
A Journey Into Fuzzing WebAssembly Virtual Machines

Conference: Black Hat USA 2022

2022-08-10

Summary

The presentation discusses the process of fuzzing WebAssembly virtual machines with mutated modules and finding logic bugs in production software.
  • The speaker's main goal was to build a corpus of WebAssembly modules to be mutated by a fuzzer while monitoring code coverage
  • The speaker used AFL and AFL++ for coverage-guided fuzzing, and in-process fuzzing for faster results
  • The speaker reused the corpus across all targets and added every crashing input to the global corpus
  • The speaker found critical vulnerabilities in WebAssembly implementations, particularly in browsers, using grammar-based fuzzing
  • The presentation emphasizes the importance of finding logic bugs in production software
The speaker found a logic bug in a WebAssembly VM used to run smart contracts in a blockchain; because it could make different clients reach different outcomes for the same contract, it is a critical vulnerability.

Abstract

Since the MVP release in 2017, WebAssembly has evolved gradually, bringing new adopters and new VM implementations over time. It is now possible to run WebAssembly modules in every modern browser, in some blockchains, or using a standalone VM. In the same way that multiple JavaScript engines are available, there is now a range of different WebAssembly VMs with their own runtime engines. Their implementations can be totally different, from simple bytecode interpretation to complex JIT and AOT compilation. This diversity also exists in the programming language chosen for VM development, which directly affects the internal security of each part of the virtual machine.

During this talk, we will introduce what WebAssembly is, dive deeper into WebAssembly VM architecture, identify the attack surface and explain our fuzzing strategy to target each different VM component, from module parsing to the runtime execution engine. Also, since we are not targeting only one implementation, we will maximize our success rate by using different fuzzing frameworks and techniques such as coverage-guided, structural, and differential fuzzing.

This journey led us to the discovery of more than 50 bugs/vulnerabilities across a dozen C/C++/Rust projects. We will conclude with a global result overview with a focus on some concrete impactful vulnerabilities.
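To make the "module parsing" attack surface and the corpus-mutation workflow from the summary concrete, here is an added example that is not code from the talk or its authors: a small Python walker over the WebAssembly binary section table that performs the bounds and ordering checks a parser front end must make, together with a one-byte mutator and a triage loop that classifies how the walker reacts to each mutated input. The module bytes are constructed by hand for the example (a single function returning the i32 constant 42); the function names and the triage categories are this example's own choices and assume nothing about the speakers' harnesses.

```python
"""Bounds-checked WebAssembly section walker plus a tiny mutation/triage loop.

Added example, not from the presentation. The walker only decodes the outer
section table; type decoding, validation and execution are the deeper VM
layers the talk targets separately.
"""
import struct

WASM_MAGIC = b"\x00asm"
WASM_VERSION = 1

SECTION_NAMES = {
    0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
    5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
    10: "code", 11: "data", 12: "datacount",
}
# Required order of non-custom sections per the binary format
# (datacount sits between element and code).
SECTION_RANK = {sid: rank for rank, sid in enumerate([1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 10, 11])}


class WasmParseError(ValueError):
    """Raised for every malformed input the walker detects (clean rejection)."""


def read_uleb128(data: bytes, pos: int, max_bits: int = 32):
    """Decode an unsigned LEB128 integer at pos; return (value, new_pos).
    Rejects truncated, over-long and out-of-range encodings."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise WasmParseError("truncated LEB128")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if byte & 0x80 == 0:
            break
        if shift >= max_bits + 7:  # a u32 may occupy at most 5 bytes
            raise WasmParseError("LEB128 too long")
    if result >> max_bits:
        raise WasmParseError("LEB128 value out of range")
    return result, pos


def parse_sections(module: bytes):
    """Walk the section table; return [(id, name, payload_len), ...].
    Every declared size is checked against the bytes actually present, and
    non-custom sections must appear in increasing rank exactly once."""
    if len(module) < 8:
        raise WasmParseError("module shorter than header")
    if module[:4] != WASM_MAGIC:
        raise WasmParseError("bad magic")
    version = struct.unpack("<I", module[4:8])[0]
    if version != WASM_VERSION:
        raise WasmParseError(f"unsupported version {version}")
    pos, last_rank, sections = 8, -1, []
    while pos < len(module):
        sec_id = module[pos]
        pos += 1
        size, pos = read_uleb128(module, pos)
        remaining = len(module) - pos
        if size > remaining:
            raise WasmParseError(f"section {sec_id} size {size} exceeds remaining {remaining} bytes")
        if sec_id not in SECTION_NAMES:
            raise WasmParseError(f"unknown section id {sec_id}")
        if sec_id != 0:
            rank = SECTION_RANK[sec_id]
            if rank <= last_rank:
                raise WasmParseError(f"section {sec_id} out of order or duplicated")
            last_rank = rank
        sections.append((sec_id, SECTION_NAMES[sec_id], size))
        pos += size  # payload is not decoded by this outer walker
    return sections


# Constructed sample module: (func (export "f") (result i32) i32.const 42)
MODULE = (
    WASM_MAGIC + struct.pack("<I", WASM_VERSION)
    + bytes([0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7F])          # type: () -> i32
    + bytes([0x03, 0x02, 0x01, 0x00])                            # function: type 0
    + bytes([0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00])          # export "f" func 0
    + bytes([0x0A, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2A, 0x0B])    # code: i32.const 42; end
)


def mutate_byte(module: bytes, offset: int, value: int) -> bytes:
    """Single-byte overwrite, the simplest mutation a fuzzer applies."""
    return module[:offset] + bytes([value & 0xFF]) + module[offset + 1:]


def triage(module: bytes, mutations):
    """Apply each (offset, value) mutation and record the parser's reaction.
    'rejected' (a clean WasmParseError) is the desired outcome for bad input;
    any other exception type is the kind of finding a fuzzing harness reports."""
    results = {}
    for offset, value in mutations:
        try:
            parse_sections(mutate_byte(module, offset, value))
            results[(offset, value)] = "accepted"
        except WasmParseError:
            results[(offset, value)] = "rejected"
        except Exception as exc:  # noqa: BLE001 - classify, don't hide
            results[(offset, value)] = f"crash:{type(exc).__name__}"
    return results


if __name__ == "__main__":
    print(parse_sections(MODULE))
    print(triage(MODULE, [(4, 2), (9, 0xFF), (12, 1)]))
```

The triage output is worth reading with the talk's layered model in mind: flipping the version byte or inflating a section size is rejected at the outermost layer, while a mutation inside a section payload is "accepted" here only because this walker never decodes payloads. Those inputs are exactly what flows on to the type decoder, validator and execution engine, which is why the summary describes one shared corpus feeding several targets and why differential fuzzing across VMs is needed to catch the logic bugs a single parser cannot see.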
