF | Code |
| FP-tracer: Fine-grained Browser Fingerprinting Detection via Taint-tracking | Boussaha et al. | PoPETs 2024 | 2024 | PDF | Code |
| WasmView: Visual Testing for WebAssembly Applications | Romano, Wang | ICSE-Companion 2020 | 2020 | PDF | Code |
| WASMEYE: Language- and Platform-Independent Anomaly Detection for WebAssembly | Vogel et al. | Middleware 2025 | 2025 | PDF | |

Taint Tracking & Information Flow

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| TaintAssembly: Taint-Based Information Flow Control Tracking for WebAssembly | Fu, Lin, Inge | arXiv | 2018 | | Code |
| Taint Tracking for WebAssembly | Szanto, Tamm, Pagnoni | arXiv | 2018 | | |
| SecWasm: Information Flow Control for WebAssembly | Bastys et al. | ESORICS 2022 | 2022 | PDF | Code |

Reverse Engineering & Program Understanding

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| Finding the Dwarf: Recovering Precise Types from WebAssembly Binaries | Lehmann, Pradel | PLDI 2022 | 2022 | PDF | |
| Multi-modal Learning for WebAssembly Reverse Engineering | Huang, Zhao | ISSTA 2024 | 2024 | PDF | |
| WADEC: Decompiling WebAssembly Using Large Language Model | She, Zhao | arXiv | 2024 | PDF | Code |
| Automated WebAssembly Function Purpose Identification With Semantics-Aware Analysis | Romano, Wang | WWW 2023 | 2023 | PDF | |
| WasmWalker: Path-based Code Representations for Improved WebAssembly Program Analysis | Robati Shirzad, Lam | arXiv | 2024 | PDF | |

IoT & Embedded Systems

| Title | Authors | Venue | Year | Paper | Code |
| --- | --- | --- | --- | --- | --- |
| WARDuino: A Dynamic WebAssembly Virtual Machine for Programming Microcontrollers | Gurdeep Singh, Scholliers | MPLR 2019 | 2019 | PDF | |
| Aerogel: Lightweight Access Control for WebAssembly-Based Bare-Metal IoT Devices | Liu, Garcia, Srivastava | IEEE/ACM SEC 2021 | 2021 | PDF | |
| WARD: Efficient Memory Protection for WebAssembly on Tiny Embedded Systems | Shin et al. | IEEE Access | 2026 | | |
| eWASM: Practical Software Fault Isolation for Reliable Embedded Devices | Peach et al. | IEEE TCAD | 2020 | PDF | Code |
| Exploring and Exploiting the Resource Isolation Attack Surface of WebAssembly Containers | Yu et al. | USENIX Security 2025 | 2025 | PDF | Code |
| Towards Least-Privilege WebAssembly Applications | Blaak, Van Cutsem | Programming 2026 | 2026 | PDF | |

Contributing

Found a paper missing? Spotted an error?

Submit via our Google Form


Disclaimer

All paper entries were imported manually. I apologize if any paper has been misrepresented. Please raise an issue or use the form above to report mistakes.


Maintained by

@dhruthan
