Back to the Low-Level: WebAssembly file infection and structure

Daniel (Jinyoung) Choi, AVIRA

WebAssembly(WASM) aims to be faster, safer than JavaScript, and to operate in various environments. In comparison with NaCL, asm.js which are similar technology to WASM, the number of search words related to WASM has been growing rapidly since 2017. The official version is currently 1.0 and is at the W3Cworking draft level. And a variety of techniques are being developed and applied quickly. In particular with developers from Chrome, EDGE, Firefox, and Safari, a major developer, working in the lead, most browsers are quick to support the technology. With the exception of Asia areas with special environments (Korea, India and China), more than 70% of the webs being used are already supported.

Codes written in various programming languages are compiled into intermediate codes and then converted to WASM. Currently, C/C++ and Rust are a notable example. And more than 30 other languages are being worked. Python, Java, C#, etc. are notable examples being worked on and tested. WASM works on the JavaScript engine of the browser. In other words, the process of executing JavaScript codes after parsing and compiling them in the browser has been reduced. Therefore, the speed has increased by running them right away.

In terms of security, the WASM codes work in a sandbox and are not directly accessible to DOM and hardware of the browser. However, it is designed to be capable to communicate with JavaScript using a function declared import/export. Therefore, works that require speed are done in the WASM, and works related to browser DOM, UI are done in JavaScript.

WASM has simply designed the file structure and instruction. The basic instructions are stack-based, the memories consist of arrays, and the functions are accessible by the index. Errors that take place unexpectedly in the compiled codes are dealt with in the sandbox. The sandbox handles and stops them, so the codes are safely executed.

The WASM project offers various tools, and with them, compile/decompile and file information can be identified. Let’s learn about the static code modification and the dynamic code modification using the file infection of virus with these tools. Also learn about the threats hidden behind these various technologies.

Daniel(Jinyoung), Choi

I have been working with Avira as a malware analyst and engine developer within the engine team since 2010.
My main responsibilities include Web/Non-PE based malware analysis and better detection
My field of interest are malware technique research, reverse engineering.
I like to solve a puzzle made by attacker.

Before joining Avira, I was a senior engine developer and also malware analyst at AhnLab. I learned a lot of experience there.

Personally, I like travelling, meeting new/different culture people.

The Dynamic Security Ecosystem
Other Topics