Workshop @ Hack.lu 2019: Reversing WebAssembly Module 101


2019/10/22 @ Hack.lu 2019

In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose how to analyze a WebAssembly module using different techniques (static & dynamic) as well as some open-source tools that make you the life easier (Octopus, Wasabi, …). Finally, we will hands-on with simple examples/crackmes and finally go throws the analysis of cryptominers.

The following point will be discussed in this workshop.

  1. Introduction
  2. WebAssembly Basics
  3. WebAssembly Runtime VM
  4. Module dissection
  5. Reversing wasm module
  6. Dynamic analysis
  7. Cryptominers
  8. Conclusion

link / slides / repository

Talk @ FIRST 2019: Analyze & Detect WebAssembly Cryptominer


2019/06/17 @ FIRST conference 2019

More than one year after the “official” release, it’s heavily used in the wild to perform Cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provides simple Javascript API and uses WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.

First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some Cryptominer module using static and dynamic analysis (reversing, decompilation, DBI, …) applied on WebAssembly. Finally, I will expose some techniques to detect and mitigate them.

  1. Introduction
  2. WebAssembly Basics
  3. Module dissection
  4. Program analysis
  5. WebAssembly Cryptominers
  6. Analysis (Coinhive & Cryptoloot)
  7. Cryptominers detection
  8. Conclusion

link / slides

Workshop @ Northsec 2019: Reversing WebAssembly Module 101


2019/05/21 @ Northsec 2019

In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (OctopusWasabi, …) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module.

Along the talk, I will only used open source tools.

  1. Introduction
  2. WebAssembly Basics
  3. WebAssembly Runtime VM
  4. WebAssembly VM internals
  5. Module dissection
  6. Program analysis
  7. Wasabi
  8. Cryptominers
  9. Firefox addons analysis
  10. Conclusion

link / slides (not yet) / repository

Talk @ ToorCon XX – 2018: Dissection of WebAssembly module

 

toorcon webassembly wasm patrick ventuzelo reversing analysis ethereum evm


2018/09/15 @ ToorCon XX – 2018

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web“. More than one year after the “official” release, it is not only used “for the web” by web browsers but also in some (huge) other projects like Blockchain Smart Contract platforms (EOS and Ethereum).

I will first introduce WebAssembly concepts and who currently used it in the wild. Secondly, I will show different WebAssembly VM available and explain the security measures implemented into it. Finally, I will show you, throw real life WASM modules, how to do static analysis, using techniques such as reversing, control flow and calls flow analysis, to understand deeper its behaviors. Along the talk, I will used multiple open source tools but mainly the one that I have developed and that is already available on Github (Octopus).


link / slides / video