By Christophe Alladoum
In March 2017, the World Wide Web Consortium released the stable specification for a new web format, called WebAssembly (or WASM), a new standard for executing code inside modern browsers, with performance close to that of native execution.
To achieve such high performance, the coder compiles her program from a high-level language (like C or Rust) into WASM bytecode. While parsing the bytecode, web browsers compile the WASM bytecode into code that’s native to the platform in which the browser runs, which is far closer to pure native execution in performance than something like JavaScript could produce.
Today, this format is embedded in all major web browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari, on all platforms (PC/Mac, phones, tablets). And because of its architecture, WebAssembly can also be implemented outside of the browser.
SophosLabs decided to investigate this new format, with a focus on assessing the overall security of both the specification, and its implementation in web browsers.
I presented the research at the ShakaCon 2018 conference in Honolulu. The talk from ShakaCon was also uploaded to YouTube. You can also download the paper here.