WebAssembly and Security: a review
Gaetano Perrone, Simon Pietro Romano
TL;DR
This review analyzes $121$ WebAssembly security papers, classifying $96$ into seven categories and detailing $25$ supplementary works to map the Wasm security landscape. It shows that despite Wasm’s sandboxing and isolation goals, memory-safety and compiler/runtime security gaps persist, especially when porting unsafe languages like $C$/$C++$; empirical studies reveal ongoing crypto-mining activity and memory-unsafe prevalence among binaries. The survey covers security analyses, empirical studies, vulnerability discovery, attack scenarios, detection approaches, and security enhancements, across browser, cloud/edge, IoT, and blockchain domains, including TEEs and privacy-focused use cases. It also identifies gaps such as reliance on retired benchmarks (Alexa), inconsistent evaluation metrics, and limited study of languages beyond C/C++, calling for expanded cyber-range use cases and broader language coverage to strengthen Wasm security foundations. Overall, the work provides a comprehensive, actionable map of Wasm security research and highlights avenues for future work to improve resilience and trust in Wasm-enabled systems.
Abstract
WebAssembly is revolutionizing the approach to developing modern applications. Although this technology was born to create portable and performant modules in web browsers, currently, its capabilities are extensively exploited in multiple and heterogeneous use-case scenarios. With the extensive effort of the community, new toolkits make the use of this technology more suitable for real-world applications. In this context, it is crucial to study the liaisons between the WebAssembly ecosystem and software security. Indeed, WebAssembly can be a medium for improving the security of a system, but it can also be exploited to evade detection systems or for performing cryptomining activities. In addition, programs developed in low-level languages such as C can be compiled in WebAssembly binaries, and it is interesting to evaluate the security impacts of executing programs vulnerable to attacks against memory in the WebAssembly sandboxed environment. Also, WebAssembly has been designed to provide a secure and isolated environment, but such capabilities should be assessed in order to analyze their weaknesses and propose new mechanisms for addressing them. Although some research works have provided surveys of the most relevant solutions aimed at discovering WebAssembly vulnerabilities or detecting attacks, at the time of writing, there is no comprehensive review of security-related literature in the WebAssembly ecosystem. We aim to fill this gap by proposing a comprehensive review of research works dealing with security in WebAssembly. We analyze 121 papers by identifying seven different security categories. We hope that our work will provide insights into the complex landscape of WebAssembly and guide researchers, developers, and security professionals towards novel avenues in the realm of the WebAssembly ecosystem.