PACSEC 2020 DOJO
Web Assembly Security
Instructor: Patrick Ventuzelo
November 10-13 (8am-12:30pm PST)
Patrick Ventuzelo
Patrick Ventuzelo is a French independent security researcher specializing in fuzzing, vulnerability research, reverse engineering and program analysis on WebAssembly, Rust and Golang targets.
Patrick is the author of Octopus, an open-source security analysis tool for WebAssembly and blockchain smart-contract bytecode. He also develops WARF, an open-source fuzzing project that finds bugs inside WebAssembly VMs, runtimes and parsers using multiple fuzzing techniques.
Previously, he worked for Quoscient GmbH, P1 Security, the French Department of Defense and Airbus D&S Cybersecurity.
Patrick is a regular speaker and trainer at various security conferences around the globe, including RingZer0, REcon Montreal/Brussels, ToorCon, hack.lu, NorthSec, SSTIC, FIRST, Microsoft DCC, BlackAlps, etc.
Course Schedule
November 10-13, 8am - 12:30pm PST
Course Abstract
WebAssembly (WASM) is a binary instruction format developed as an open standard and supported by all major web browsers, including Firefox, Chrome, WebKit/Safari and Microsoft Edge. The format was designed to be "efficient and fast", "debuggable" and "safe", and is often called a game changer for the web.
WebAssembly is beginning to be used everywhere and for everything:
Web-browsers (Desktop & Mobile)
Servers/websites (Node.js, React, Qt, Electron, Cloudflare Workers)
Video games (Unity, UE4)
Blockchain platforms (EOS, Ethereum, Dfinity)
Cryptojacking (Coinhive, Cryptoloot)
Kernel-space runtimes (Cervus, Nebulet)
... and more
This course will give you all the prerequisites to understand what a WebAssembly module is and how its associated runtime virtual machine works. At the end of four intensive days, you will be able to statically and dynamically reverse engineer a WebAssembly module, analyze its behavior, write specific detection rules and search for vulnerabilities. You will discover which security measures the WebAssembly VM implements to validate modules and to handle traps and exceptions. Finally, you will search for vulnerabilities inside WebAssembly VMs (web browsers, standalone VMs) using mutation-based and generation-based fuzzing techniques. Students will work through many hands-on exercises that let them internalize the concepts and techniques taught in class.
Course Pre-requisites
Basic knowledge of reverse engineering concepts.
Familiarity with scripting (Python, Bash).
Familiarity with C/C++ or Rust programming.
Course Learning Objectives
Learn what WebAssembly is and what's inside a WebAssembly module.
Discover the architecture of the WebAssembly virtual machine.
Learn how to statically and dynamically analyze real-life WASM modules.
Discover how to hack video games running in your browser using WebAssembly.
Learn how to find vulnerabilities inside WebAssembly modules and how to exploit them.
Study the module validation mechanism and how to bypass it.
Learn how to apply mutation, grammar and evolutionary fuzzing to WebAssembly VMs.
Discover how WebAssembly can help you in your day-to-day security work.
Who Should Attend
This class is meant for everyone who wants a deeper understanding of how WebAssembly works: malware analysts dealing with cryptominers, professional pentesters planning to audit WebAssembly modules, developers or students looking to add WebAssembly to their skill set, blockchain auditors auditing EOS or Ethereum 2.0 smart contracts, and vulnerability researchers looking for new targets (such as web browsers) will all benefit from this course.
Course Agenda
Day 1: WebAssembly Reversing
Introduction to WebAssembly
WebAssembly VM architecture and toolchains
Writing examples in C/C++/Rust/C#
Module debugging
WASM binary format (header, sections, etc.)
WebAssembly Text Format (wat/wast)
WebAssembly instruction set
Writing examples using WASM Text format
Reversing WebAssembly module
CFG and CallGraph reconstruction
DataFlowGraph analysis
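As an added illustration of the Day 1 binary-format topic (this is example code written for this page, not part of the course materials), the walker below reads the eight-byte header (magic `\0asm`, little-endian version 1) and then the sequence of `<id><u32 LEB128 size><contents>` sections, applying the structural checks a VM performs before it decodes any section body: known section ids, sizes that stay inside the buffer, and non-custom sections appearing at most once in their mandated order. The embedded module is constructed by hand and exports a single `add(i32, i32) -> i32` function.

```python
"""Walk the section table of a WebAssembly binary module (added example)."""
import struct

MAGIC = b"\x00asm"
VERSION = 1

SECTION_NAMES = {
    0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
    5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
    10: "code", 11: "data", 12: "datacount",
}
# Required order of non-custom sections (datacount precedes code).
SECTION_RANK = {sid: i for i, sid in enumerate([1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 10, 11])}


def read_u32_leb128(data, pos):
    """Decode an unsigned LEB128 u32 at `pos`; returns (value, next_pos)."""
    result, shift = 0, 0
    for i in range(5):  # a u32 never needs more than 5 LEB128 bytes
        if pos + i >= len(data):
            raise ValueError("truncated LEB128 at offset %d" % pos)
        byte = data[pos + i]
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            if result > 0xFFFFFFFF:
                raise ValueError("u32 LEB128 out of range at offset %d" % pos)
            return result, pos + i + 1
        shift += 7
    raise ValueError("LEB128 longer than 5 bytes at offset %d" % pos)


def parse_sections(module):
    """Return [(id, name, contents_offset, size)] after validating the layout."""
    if len(module) < 8:
        raise ValueError("module shorter than the 8-byte header")
    if module[:4] != MAGIC:
        raise ValueError("bad magic %r" % module[:4])
    version = struct.unpack_from("<I", module, 4)[0]
    if version != VERSION:
        raise ValueError("unsupported version %d" % version)

    sections, pos, last_rank = [], 8, -1
    while pos < len(module):
        sec_id = module[pos]
        if sec_id not in SECTION_NAMES:
            raise ValueError("unknown section id %d at offset %d" % (sec_id, pos))
        size, contents = read_u32_leb128(module, pos + 1)
        if contents + size > len(module):
            raise ValueError("section %d at offset %d claims %d bytes, only %d remain"
                             % (sec_id, pos, size, len(module) - contents))
        if sec_id != 0:  # custom sections may appear anywhere, any number of times
            rank = SECTION_RANK[sec_id]
            if rank <= last_rank:
                raise ValueError("section %d out of order or duplicated at offset %d"
                                 % (sec_id, pos))
            last_rank = rank
        sections.append((sec_id, SECTION_NAMES[sec_id], contents, size))
        pos = contents + size
    return sections


def is_well_formed(module):
    """True if the header and section table pass the structural checks above."""
    try:
        parse_sections(module)
        return True
    except ValueError:
        return False


# Constructed sample module: (func (export "add") (param i32 i32) (result i32)
#                              local.get 0 local.get 1 i32.add)
ADD_MODULE = bytes.fromhex(
    "0061736d" "01000000"                    # magic "\0asm", version 1
    "01" "07" "0160027f7f017f"               # type:     1 functype (i32,i32)->i32
    "03" "02" "0100"                         # function: 1 func using type 0
    "07" "07" "0103616464" "0000"            # export:   "add" -> func 0
    "0a" "09" "01" "07" "00" "20002001" "6a0b"  # code: local.get 0/1, i32.add, end
)

if __name__ == "__main__":
    for sec_id, name, offset, size in parse_sections(ADD_MODULE):
        print("section %2d %-9s contents@%3d size %d" % (sec_id, name, offset, size))
```

Running it lists the four sections (type, function, export, code) with their offsets and sizes; feeding it a module with a wrong version, a section that overruns the buffer, or a function section placed before the type section makes `parse_sections` raise, which is exactly the class of edge case the course's later "WASM module validation mechanism" and "Writing edge case modules" topics exercise against real runtimes.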
Day 2: Analysis of real-life WASM modules
Module instruction analytics/metrics
WebAssembly cryptominers analysis
Pattern detection signatures (YARA rules, etc.)
Taint Tracking
Dynamic Binary Instrumentation
Bytecode (de)obfuscation techniques
Static Single Assignment and Decompilation
Real-life WASM module analysis
WebAssembly video game hacking
Day 3: WebAssembly Modules Vulnerabilities
Traps and Exception handling
WebAssembly module vulnerabilities
Integer/Stack/Heap Overflows
Advanced vulnerabilities (UaF, TOCTOU)
CFI Hijacking
Emscripten vulnerabilities
Exploiting a Node.js server running a WASM module
Vulnerability detection (Static and Dynamic)
Lifting WASM bytecode
Fuzzing WebAssembly modules
Day 4: Vulnerability Research inside WebAssembly VM
Web browser vulnerability analysis (CVE PoCs)
WebAssembly VM and Interpreter vulnerabilities
WebAssembly JS API generation
Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
WASM module validation mechanism
Writing edge case modules
WAT, WAST & WASM generation using grammars
Interesting VM targets (kernel, blockchain, etc.)
Fuzzing C/C++/Rust/Go based WebAssembly projects
WebAssembly applied to security researcher tooling
In-memory fuzzing everything using WebAssembly and Frida
Hardware Requirements
A notebook capable of running virtual machines.
Enough free disk space to run the VM.
Software Requirements
VirtualBox
Administrator / root access required.
IDA helpful, but not required.
Included Course Materials
Course materials in PDFs
Virtual machine image
All required additional files: source code, documentation, installation binaries