Security Papers in WebAssembly

This repository contains a curated collection of research papers on security topics related to WebAssembly, sourced from top-tier Software Engineering and Security conferences. The aim is to ensure comprehensive coverage of significant publications in the field.

Organizing a literature review for my thesis has been challenging. To streamline the process, I've created this repository to categorize relevant papers. Special thanks to Jianing for providing the initial list of papers.

Table of contents

• Security-Papers-in-WebAssembly
  • Table of contents
  • SoK, Empirical Study, and Survey
  • WASM Binary
    • Protection and Hardening
    • Fuzzing (WASM Binary)
    • Dynamic Analysis (Other than fuzzing)
    • SAST (WASM Binary)
    • Obfuscation and Detection Evasion
    • Reverse Engineering
    • Rewriting
    • Porting Issues
  • WASM Runtime and Compiler
    • SFI
    • Fuzzing and Differential Testing (WASM Runtime)
    • SAST (WASM Runtime)
    • Efficiency
  • Applications in Security

SoK, Empirical Study, and Survey

• Harnes, Håkon, and Donn Morrison. "SoK: Analysis Techniques for WebAssembly.", Future Internet, 2024.
• Runtime Wang, Yue, et al. "A Comprehensive Study of WebAssembly Runtime Bugs.", SANER, 2023.
• Hilbig, Aaron, Daniel Lehmann, and Michael Pradel. "An empirical study of real-world webassembly binaries: Security, languages, use cases.", WWW, 2021.
• Compiler Romano, Alan, et al. "An empirical study of bugs in webassembly compilers.", ASE, 2021.
• Lehmann, Daniel, Johannes Kinder, and Michael Pradel. "Everything old is new again: Binary security of WebAssembly.", USENIX Security, 2020.
• Musch, Marius, et al. "New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild.", DIMVA, 2019.

WASM Binary

Protection and Hardening

• Cabrera-Arteaga, Javier, et al. "Wasm-Mutate: Fast and effective binary diversification for WebAssembly.", Computers & Security, 2024.
• Rao, Xiaojia, et al. "Iris-wasm: Robust and modular verification of webassembly programs.", PLDI, 2023.
• Stiévenart, Quentin, Coen De Roover, and Mohammad Ghafari. "The security risk of lacking compiler protection in WebAssembly.", QRS, 2021.
• Narayan, Shravan, et al. "Swivel: Hardening WebAssembly against spectre.", USENIX Security, 2021.
• Watt, Conrad, et al. "Ct-wasm: type-driven secure cryptography for the web ecosystem.", POPL, 2019.
• Watt, Conrad, Andreas Rossberg, and Jean Pichon-Pharabod. "Weakening webassembly.", OOPSLA, 2019.
• Sun, Jian, et al. "SELWasm: A Code Protection Mechanism for WebAssembly.", ISPA, 2019.

Fuzzing

• Lehmann, Daniel, Martin Toldam Torp, and Michael Pradel. "Fuzzm: Finding memory bugs through binary-only instrumentation and fuzzing of webassembly.", arXiv preprint, 2021.

Dynamic Analysis

• Lehmann, Daniel, and Michael Pradel. "Wasabi: A framework for dynamically analyzing webassembly.", ASPLOS, 2019.
• Fu, William, Raymond Lin, and Daniel Inge. "Taintassembly: Taint-based information flow control tracking for webassembly.", arXiv preprint, 2018.

SAST

• Chen, Weimin, et al. "Wasai: uncovering vulnerabilities in wasm smart contracts.", ISSTA, 2022.
• Brito, Tiago, et al. "Wasmati: An efficient static vulnerability scanner for WebAssembly." Computers & Security, 2022.
• He, Ningyu, et al. "EOSAFE: Security analysis of EOSIO smart contracts.", USENIX Security, 2021.
• Lopes, Pedro Daniel Rogeiro. "Discovering vulnerabilities in webassembly with code property graphs.", Técnico Lisboa, 2021.
• Stiévenart, Quentin, and Coen De Roover. "Compositional information flow analysis for WebAssembly programs.", SCAM, 2020.

Obfuscation and Detection Evasion

• Harnes H, Morrison D. "Cryptic Bytes: WebAssembly Obfuscation for Evading Cryptojacking Detection", arXiv preprint, 2024.
• Cao, Shangtong, et al. "WASMixer: Binary Obfuscation for WebAssembly", ESORICS, 2024
• Cabrera-Arteaga, Javier, et al. "WebAssembly diversification for malware evasion.", Computers & Security, 2023.
• Loose, Nils, et al. "Madvex: Instrumentation-Based Adversarial Attacks on Machine Learning Malware Detection.", DIMVA, 2023.
• Bhansali, Shrenik, et al. "A first look at code obfuscation for webassembly.", WiSec, 2022.

