[FULL TRAINING] WebAssembly Security From Reversing to Vulnerability Research by Patrick Ventuzelo

Learn how to reverse WebAssembly modules, analyze their behavior, perform dynamic analysis and find bugs inside both modules and VMs using fuzzing.

Course outline

WebAssembly (wasm) is a binary instruction format standardized through the W3C and supported by all major browsers, including Firefox, Chrome, Safari and Microsoft Edge. The format has been designed to be efficient, fast, debuggable and safe.

WebAssembly is being used everywhere, for example:

  • Web-browsers (Desktop & Mobile)
  • Cryptojacking (Coinhive, Cryptoloot)
  • Servers/Websites (Node.js, React, Qt, Electron, Cloudflare Workers)
  • Video games (Unity, UE4)
  • Blockchain platforms (EOS, Ethereum, Dfinity)
  • Linux Kernel (Cervus, Nebulet)
  • ... and more

This course will give you all the prerequisites to understand what a WebAssembly module is and how its runtime virtual machine executes it. At the end of four intensive days, you will be able to statically and dynamically reverse a WebAssembly module, analyze its behavior, create specific detection rules and search for vulnerabilities and security issues. You will discover which security measures the WebAssembly VM implements to validate modules and to handle traps and exceptions. Finally, you will search for vulnerabilities inside WebAssembly VMs (web browsers, standalone VMs) using mutation-based and generation-based fuzzing techniques.

As part of this training, participants will be provided numerous hands-on exercises allowing them to internalize concepts and techniques taught in class.

Day 1: Basics of WebAssembly Reverse Engineering

On this first day, you will focus on the basics of WebAssembly and its ecosystem. You will learn how to reverse-engineer and analyze real-life modules using both the binary format and the text representation. You will also apply much of the theory in practice over small hands-on assignments that highlight the practical aspects of working with WebAssembly.

Topics Covered during this Course
  • Introduction to WebAssembly ecosystem
  • WebAssembly compilation and toolchain
  • Instruction set and debugging WebAssembly modules
  • WebAssembly binary and Text Format
  • WebAssembly Module reversing
  • CFG & Call Graph reconstruction
  • Data Flow Graph analysis

Day 2: Dynamic WebAssembly Modules Analysis

This second day focuses more on real-world module analysis using both static and dynamic techniques. Students will analyze well-known WebAssembly cryptominers and discover how to perform dynamic binary instrumentation of wasm modules. Then, they will learn which anti-debugging and obfuscation techniques exist for WebAssembly and how to bypass them. Finally, students will hack video games compiled to WebAssembly and create cheats.

Topics Covered during this Course
  • Modules Instructions analytics/metrics
  • Cryptominers analysis and Pattern detection signatures
  • Dynamic Binary Instrumentation
  • Bytecode (De)-Obfuscation techniques
  • Static Single Assignment & Decompilation
  • Hacking WebAssembly video game

Day 3: WebAssembly Module Audit and Fuzzing

This third day focuses on WebAssembly module audit and bug finding using fuzzing. You will first learn which basic and advanced vulnerabilities can occur during the execution of a WebAssembly module. You will discover issues specific to the Emscripten APIs and exploit a Node.js application to obtain remote code execution (RCE). Finally, you will try to find bugs inside WebAssembly modules using different fuzzing techniques. Over the day, you will apply much of the theory in practice over small real-life hands-on assignments.

Topics Covered during this Course
  • Traps & Exception handling
  • WebAssembly module vulnerabilities
  • Division by zero / Integer Overflow / Format string
  • Null pointer Dereference / Buffer Overflow / Buffer over-read
  • Heap Overflow / Use-after-free (UaF) / Uninitialized variable
  • Advanced vulnerabilities (CFI Hijacking / TOCTOU / Timing attacks)
  • Emscripten APIs & vulnerabilities
  • Exploitation NodeJS server running wasm module
  • Vulnerability detection (Static & Dynamic)
  • Lifting WASM bytecode
  • Vulnerability research on WebAssembly module
  • Fuzzing WebAssembly modules

Day 4: Fuzzing WebAssembly VMs

This fourth day focuses on finding bugs inside WebAssembly VMs and parsing libraries using different fuzzing techniques. You will first learn the main concepts behind fuzzing and how to apply them to simple targets such as WebAssembly parsing libraries. Then, you will discover how to automatically generate JavaScript files using grammar-based fuzzing and WebAssembly modules using structure-aware fuzzing. Finally, you will try to fuzz the WebAssembly VMs of web browsers and analyze existing CVEs. Over the day, you will apply much of the theory in practice over small real-life hands-on assignments.

Topics Covered during this Course
  • Fuzzing workflow and Corpus selection
  • Fuzzing C/C++/Rust/Go WASM project
  • WebAssembly VM & Interpreter vulnerabilities
  • WASM module validation mechanism
  • Writing edge case module
  • WAT, WAST & WASM grammar generation
  • Web-Browsers vulnerabilities analysis (CVEs PoC)
  • WebAssembly JS APIs generation
  • Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
  • WebAssembly for Security Researcher
  • In-memory fuzzing everything using WebAssembly & Frida
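The trap and memory-safety behaviour listed under Day 3 (division by zero, integer overflow, buffer overflow, out-of-bounds access) and the validator fuzzing listed under Day 4, as one added example that is not part of the training material: a module assembled by hand and run under Node.js. The function names div/load8/store8, the one-page memory, the 16-byte buffer followed by a one-byte secret, and the xorshift-driven single-byte mutator are all assumptions made here for illustration.

```javascript
// Added example (not from the training page): a hand-assembled WebAssembly module
// exercised from Node.js to show (1) traps, (2) unchecked writes inside linear
// memory, and (3) a toy mutation loop against the module validator.
// Requires Node.js >= 12 (global WebAssembly and TextEncoder).

// Encode a section: id, one-byte LEB128 size (every payload here is < 128 bytes), payload.
function section(id, payload) {
  if (payload.length >= 128) throw new Error("payload too large for a one-byte size");
  return [id, payload.length, ...payload];
}
// Encode an export entry: name length, UTF-8 name, kind (0 = func, 2 = memory), index.
function exportEntry(name, kind, index) {
  const utf8 = Array.from(new TextEncoder().encode(name));
  return [utf8.length, ...utf8, kind, index];
}
// Encode a function body: size, zero local declarations, instructions, end.
function body(instrs) {
  const b = [0x00, ...instrs, 0x0b];
  return [b.length, ...b];
}

// Code section (kept separate so its offset in the module is known to the fuzzer).
const CODE_SECTION = section(10, [0x03,
  ...body([0x20, 0x00, 0x20, 0x01, 0x6d]),             // div:    local.get 0; local.get 1; i32.div_s
  ...body([0x20, 0x00, 0x2d, 0x00, 0x00]),             // load8:  local.get 0; i32.load8_u align=0 offset=0
  ...body([0x20, 0x00, 0x20, 0x01, 0x3a, 0x00, 0x00]), // store8: local.get 0; local.get 1; i32.store8 align=0 offset=0
]);

const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  ...section(1, [0x03,                             // type section: three signatures
    0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,            //   (i32, i32) -> i32
    0x60, 0x01, 0x7f, 0x01, 0x7f,                  //   (i32) -> i32
    0x60, 0x02, 0x7f, 0x7f, 0x00]),                //   (i32, i32) -> ()
  ...section(3, [0x03, 0x00, 0x01, 0x02]),         // function section: function i has type i
  ...section(5, [0x01, 0x00, 0x01]),               // memory section: one memory, min 1 page (64 KiB), no max
  ...section(7, [0x04,                             // export section
    ...exportEntry("div", 0, 0),
    ...exportEntry("load8", 0, 1),
    ...exportEntry("store8", 0, 2),
    ...exportEntry("mem", 2, 0)]),
  ...CODE_SECTION,
]);

const instance = new WebAssembly.Instance(new WebAssembly.Module(MODULE_BYTES), {});
const { div, load8, store8 } = instance.exports;

// Call an export and report whether it completed or trapped
// (a wasm trap surfaces in JavaScript as a WebAssembly.RuntimeError).
function run(fn, ...args) {
  try {
    return { trapped: false, value: fn(...args) };
  } catch (e) {
    if (e instanceof WebAssembly.RuntimeError) return { trapped: true, value: undefined };
    throw e;
  }
}

// Assumed layout: a 16-byte buffer at address 0, then a one-byte "secret" at 16.
// Each store is bounds-checked only against the end of linear memory (64 KiB),
// never against the buffer, so copying 17 bytes silently overwrites the secret.
function overflowDemo(copyLen) {
  const SECRET = 16;
  store8(SECRET, 0x42);
  for (let i = 0; i < copyLen; i++) store8(i, 0x41);
  return load8(SECRET);
}

// Deterministic xorshift32 so a run is reproducible from its seed.
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => { s ^= s << 13; s >>>= 0; s ^= s >>> 17; s ^= s << 5; s >>>= 0; return s; };
}

// Toy structure-aware mutation fuzzing of the validator: overwrite one byte inside the
// function bodies and ask WebAssembly.validate whether the mutant is still well-formed
// and well-typed. validate() must return false for bad input; throwing would be an
// engine bug, which is what the "crashed" counter tracks.
function fuzzValidator(iterations, seed) {
  const rand = xorshift32(seed);
  const bodiesStart = MODULE_BYTES.length - CODE_SECTION.length + 3; // skip id, size, count
  const stats = { tested: 0, valid: 0, invalid: 0, crashed: 0 };
  for (let i = 0; i < iterations; i++) {
    const mutant = MODULE_BYTES.slice();
    const pos = bodiesStart + (rand() % (mutant.length - bodiesStart));
    mutant[pos] = rand() & 0xff;
    stats.tested++;
    try {
      if (WebAssembly.validate(mutant)) stats.valid++; else stats.invalid++;
    } catch (e) {
      stats.crashed++;
    }
  }
  return stats;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(run(div, 7, 2), run(div, 1, 0), run(div, -2147483648, -1));
  console.log(overflowDemo(16).toString(16), overflowDemo(17).toString(16));
  console.log(run(store8, 65535, 1), run(store8, 65536, 1), run(load8, -1));
  console.log(fuzzValidator(500, 0xdeadbeef));
}
```

Two things worth noticing when running it: the division traps are real traps (divide by zero and INT_MIN / -1 both raise a RuntimeError rather than returning a value), while the buffer overflow is not a trap at all, because the only bound the VM enforces is the edge of linear memory; and a negative address from JavaScript wraps to a large unsigned i32 and traps, which is the same check that stops the 65536 write. The mutator is deliberately byte-level; a real structure-aware fuzzer would mutate at the level of sections, instructions and immediates.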

I hope you will enjoy and learn a lot!

Testimonials

Learned a lot from the training. If you are interested in auditing wasm modules, this is the course for you!
Anonymous
A very well designed training with tons to learn. Most importantly the guidance and workflow from Patrick makes this training a must have when entering the Wasm space.
Georgios.D
The training was enjoyable and informative.
Anonymous
Great training, covering a lot of information from beginner level and then building up slowly to advanced stuff. It was interesting to see that old problems such as buffer overflows, format strings etc. become relevant again with WebAssembly. Although there was a lot of new stuff for me (I didn't know anything about wasm before), I wish the training went even more in-depth in the last topic - fuzzing.
Adrian.T

Patrick Ventuzelo

Patrick Ventuzelo is a French independent security researcher specialized in vulnerability research, fuzzing, reverse engineering and program analysis.

Patrick has found hundreds of bugs using fuzzing and developed the open-source security tools Octopus and WARF.

Patrick is a regular speaker and trainer at various security conferences around the globe, including REcon, RingZer0, ToorCon, hack.lu, NorthSec, SSTIC, FIRST, Microsoft DCC, BlackAlps, etc.