Training @ RECON Montreal 2019: WebAssembly Module Reverse Engineering and Analysis

Date: 24 – 27 June 2019 / details / registration

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web”.

WebAssembly start to be used everywhere (not exhaustive):

  • Web-browsers (Desktop & Mobile)
  • For Cryptojacking (Coinhive, Cryptoloot, …)
  • Nodejs servers
  • Cloudflare workers
  • Video games (Unity, UE4)
  • Blockchain platforms (EOS/ETH)
  • Linux Kernel (Cervus, Nebulet)

This courses will give you all the prerequisites to understand WebAssembly module and it’s virtual machine model. At the end of this intensive 4 days, you will learn which security measures are implemented by WebAssembly VM to validate and handle exceptions. You will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerability insides. Finally, you will discover how to do vulnerability research and fuzzing on those VM.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class. Hope you will like it !!

Class Outline

Day 1

  • Introduction to WebAssembly
  • WebAssembly VM architecture (memory, stack, variables, …)
  • WebAssembly toolchain (emscripten, …)
  • Writing examples in C/C++/Rust/C#
  • Debugging WebAssembly module
  • WASM binary format (header, sections, …)
  • WebAssembly Instructions set
  • Introduction to WebAssembly Text Format (wat/wast)
  • Writing examples using WASM Text format
  • Reversing WebAssembly bytecode

Day 2

  • Control Flow Graph reconstruction
  • Call Flow Graph reconstruction
  • Real-life WASM module analysis
  • Bytecode (De)-Obfuscation techniques
  • WebAssembly functions Emulation
  • Pattern detection signatures (YARA rules, …)
  • Taint Tracking
  • Dynamic Binary Instrumentation
  • Static Single Assignment & Decompilation
  • WASM cryptominers analysis

Day 3

  • WebAssembly module vulnerabilities
  • Integer/Buffer/Heap Overflow
  • Advanced vulnerabilities (UaF, …)
  • Vulnerability detection (Static & Dynamic)
  • CFI Hijacking inside wasm module
  • Traps & Exception handling
  • Exploitation NodeJS server running wasm module

Day 4

  • Fuzzing WebAssembly module functions
  • Lifting WASM bytecode
  • WebAssembly VM & Interpreter vulnerabilities
  • WASM module validation mechanism
  • Vulnerability analysis (CVEs PoC)
  • Writing edge case module
  • WAST & WASM grammar generation
  • Interesting VM targets (kernel, blockchain, …)
  • Fuzzing WASM VM & Interpreter

link / registration