WebAssembly is the newest language for the web, aiming to enable high-performance
applications and provide languages such as C/C++ a compilation target so that they can be run
on the web. WebAssembly defines a portable binary instruction set, as well as a corresponding
textual assembly format. However, WebAssembly's syntax is difficult to interpret for human
readers because of the stack machine-based implementation. As a result, distributed third-party
WebAssembly modules need to be implicitly trusted by developers, as verifying the
functionality requires significant effort.
In this talk, I will describe my work toward building analysis tools for developers to understand
WebAssembly programs. The first section of the talk will focus on identifying the limitations of
current analysis tools: I will introduce a code obfuscation technique for obfuscating JavaScript
malware by translating parts of the computation into WebAssembly. By pinpointing the
limitations of current malware detectors, my work motivates future efforts on detecting multi-
language malware on the web that uses WebAssembly. The second section of the talk will focus
on a set of abstraction rules for WebAssembly instructions, which can be used to lift
WebAssembly to a high-level representation that abstracts the underlying semantics of the
code. We have applied the abstraction rules in detecting WebAssembly-based cryptomining
malware. Our detection relies on program semantics unique to cryptomining, which is resilient
to variants.
WebAssembly is the newest language for the web, aiming to enable high-performance
applications and provide languages such as C/C++ a compilation target so that they can be run
on the web. WebAssembly defines a portable binary instruction set, as well as a corresponding
textual assembly format. However, WebAssembly's syntax is difficult to interpret for human
readers because of the stack machine-based implementation. As a result, distributed third-party
WebAssembly modules need to be implicitly trusted by developers, as verifying the
functionality requires significant effort.
In this talk, I will describe my work toward building analysis tools for developers to understand
WebAssembly programs. The first section of the talk will focus on identifying the limitations of
current analysis tools: I will introduce a code obfuscation technique for obfuscating JavaScript
malware by translating parts of the computation into WebAssembly. By pinpointing the
limitations of current malware detectors, my work motivates future efforts on detecting multi-
language malware on the web that uses WebAssembly. The second section of the talk will focus
on a set of abstraction rules for WebAssembly instructions, which can be used to lift
WebAssembly to a high-level representation that abstracts the underlying semantics of the
code. We have applied the abstraction rules in detecting WebAssembly-based cryptomining
malware. Our detection relies on program semantics unique to cryptomining, which is resilient
to variants.