WebAssembly Module Reverse Engineering and Analysis

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the "game changer for the web".

WebAssembly start to be used everywhere (not exhaustive):

• Web-browsers (Desktop & Mobile)
• For Cryptojacking (Coinhive, Cryptoloot, ...)
• Nodejs servers
• Cloudflare workers
• Video games (Unity, UE4)
• Blockchain platforms (EOS/ETH)
• Linux Kernel (Cervus, Nebulet)
• ...

This courses will give you all the prerequisites to understand WebAssembly module and it’s virtual machine model. At the end of this intensive 4 days, you will learn which security measures are implemented by WebAssembly VM to validate and handle exceptions. You will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerability insides. Finally, you will discover how to do vulnerability research and fuzzing on those VM.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class. Hope you will like it !!

Intended audience

This class is intended for everyone with a basis of reverse engineering and that want to understand how WebAssembly module works such as:

• Malware analysts dealing with detection signatures.
• Developpers that start using WebAssembly.
• Pentester planning to audit WebAssembly module.
• Security researchers looking for new targets.
• Smart contract auditors.

Class Outline

Day 1

• Introduction to WebAssembly
• WebAssembly VM architecture (memory, stack, variables, ...)
• WebAssembly toolchain (emscripten, ...)
• Writing examples in C/C++/Rust/C#
• Debugging WebAssembly module
• WASM binary format (header, sections, ...)
• WebAssembly Instructions set
• Introduction to WebAssembly Text Format (wat/wast)
• Writing examples using WASM Text format
• Reversing WebAssembly bytecode

Day 2

• Control Flow Graph reconstruction
• Call Flow Graph reconstruction
• Real-life WASM module analysis
• Bytecode (De)-Obfuscation techniques
• WebAssembly functions Emulation
• Pattern detection signatures (YARA rules, ...)
• Taint Tracking
• Dynamic Binary Instrumentation
• Static Single Assignment & Decompilation
• WASM cryptominers analysis

Day 3

• WebAssembly module vulnerabilities
• Integer/Buffer/Heap Overflow
• Advanced vulnerabilities (UaF, ...)
• Vulnerability detection (Static & Dynamic)
• CFI Hijacking inside wasm module
• Traps & Exception handling
• Exploitation NodeJS server running wasm module

Day 4

• Fuzzing WebAssembly module functions
• Lifting WASM bytecode
• WebAssembly VM & Interpreter vulnerabilities
• WASM module validation mechanism
• Vulnerability analysis (CVEs PoC)
• Writing edge case module
• WAST & WASM grammar generation
• Interesting VM targets (kernel, blockchain, ...)
• Fuzzing WASM VM & Interpreter

CLASS REQUIREMENTS

Prerequisites

• Basic reverse engineering skills
• Familiarity with scripting languages (Shell, Python).
• Working knowledge of shell scripts, cmd scripts or Python.
• Comfortable with C/C++ or Rust programming.
• SKILL LEVEL: BEGINNER / INTERMEDIATE

Hardware

• A notebook capable of running virtual machines.
• Ideally Linux OS or (at least) a fonctionnal Linux VM.
• Enough hard disk space to run VMs

Minimum Software to Install

• Both Google chrome & Firefox web-browsers
• Virtual machine (VirtualBox preferred)
• Administrator / root access required.
• IDA/Hexrays helpful, but not required.