Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The load8_s instruction will check that the computed offset into the memory of size 64KB (1 wasm page) does not index past the bounds of 64KB. If it does, the program will trap.


Which will not work on the provided example, thus leading to memory corruption.

Where is the WebAssembly implementation that traps on my example?


WebAssembly protects the host from memory corruption by the user module. To do this it does a bounds check before executing the load. It does not protect a user module from itself. It does not change the semantics of C.

Relevant documentation http://webassembly.github.io/spec/core/syntax/instructions.h...


> It does not protect a user module from itself. It does not change the semantics of C.

Which is my whole point, WebAssembly does not protect memory corruption inside of the module code, which allows for security exploits anyway.

On my sample code if I expose func() to the host, and it gets called with 200 as parameter for a buffer size of 100 bytes, no trap will ocurr.

On a real use case that call might induce an internal memory corruption that will, for example, change the behavior of other functions exposed to the host.

If you wish I can provide an example how to do that, which you can try out in your favorite spec compliant Web Assembly implementation.


Current WASM spec is a MVP. There will be other ways to expose functionality to the host that should be safer. See future proposals. Your points are valid though.


How is this relevant to wasmjit? User space programs written in C can already corrupt themselves. As far as I can tell there is no new inherent risk to kernel stability by running wasm code in kernel space as long as the wasm spec is followed. Just like wasm programs aren't able to corrupt the browser sandbox in which they run.


The sandbox gives a false sense of security, because it opens a new attack vector.

Apparently you fail to understand how security exploits are taken.

For example, lets say I have an authentication module provided as WebAssembly, written in C.

The browser makes use of the said WebAssembly module to authenticate the user.

Now we make a cross site scripting attack that calls the WebAssembly functions in a sequence that triggers memory corruption inside of the module, thus influencing how the authentication functions work.

Afterwards the JavaScript functions that call those WebAssembly ones, might authenticate a bad user that would otherwise be denied access.

A contrived scenario that can be easily programmed in https://webassembly.studio/ .


I'm still not sure how this is relevant to wasmjit?

Your criticism is for another layer. If you don't like C, use Rust or Go. They also compile to wasm.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: