DOI: 10.1145/3576915.3623205
research-article

Put Your Memory in Order: Efficient Domain-based Memory Isolation for WASM Applications

Published: 21 November 2023

ABSTRACT

Memory corruption vulnerabilities can have more serious consequences in WebAssembly than in native applications. Therefore, we present \tool, the first WebAssembly runtime with memory isolation. Our insight is to use MPK hardware for efficient memory protection in WebAssembly. However, MPK and WebAssembly have different memory models: MPK protects virtual memory pages, while WebAssembly uses linear memory that has no pages. Mapping MPK APIs to WebAssembly causes memory bloating and low running efficiency. To solve this, we propose \acfdilm, which protects linear memory at function-level granularity. We implemented \acdilm into the official WebAssembly runtime to build \tool. Our evaluation shows that \tool can prevent memory corruption in real projects with a 1.77% average overhead and negligible memory cost.
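
The mismatch the abstract describes, between page-granular MPK protection and byte-packed linear memory, can be made concrete with a small model; this is an added example, not code from the paper, and it does not implement the paper's design. The `struct obj` model, the function names, the sample allocations and the per-domain comparison layout are assumptions made for illustration; the 4 KiB page size and the 16-key limit are the x86-64 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   4096u  /* x86-64 base page: the unit an MPK key tags */
#define MAX_DOMAINS 16u    /* x86 protection keys are 4 bits wide */

/* Constructed model of one allocation in linear memory. */
struct obj { uint32_t size; uint8_t domain; };

static size_t round_up_page(size_t n) {
    return (n + PAGE_SIZE - 1) / PAGE_SIZE * PAGE_SIZE;
}

/* Bytes used when objects sit back to back, with no isolation. */
size_t packed_bytes(const struct obj *o, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += o[i].size;
    return total;
}

/* Pages of the packed layout that hold bytes of more than one domain.
   One key per page cannot separate the domains on such a page. */
size_t mixed_pages_when_packed(const struct obj *o, size_t n) {
    size_t off = 0, cur = SIZE_MAX, mixed = 0;
    uint32_t mask = 0;                      /* domains seen on page `cur` */
    for (size_t i = 0; i < n; i++) {
        if (o[i].domain >= MAX_DOMAINS) return SIZE_MAX;
        if (o[i].size == 0) continue;
        size_t last = (off + o[i].size - 1) / PAGE_SIZE;
        for (size_t p = off / PAGE_SIZE; p <= last; p++) {
            if (p != cur) {                 /* moved on: settle previous page */
                if (mask & (mask - 1)) mixed++;
                cur = p;
                mask = 0;
            }
            mask |= 1u << o[i].domain;
        }
        off += o[i].size;
    }
    if (mask & (mask - 1)) mixed++;         /* settle the final page */
    return mixed;
}

/* Naive mapping: every object gets its own page-aligned region. */
size_t per_object_bytes(const struct obj *o, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += round_up_page(o[i].size);
    return total;
}

/* Comparison layout: objects grouped by domain, one padded region each. */
size_t per_domain_bytes(const struct obj *o, size_t n) {
    size_t sum[MAX_DOMAINS] = {0}, total = 0;
    for (size_t i = 0; i < n; i++) {
        if (o[i].domain >= MAX_DOMAINS) return SIZE_MAX;
        sum[o[i].domain] += o[i].size;
    }
    for (size_t d = 0; d < MAX_DOMAINS; d++) total += round_up_page(sum[d]);
    return total;
}

/* Constructed sample: six allocations in three domains. */
const struct obj SAMPLE[] = {
    {24, 0}, {4000, 1}, {100, 0}, {8200, 2}, {16, 1}, {64, 0},
};
const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

int main(void) {
    printf("packed bytes:            %zu\n", packed_bytes(SAMPLE, SAMPLE_N));
    printf("mixed pages when packed: %zu\n", mixed_pages_when_packed(SAMPLE, SAMPLE_N));
    printf("page per object bytes:   %zu\n", per_object_bytes(SAMPLE, SAMPLE_N));
    printf("region per domain bytes: %zu\n", per_domain_bytes(SAMPLE, SAMPLE_N));
    return 0;
}
```

In the packed layout most pages carry data from several domains, so a per-page key cannot isolate them, while giving each object its own pages multiplies the footprint.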


    Published in

      CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
      November 2023
      3722 pages
      ISBN: 9798400700507
      DOI: 10.1145/3576915

      Copyright © 2023 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Acceptance Rates

      Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
