Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

WASM-MUTATE: Fast and Effective Binary Diversification for WebAssembly

Javier Cabrera-Arteaga, Nicholas Fitzgerald, Martin Monperrus, Benoit Baudry

TL;DR

WASM-MUTATE presents a fast, language-agnostic engine for WebAssembly diversification that preserves semantics while producing thousands of variants. It leverages e-graphs and a large set of rewriting rules to generate functionally equivalent code paths, enabling rapid real-time diversification and defense against timing side-channel attacks such as Spectre. Empirical results show near-complete diversification across a sizable corpus, substantial variance in machine-code size and runtime traces, and meaningful reductions in attack bandwidth for several Spectre variants. The work demonstrates practical applicability for fuzzing, defense, and malware evasion mitigation, while providing an open-source implementation for reproducibility and future research.

Abstract

WebAssembly is the fourth officially endorsed Web language. It is recognized because of its efficiency and design, focused on security. Yet, its swiftly expanding ecosystem lacks robust software diversification systems. We introduce WASM-MUTATE, a diversification engine specifically designed for WebAssembly. Our engine meets several essential criteria: 1) To quickly generate functionally identical, yet behaviorally diverse, WebAssembly variants, 2) To be universally applicable to any WebAssembly program, irrespective of the source programming language, and 3) Generated variants should counter side-channels. By leveraging an e-graph data structure, WASM-MUTATE is implemented to meet both speed and efficacy. We evaluate WASM-MUTATE by conducting experiments on 404 programs, which include real-world applications. Our results highlight that WASM-MUTATE can produce tens of thousands of unique and efficient WebAssembly variants within minutes. Significantly, WASM-MUTATE can safeguard WebAssembly binaries against timing side-channel attacks,especially those of the Spectre type.

WASM-MUTATE: Fast and Effective Binary Diversification for WebAssembly

TL;DR

WASM-MUTATE presents a fast, language-agnostic engine for WebAssembly diversification that preserves semantics while producing thousands of variants. It leverages e-graphs and a large set of rewriting rules to generate functionally equivalent code paths, enabling rapid real-time diversification and defense against timing side-channel attacks such as Spectre. Empirical results show near-complete diversification across a sizable corpus, substantial variance in machine-code size and runtime traces, and meaningful reductions in attack bandwidth for several Spectre variants. The work demonstrates practical applicability for fuzzing, defense, and malware evasion mitigation, while providing an open-source implementation for reproducibility and future research.

Abstract

WebAssembly is the fourth officially endorsed Web language. It is recognized because of its efficiency and design, focused on security. Yet, its swiftly expanding ecosystem lacks robust software diversification systems. We introduce WASM-MUTATE, a diversification engine specifically designed for WebAssembly. Our engine meets several essential criteria: 1) To quickly generate functionally identical, yet behaviorally diverse, WebAssembly variants, 2) To be universally applicable to any WebAssembly program, irrespective of the source programming language, and 3) Generated variants should counter side-channels. By leveraging an e-graph data structure, WASM-MUTATE is implemented to meet both speed and efficacy. We evaluate WASM-MUTATE by conducting experiments on 404 programs, which include real-world applications. Our results highlight that WASM-MUTATE can produce tens of thousands of unique and efficient WebAssembly variants within minutes. Significantly, WASM-MUTATE can safeguard WebAssembly binaries against timing side-channel attacks,especially those of the Spectre type.
Paper Structure (24 sections, 5 equations, 10 figures, 1 table, 1 algorithm)

This paper contains 24 sections, 5 equations, 10 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. WebAssembly
  4. Rewriting rules
  5. Design of Wasm-Mutate
  6. Overview
  7. WebAssembly Rewriting Rules
  8. E-graphs for WebAssembly
  9. Wasm-Mutate in the loop
  10. Implementation
  11. Evaluation
  12. Corpora
  13. Protocol for RQ1
  14. Protocol for RQ2
  15. Protocol for \ref{['rq:performance']}
  16. ...and 9 more sections

Figures (10)

  • Figure 1: Wasm-Mutate high-level architecture. It generates semantically equivalent variants from a given WebAssembly binary input. Its central approach involves synthesizing these variants by substituting parts of the original binary using rewriting rules, boosted by diversification space traversals using e-graphs(refer to \ref{['alg']}).
  • Figure 2: e-graph for idempotent bitwise-or rewriting rule. Solid lines represent operand-operator relations, and dashed lines represent equivalent class inclusion.
  • Figure 3: e-graph built for rewriting the first instruction of \ref{['example:peeporig']}.
  • Figure 4: Protocol to answer \ref{['rq:static']} and \ref{['rq:dynamic']}
  • Figure 5: RQ1: Number of unique WebAssembly programs generated by Wasm-Mutate in 1 hour for each program of the corpus.
  • ...and 5 more figures