By Christophe Alladoum
In March 2017, the World Wide Web Consortium released the stable specification for a new web format, called WebAssembly (or WASM), a new standard for executing code inside modern browsers, with performance close to that of native execution.
Today, this format is embedded in all major web browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari, on all platforms (PC/Mac, phones, tablets). And because of its architecture, WebAssembly can also be implemented outside of the browser.
SophosLabs decided to investigate this new format, with a focus on assessing the overall security of both the specification, and its implementation in web browsers.
I presented the research at the ShakaCon 2018 conference in Honolulu. The talk from ShakaCon was also uploaded to YouTube. You can also download the paper here.