Vulnerability research | Fuzzing | Reversing | WebAssembly | Ethereum
2020/03/03 @ EthCC 2020
In this talk, I briefly introduce WebAssembly concepts , Ewasm specificity and opcodes/instructions. Secondly, I show how to create Ewasm smart contract and expose different techniques/tools to perform WebAssembly module closed-source analysis. Finally, we go through some basic examples to apply reversing (reverse engineering) on those Ewasm contracts and understand the logic inside.
2020/02/18 @ wasmer medium
In the last months I’ve been working developing fuzzing targets to find bugs and create patches for the Wasmer WebAssembly runtime.
In this post we will learn what is fuzzing, why it is important for WebAssembly runtimes and what kind of bugs fuzzing helped to detect.
2020/01/30 @ webassembly-security.com
In this short blogpost, I will first introduce jsfuzz, a coverage-guided fuzzer for javascript/nodejs packages. Then, I’ll discuss about the wasm binary parsing library I decided to target. Finally, I’ll explain how to create a jsfuzz target script and show the OOM/DoS crash I found.
2020/01/09 @ webassembly-security.com
In this blogpost, I will first detailed WebAssembly Javascript APIs supported by major browsers. Then, I’ll explains how to use Dharma to generate valid Javascript file to fuzz WebAssembly APIs. Finally, I’ll show an easy way to execute those generated testcases over ASAN build of Chrome/V8.
2019/11/20 @ webassembly-security.com
In this blogpost, I will first explain the WebAssembly binary format and its sections. Then, I’ll demonstrate how to create a valid polyglot wasm module that contain an html/js payload embedded using 2 different techniques. Finally, I’ll give you the link to the github repository if you want to try on your own and learn more about WebAssembly
2019/10/22 @ Hack.lu 2019
In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose how to analyze a WebAssembly module using different techniques (static & dynamic) as well as some open-source tools that make you the life easier (Octopus, Wasabi, …). Finally, we will hands-on with simple examples/crackmes and finally go throws the analysis of cryptominers.
The following point will be discussed in this workshop.
link / slides / repository
2019/07/16 @ webassembly-security.com
Is WebAssembly already used in the wild?
The answer is of course YES and some WebAssembly modules are potentially running right now in your browser if you are using Google web services. Recently, Google was using WebAssembly for the beta version of Google Earth but also in production for services like Google Keep.
2019/06/17 @ FIRST conference 2019
More than one year after the “official” release, it’s heavily used in the wild to perform Cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provides simple Javascript API and uses WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.
First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some Cryptominer module using static and dynamic analysis (reversing, decompilation, DBI, …) applied on WebAssembly. Finally, I will expose some techniques to detect and mitigate them.
2019/05/21 @ Northsec 2019
In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (Octopus, Wasabi, …) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module.
Along the talk, I will only used open source tools.
link / slides (not yet) / repository
2019/02/18 @ EthCC 2019
At Devcon4, Vitalik annonced that WebAssembly (wasm) will be part of Ethereum 2.0 (Serenity). It’s already possible to compile smart contracts to wasm modules and run them in the Kovan network.
Using WebAssembly smart contract doesn’t mean using secure smart contract.
In this talk, I will explain what’s inside a WebAssembly module and illustrate how to analyze wasm Ethereum smart contracts to find vulnerabilities and unoptimization.