Malware Detection

• Xia, Yifan, et al. "Static Semantics Reconstruction for Enhancing JavaScript-WebAssembly Multilingual Malware Detection.", ESORICS, 2023.
• Naseem, Faraz Naseem, et al. "MINOS: A Lightweight Real-Time Cryptojacking Detection System.", NDSS, 2021.

Reverse Engineering

• WasmRev Huang H, Zhao J. "Multi-modal Learning for WebAssembly Reverse Engineering", ISSTA, 2024.
• Lehmann, Daniel, and Michael Pradel. "Finding the dwarf: recovering precise types from WebAssembly binaries.", PLDI, 2022.
• Lehmann, Daniel, et al. "That’s a Tough Call: Studying the Challenges of Call Graph Construction for WebAssembly.", ISSTA, 2023.
• Romano, Alan, and Weihang Wang. "Automated WebAssembly Function Purpose Identification With Semantics-Aware Analysis.", WWW, 2023.

Slicing

• Stiévenart, Quentin, David W. Binkley, and Coen De Roover. "Static stack-preserving intra-procedural slicing of webassembly binaries.", ICSE, 2022.

Rewriting

• Cao, Shangtong, et al. "A General Static Binary Rewriting Framework for WebAssembly.", SAS, 2023.

Porting Issues

• Stiévenart, Quentin, Coen De Roover, and Mohammad Ghafari. "Security risks of porting c programs to WebAssembly.", SAC. 2022.

WASM Runtime and Compiler

SFI

• Crocus VanHattum, Alexa, et al. "Lightweight, Modular Verification for WebAssembly-to-Native Instruction Selection.", ASPLOS, 2024.
• PKUWA MPK Runtime Lei, Hanwen, et al. "Put Your Memory in Order: Efficient Domain-based Memory Isolation for WASM Applications.", CCS, 2023.
• Runtime Johnson, Evan, et al. "WaVe: a verifiably secure WebAssembly sandboxing runtime.", S&P, 2023.
• Kolosick, Matthew, et al. "Isolation without taxation: near-zero-cost transitions for webassembly and sfi.", POPL, 2022.
• Bosamiya, Jay, Wen Shih Lim, and Bryan Parno. "Provably-Safe Multilingual Software Sandboxing using WebAssembly.", USENIX Security, 2022.
• Johnson, Evan, et al. "Доверяй, но проверяй: SFI safety for native-compiled Wasm.", NDSS, 2021.
• Narayan, Shravan, et al. "Retrofitting fine grain isolation in the Firefox renderer.", USENIX Security, 2020.

Fuzzing and Differential Testing

• Han, Jideng, et al. "ESFuzzer: An Efficient Way to Fuzz WebAssembly Interpreter.", Electronics, 2024
• Efficiency WarpDif Jiang, Shuyao, et al. "Revealing Performance Issues in Server-side WebAssembly Runtimes via Differential Testing.", ASE, 2023.
• Zhou, Shiyao, et al. "WADIFF: A Differential Testing Framework for WebAssembly Runtimes.", ASE, 2023.
• Cao, Shangtong, et al. "WRTester: Differential Testing of WebAssembly Runtimes via Semantic-aware Binary Generation.", arXiv preprint, 2023.
• Jiang, Bo, et al. "Wasmfuzzer: A fuzzer for webassembly virtual machines.", SEKE, 2022.

SAST for Runtimes

• Zhang, Yixuan, et al. "Characterizing and detecting webassembly runtime bugs.", TSEM, 2023.

Efficiency

• WasmFX Phipps-Costin, Luna, et al. "Continuing WebAssembly with Effect Handlers.", OOPSLA, 2023.
• Watt, Conrad, et al. "WasmRef-Isabelle: A Verified Monadic Interpreter and Industrial Fuzzing Oracle for WebAssembly.", PLDI, 2023.
• Romano, Alan, and Weihang Wang. "When Function Inlining Meets WebAssembly: Counterintuitive Impacts on Runtime Performance.", FSE, 2023.
• Liu, Zhibo, et al. "Exploring missed optimizations in webassembly optimizers.", ISSTA, 2023.
• Titzer, Ben L. "A fast in-place interpreter for WebAssembly.", OOPSLA, 2022.
• Jangda, Abhinav, et al. "Not so fast: Analyzing the performance of WebAssembly vs. native code.", USENIX ATC, 2019.

Applications in Security

*There are a lot of papers in this direction that are not listed in this repo.

• Wang, Yuanpeng, et al. "Symgx: Detecting cross-boundary pointer vulnerabilities of sgx applications via static symbolic execution.", CCS, 2023
• He, Ningyu, et al. "Eunomia: enabling user-specified fine-grained search in symbolically executing WebAssembly binaries.", ISSTA, 2023.
• Romano, Alan, et al. "Wobfuscator: Obfuscating javascript malware via opportunistic translation to webassembly.", S&P, 2022.