A Journey Into Fuzzing WebAssembly Virtual Machines [BlackHat USA 2022]

Since the MVP release in 2017, WebAssembly evolve gradually, bringing new adepts and new VM implementations over time. It’s now possible to run WebAssembly modules over every modern browser, in some blockchain, or using a standalone VM.

In the same way that multiple JavaScript engines are available, there is now a bunch of different WebAssembly VM with their own runtime engines. Their implementation can be totally different, starting from simple bytecode interpretation to complex JIT and AOT compilation. This diversity also exists in the programming language chosen for VM development, impacting directly the internal security of each part of the virtual machine.

During this talk, we will introduce what is WebAssembly, dive deeper into WebAssembly VM architecture, identify the attack surface and explain our fuzzing strategy to target each different VM component, from module parsing to runtime execution engine. Also, since we are not targeting only one implementation, we will maximize our success rate by using different fuzzing frameworks and techniques such as coverage-guided, structural, and differential fuzzing.

This journey leads us to the discovery of more than 50 bugs/vulnerabilities across a dozen of C/C++/Rust projects. We will conclude with a global result overview with a focus on some concrete impactful vulnerabilities.