New WebAssembly memory layout could stop Heartbleed-style browser attacks with no visible slowdown
Modern web development increasingly requires complex applications running natively on the web, driving adoption of fast, efficient technologies like WebAssembly (WASM), now used by sites such as Figma and Google Earth.
Despite its strengths, WASM lacks common low-level protections (stack canaries, ASLR, safe unlinking), leaving buffer overflows and use-after-free exploitable for control-flow hijacking. While the WASM VM blocks some attacks, we show that these flaws can still cause classic web exploits, compromising the host.
Although WASM’s security model has been scrutinized over the years, little work maps low-level WASM bugs to web-layer attacks. Web security often targets high-level code, overlooking the impact of integrating compiled modules.
We show how unsafe WASM can introduce atypical web flaws that evade traditional analysis. We build PoC web services with intentionally vulnerable WASM modules to demonstrate how memory-safety bugs become high-impact attacks, including SQL injection and XS-Leaks.
For reproducibility, each PoC offers step-by-step instructions or a Python demo script. Modules are written in C and compiled with Emscripten to showcase classic exploitation; findings generalize to other unsafe languages (e.g., C++).
The primary contributions of this work are:
• We analyze memory/control-flow bugs (stack buffer overflows, use-after-free, integer overflows, format strings) and show how they enable web exploits (SQLi, SSTI, XS-Leaks), chosen for their historical weight (SQLi) or novelty in WASM (SSTI, XS-Leaks).
• We propose a reproducible methodology linking compiled-code flaws to web-layer impact, combining vulnerability selection, PoC building, exploit automation, and impact assessment.
• We create reproducible PoCs embedding vulnerable WASM modules that realize concrete exploits (e.g., SQL injection via buffer-overflowed queries), with minimal Node.js server/client code and Python scripts for independent checks.
• We publish all PoCs, scripts, and Docker containers for full reproducibility.
Google Earth, Zoom, Twitch.tv or Photoshop—thanks to the WebAssembly standard, many powerful applications now run directly in a browser without installation. However, some of these web apps have serious security vulnerabilities. Researchers from paluno—The Ruhr Institute for Software Technology at the University of Duisburg-Essen—have developed a solution to secure COTS applications by automatically reorganizing their memory.
Since 2019, WebAssembly (Wasm for short) has been a stable web standard designed to make complex desktop applications run in the browser. To make this possible, the original program code—often written in C or C++—is compiled into the Wasm binary format, which is supported by all major browsers.
There is a catch, however: If the code contains vulnerabilities, these are also transferred into the Wasm module during compilation. In C/C++, these are typically memory access errors such as buffer overflows. Hackers can exploit such vulnerabilities for so-called cross-site scripting attacks, injecting malicious code that users then unknowingly execute in their browsers.
Existing approaches to securing Wasm modules are hardly practical. Many require access to the application's source code, while others need special hardware or customized browser environments. The new solution developed by paluno researchers Oussama Draissi and Prof. Lucas Davi takes a different approach. They use Wasm's multi-memory feature to perform a one-time, fully automated memory reorganization of existing modules.
The restructuring is reminiscent of a Japanese bento box, in which different foods are neatly separated into individual compartments. The advantage: Isolating memory areas prevents, for example, HTML tags in one memory area from being overwritten by a buffer overflow in another.
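As an added illustration (not code from the paluno tool or from the PoCs above), the following Python model of Wasm linear memory shows why a single flat memory lets an overflow run into neighbouring HTML data, and why placing that data in a second memory takes it out of reach. Page size and trap-on-out-of-bounds follow the Wasm specification; the addresses, template string and buffer size are constructed for the demo.

```python
# Constructed model of Wasm linear memory: objects sit side by side with no
# guard bytes, and every access is bounds-checked only against the memory end.
PAGE = 65536                          # Wasm memory page size in bytes
TEMPLATE = b"<p>Hello, guest</p>\0"   # constructed HTML fragment the module returns
BUF_SIZE = 16                         # fixed-size buffer a C module might use

class Trap(Exception):
    """A Wasm trap: any access outside a memory's bounds aborts execution."""

class LinearMemory:
    """Flat byte array with Wasm-style bounds checks and nothing between objects."""
    def __init__(self, pages=1):
        self.data = bytearray(pages * PAGE)

    def store(self, addr, payload):
        if addr < 0 or addr + len(payload) > len(self.data):
            raise Trap(f"out-of-bounds store at {addr}")
        self.data[addr:addr + len(payload)] = payload

    def load_cstring(self, addr):
        end = self.data.index(b"\0", addr)     # read up to the first NUL, like C
        return bytes(self.data[addr:end])

def unchecked_copy(mem, dst, src):
    """Models strcpy() compiled to Wasm: copies until NUL with no length check."""
    mem.store(dst, src + b"\0")

def render_single_memory(name):
    """Original layout: buffer and template are neighbours in one linear memory."""
    mem = LinearMemory()
    buf, tmpl = 1024, 1024 + BUF_SIZE
    mem.store(tmpl, TEMPLATE)
    unchecked_copy(mem, buf, name)      # an oversized name walks into the template
    return mem.load_cstring(tmpl)

def render_multi_memory(name):
    """Reorganized layout: the template has its own memory; the buffer cannot reach it."""
    heap, rodata = LinearMemory(), LinearMemory()
    buf, tmpl = 1024, 0
    rodata.store(tmpl, TEMPLATE)
    unchecked_copy(heap, buf, name)     # the bug remains, but stays confined to heap
    return rodata.load_cstring(tmpl)

def traps(fn, *args):
    """True when the call aborts with a Wasm-style trap instead of completing."""
    try:
        fn(*args)
    except Trap:
        return True
    return False
```

With a 16-byte name both layouts return the template unchanged; with a longer name the single-memory layout returns attacker-controlled bytes as HTML, while the multi-memory layout returns the template intact and traps only once the copy runs past the end of the heap memory.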
For users, the restructuring of the modules comes with no noticeable drawbacks. They will notice neither longer loading times nor a significantly larger memory footprint.
The researchers tested the effectiveness of the bento approach using known security vulnerabilities, including the infamous Heartbleed bug.
"In extensive tests, we were able to demonstrate that our solution would have successfully defended against real-world attacks on widely used applications," explains Oussama Draissi.
Provided by University of Duisburg-Essen