PACSEC 2020 DOJO

Web Assembly Security

Instructor: Patrick Ventuzelo
November 10-13 (8am-12:30pm PST)


Patrick Ventuzelo

Patrick Ventuzelo is a French Independent Security Researcher specialized in fuzzing, vulnerability research, reverse engineering and program analysis on WebAssembly, Rust and Golang targets.

Patrick is the author of Octopus, an open-source security analysis tool for WebAssembly and blockchain smart contract bytecode. He also develops WARF, an open-source fuzzing project that finds bugs inside WebAssembly VMs, runtimes and parsers using multiple fuzzing techniques.

Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick is a regular speaker and trainer at various security conferences around the globe, including RingZer0, REcon Montreal/Brussels, ToorCon, hack.lu, NorthSec, SSTIC, FIRST, Microsoft DCC, BlackAlps, etc.


Course Schedule

November 10-13, 8am - 12:30 PST


Course Abstract

WebAssembly (WASM) is a new binary format currently developed and supported by all major web browsers, including Firefox, Chrome, WebKit/Safari and Microsoft Edge. The format was designed to be "efficient and fast", "debuggable" and "safe", and it is often called a game changer for the web.

WebAssembly is beginning to be used everywhere and for everything:

  • Web-browsers (Desktop & Mobile)

  • Servers/Website (Nodejs, React, Qt, Electron, Cloudflare workers)

  • Video games (Unity, UE4)

  • Blockchain platforms (EOS, Ethereum, Dfinity)

  • Cryptojacking (Coinhive, Cryptoloot)

  • Linux Kernel (Cervus, Nebulet)

  • ... and more

This course will give you all the prerequisites to understand what a WebAssembly module is and how its associated runtime virtual machine works. At the end of four intensive days, you will be able to statically and dynamically reverse a WebAssembly module, analyze its behavior, create specific detection rules and search for vulnerabilities. You will discover which security measures the WebAssembly VM implements to validate modules and handle exceptions. Finally, you will search for vulnerabilities inside WebAssembly VMs (web browsers, standalone VMs) using mutation-based and generation-based fuzzing techniques. Students will be given many hands-on exercises so that they can internalize the concepts and techniques taught in class.

Course Pre-requisites

  • Basic knowledge of reverse engineering concepts.

  • Familiarity with scripting (Python, Bash).

  • Familiarity with C/C++ or Rust programming.

Course Learning Objectives

  • Learn what WebAssembly is and what is inside a WebAssembly module.

  • Discover the architecture of the WebAssembly virtual machine.

  • Learn how to statically and dynamically analyze real-life WASM modules.

  • Discover how to hack video games running in your browser using WebAssembly.

  • Learn how to find vulnerabilities inside WebAssembly modules and how to exploit them.

  • Study and analyze the module validation mechanism to bypass it.

  • Learn how to apply mutation, grammar and evolutionary fuzzing to WebAssembly VMs.

  • Discover how WebAssembly can help you in your day-to-day security work.

Who Should Attend

This class is meant for everyone who wants a deeper understanding of how WebAssembly works: malware analysts dealing with cryptominers, professional pentesters planning to audit WebAssembly modules, developers or students looking to add WebAssembly to their skill set, blockchain auditors auditing EOS or Ethereum 2.0 smart contracts, and vulnerability researchers looking for new targets (such as web browsers) will all benefit from this course.

Course Agenda

Day 1: WebAssembly Reversing

  • Introduction to WebAssembly

  • WebAssembly VM architecture and toolchains

  • Writing examples in C/C++/Rust/C#

  • Module debugging

  • WASM binary format (header, sections, etc.)

  • WebAssembly Text Format (wat/wast)

  • WebAssembly instruction set

  • Writing examples using WASM Text format

  • Reversing WebAssembly module

  • CFG and CallGraph reconstruction

  • DataFlowGraph analysis

Day 2: Analysis of real-life WASM modules

  • Module instruction analytics/metrics

  • WebAssembly cryptominers analysis

  • Pattern detection signatures (YARA rules, etc.)

  • Taint Tracking

  • Dynamic Binary Instrumentation

  • Bytecode (De)-Obfuscation techniques

  • Static Single Assignment and Decompilation

  • Real-life WASM module analysis

  • WebAssembly video game hacking

Day 3: WebAssembly Modules Vulnerabilities

  • Traps and Exception handling

  • WebAssembly module vulnerabilities

  • Integer/Stack/Heap Overflows

  • Advanced vulnerabilities (UaF, TOCTOU)

  • CFI Hijacking

  • Emscripten vulnerabilities

  • Exploiting NodeJS server running WASM module

  • Vulnerability detection (Static and Dynamic)

  • Lifting WASM bytecode

  • Fuzzing WebAssembly modules

Day 4: Vulnerability Research inside WebAssembly VM

  • Web-Browsers vulnerabilities analysis (CVEs PoC)

  • WebAssembly VM and Interpreter vulnerabilities

  • WebAssembly JS APIs generation

  • Fuzzing Web-Browsers (Chrome, Firefox, WebKit)

  • WASM module validation mechanism

  • Writing edge case modules

  • WAT, WAST & WASM generation using grammars

  • Interesting VM targets (kernel, blockchain, etc.)

  • Fuzzing C/C++/Rust/Go based WebAssembly projects

  • WebAssembly applied for Security Researcher toolings

  • In-memory fuzzing everything using WebAssembly and Frida

Hardware Requirements

  • A notebook capable of running virtual machines.

  • Enough hard disk space to run the VM

Software Requirements

  • VirtualBox

  • Administrator / root access required.

  • IDA helpful, but not required.

Included Course Materials

  • Course materials in PDFs

  • Virtual machine image

  • All required additional files: source code, documentation, installation binaries
