WebAssembly: A New World of Native Exploits on the Browser

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

before we get started if everybody could please raise your hand either hand works all right come on let's go all right so anyone who didn't follow the seeding instructions please lower your hand all right all right still looking pretty even I would say between people who know web and people who know native so that means as we go through this yeah put your hands down please we'll probably give a little bit of remedial education on both sides of the house just so people who only know web aren't lost when we're talking about see stuff people will only know see aren't lost when they're talking about web stuff so I apologize if any of this is review for you all right so I'm Justin this is Tyler we're here to talk about web assembly so our talk today is not about how to like break out of the browser and web assembly or use web assembly type bugs to end up exploiting things in the browser that talk was Natalie's talk and if you're interested in that you should go see it three hours ago it was a really great talk and maybe you can catch the recording of it later but we're only going to talk about the application security side of that so if you are a web developer who is trying to implement some new web assembly things into your existing web site what kinds of security problems could you cause and you need to worry about as an attacker when you're looking at a web page that includes web assembly what can we use that for from an attack perspective so that's what we're looking at in this talk so in order to do that we have to talk about how web assembly works and some other kind of introductory tooling stuff so you can understand later on when we go into the different exploits what's actually happening under the hood so if you saw a Natalie's talk this morning that part will be review but then the other stuff should be pretty fresh at the same time so in short what wasum does is it allows you to take code written something else we're gonna only talk about C code here but you could do anything compile it and then take that binary and run it in your browser what that gives you for one you didn't have to rewrite that code in JavaScript and two it's much faster than new the same thing in JavaScript so you can see here web assembly on the Left getting 30 frames per second at face recognition JavaScript on the right getting 2 frames per second so much faster there's a lot of different things that it's being used for right now I'm only going to highlight a couple of these right now the archive.org has this really cool thing where you can go play old console games and old arcade games on their web page they do this by they didn't like a rewrite and assembler or re-implement the games in JavaScript instead they used web assembly to compile an existing emulator that already knew how to emulate those games throw a little bit of wrapper code around it probably more than a little bit to handle the display and control some such and then they can run all these games that already had previous emulators other thing here that's going to be interesting to this audience is there already been scene crypto miners in the wild that have been using webassembly because it's much faster so you can mine more coins webassembly isn't just about the web though there's lots of really crazy things that are kind of up and coming everything on this is kind of very early stages or experimental but it's important that you know that there's a lot more that's going to be happening soon so brow 6 is essentially implementing all of classics in web assembly so if you had a Linux program you would be able to run it in web assembly and have all the things like files and stuff work in the browser jeaious Linux takes that one step further and actually emulates an entire operating system in the browser so if you want to run a copy of a recent Linux or something like Windows 2000 you can run it in your browser and it runs all with wasm runtime j/s going in a different direction is a microkernel so the idea is instead of running a whole OS somewhere you would just run this thing and all it has in it is node and wasm so then you know you can drop the whole OS and just concentrate on running stuff but that also means that it's all running and ring zero right because it's all its own curl nebula is very similar except without the node so we're just going to run wasm straight-up ring zero as its own kernel service is very interesting so instead of trying to start a new OS they're going to allow you to run web assembly things that hook into your Linux kernel so then you can directly access memory and stuff in there that's very fast sounds like a great idea mmm crane lift is actually going in Reverse so you can take a Wazz 'im program the compiled binary and then turn around and turn it into a real machine binary that would run on like x86 or arm and lastly in probably the most useful of all of these is V wasm so aetherium is a cryptocurrency that has its own language and so the idea is that you can compile things with this language and then they run on the blockchain with all the stuff it's pretty interesting except that solidity is terrible and the EVM is terrible so they're working on switching it to running wasm instead so then you can write your your smart contracts in whatever language you want and then they run in wasm on the blockchain cool stuff so any of you who have been around computing since about 2001 or so may remember that we used to claim that like there's these cool things called Java applets and they're sandbox and they run in the virtual machine and they run in your browser you can write them one so you can run them anywhere and you can put them in other things besides browsers like this is all the stuff that a Java applet claimed to do 20 years ago and now we're doing it again I really wonder if there was an folks knew that they were reimplemented stuff or if they are surprised that this is actually happening all right onto what web assembly actually is it really probably should have been called something else like web bytecode or something there's a virtual machine so don't think about like VMware more like a JVM so a special purpose machine that doesn't really exist but we're gonna emulate that machine and it has a very specific set of instructions it's a very small set and then there's a binary format that's the instructions for this machine are in and we have compilers that can compile it can target that new virtual machine so then you can have code that was written in other things and compile it to webassembly where it will run way faster than javascript it's already in pretty much every browser that people use on a regular basis but as we talked about earlier there's no reason we can't take wisdom and put it in other things as well let's talk a little bit about the mechanics of wasm so we have instructions they live in their own spot these are the machine code essentially for wasm and the machine that runs wasm doesn't have any registers so instead of registers we have the stack you don't think of the C stack that's totally separate and has to happen later this is the stack within web assembly and it replaces registers so the idea is that every operation will push or pop its values to from the stack here's a very simple example so first line it module means this is a program and the next line line - we are declaring a function called add we give it two parameters x and y and we're saying it's going to return a value all those are 32-bit in the line three we say get local X what that does is take the value of X and push it onto the stack get local Y push it onto the stack and then I 32 ad is gonna pop two values from the stack because add pop you know add takes two operands and then push back the the value of that addition onto the stack and the last line here is export what that means is that this add function will now be available to whatever it is that's embedding your your wasm system so in most cases your browser or JavaScript and web assembly doesn't have access to your computer's memory it has its own memory that gets emulated this is called linear memory it's just in its it's hosting could implement this however it wants but from web assemblies point of view it's an array of bytes integers whatever you want and it can put things in there and take them out in random access that's all I can do with it there's no way that you can see the real address that something's living in from the webassembly side you just know about the the values that are there in their indexes in that array everything in there is untight so the other piece of the puzzle here there's a few things that maybe will become clear if you're well into the sea world for starters since webassembly runs in its own space so it's not like say x86 and arm where your instructions are interleaved with your data in the means in the machines memory instead as a separate Bank of memory for instructions and a separate Bank of memory for memory of reading data so there's no way that we can have like a pointer that goes to an instruction but we write C programs like that all the time and so we need a way to implement that in webassembly they didn't made this thing called a function table so all a function table is is you can declare hey I'm gonna want an indirect call to a function somewhere and then that goes in the table the table just has numerical indexes and then later on you can say okay I want to jump to function number decide to set run time and then later it goes look set up and does that let's take a look at that in code and if you can't read this in the back I'm gonna walk through it not necessarily you don't need to really understand this to get to the rest of our talk but it is important so again we have a module we're going to declare a type of type function with a result so what we've done here is we've said we're going to have function pointers and they are going to return and answer they're not gonna have any other parameters then we're going to make this table table to any function says we're gonna make a table that has size two and an element F 1 and F 2 on line four says we're going to add two new entries to this table they're called F 1 and F 2 on line 6 we're going to declare what F 1 actually is and note that it has the same signature that we talked about before it turns an end that's all it does in this case we're just returning a number same with f2 here we're gonna actually call something so this is a function we are taking one parameter and returning one thing and in here we're gonna say get local I so get the value of the parameter pushes on the stack and then call indirect some type so now calling direct is gonna pop the thing off the stack that we just pushed which is the value in the parameter and then it's going to go look up in the function table where which function is that and then go and actually call it so just another way to show that so when you use calling direct it's gonna pull something off the stack go look up the add the value in the stack of the function table the function table knows the address of the actual thing that's going to call and that's what makes the call so everything we've talked about before this has just been about wazzing we haven't talked about the browser at all so we need to talk a little bit about what weighs amines while it's living in the browser wasm can't talk to the dom plasm can't read your memory it can't write to the screen it can't do anything on its own can't it's totally sandbox off from all that stuff if you want wasm to do anything other than spin your cpu you have to declare some imports or some exports you can the most obvious example this is functions so we declared export for the add function and then that meant that javascript could call that add function and it would run the wasm and then return the value back to javascript you can also import an export the memory javascript is able to to look at the linear memory and you can also share that Leonard linear memory across multiple running instances of wasm if you want to and the tables can also be shared across multiple instances of Azzam if you want to this means that you can do things like kind of a multi-threading thing where you've got a web worker running something and another web worker running another thing they can share memory if you need to they can share libraries if you need to by by sharing a function table so on in script in is I guess a tool chain or an SDK and it's point is to create waves and binaries for you out of other things and we're going to talk about C and C++ it's built on LLVM and clang it includes all your expected built in c libraries and it also makes it really easy to integrate your wasm that you've just produced into a webpage by automatically generating javascript and HTML for you that will handle the glue code that helps the the two pieces communicate there's a whole bunch of other things in this script and ads as well but the only things that we're going to talk about here are these two things called EMA SM and in script and run script those are both two different ways they're slightly different but the idea is that you can use those to run arbitrary JavaScript from inside wasm that's going to be really important later for some of the tricks we're going to do if you want to know more about in scripting Azzam since Natalie's talk is over and you can't go see that anymore you can go read the spec you could also this PDF here is does a really good job of like if you're a reverser and you want to know like the nuts and bolts of how the binary format works it does a great job of running through what a webassembly binary looks like and how it all works I wish I had that PDF before we started doing this research so we're gonna talk about old exploits and I have a lot of choice vintage well-tested memes to go along with these slides so we think that a format string attack will work just fine for the web people who don't know see I have to cover what a formatting attack is so there are a family of functions in C that take a format specifier where you can say okay I'm gonna have some values of some variables that go into the string and then the values get filled in at runtime the way that it works if the user can control this format specifier then the user could add in extra lookups for variables that didn't actually exist and because C loves to let you shoot yourself in the foot it just starts popping new things off the stack and putting them in the string there's also a way to write things to things because they added this percent and that lets you write so essentially what it means is if there's a user that can put in that can taint the value of the format screen specifier then they can arbitrarily read an arbitrarily right for the most part go back one we don't have a POC for this yet so you can tell me to get out later but we think that this will work integer overflows overflows are present in a lot of languages but for people who haven't heard of them if you have an integer it has a maximum value in any any programming language so if you do an operation that would cause the value stored in that integer to be higher than what the maximum value was supposed to be then it rolls around to the back again so if it's a signed type then you you end up the negative numbers if it's unsigned and you end up in a low value this is important for one because you might be if this was a value that was like your bank account you can flip it over or you know withdraw something that you shouldn't been able to do things like that but also it's a gateway sometimes to buffer overflow exploits because you can change the expected value of how long an array was supposed to be before it gets created things like that so just in this deplane sea world wasm isn't doing anything to defend you against these so if you just have a straight-up c integer overflow it's still going to work fine the interesting part here is that now we're throwing in wasm and javascript into the mix and they all have their own integer types with their own maximum values and everyone's different so I'm not going to list off all the different types and see there's a ton while some have in 32 and 64 float 32 and vote 64 javascript has two the 53 minus one so what that means is if we're sending a value from JavaScript to wasm the Weizmann value was declared as a 32-bit value but the JavaScript that we send is say two to the forty then what we've just sent in already overflowed before we even started the C and so then you know there's going to be a problem there we had a demo of this but it was boring so we didn't put it in you could also overflow in the other direction so if the the wasum was too big for what we returned back to Java then you could have the same problem once it gets back to the JavaScript but for overflows so again for people who are web people a buffer overflow happens because C doesn't check the bounds of memory when you have an array and so if you tell it to write more things than there is space in the array it just keeps writing through into other things in memory this still happens perfectly fine in wisdom you're not writing in kind of regular memory you're overriding things in that linear memory so whatever was in there we can continue to overwrite the kind of simple case for this is if there's a value of memory that you wanted to change because it means something important in the context of the application so there's something like a privilege level your account balance or whatever if we can find a way to overflow into those then we can change those values which is useful the other thing that these normally are used for in C is to run arbitrary code now running arbitrary code and lazarum is much harder because we don't have these function pointers and return pointers and all these other things that we can try to override and then put our code furthermore we can only do this in linear memory which is never executable so we can't like write some executable code and then jump to it so we need some other things to do we'll talk about that later if you try to go past the bounds of linear memory like in to something else that the browser would have it's supposed to give an error I think Natalie's talk talked about a few cases where that wasn't actually the case in a browser implementation but from a generalized perspective it's supposed to work fine with all that being said there are still some interesting things we can do with buffer overflows that get us some interesting kinds of code execution we'll talk about that in a minute okay I have a pretty simple demo here which is an end of the most basic type of buffer overflow so here on line 6 we're using this a.m. underscore J s which we talked about earlier and this is allowing us to actually define JavaScript inside of our native code so here you can see that we're we're creating a function called overflow alert and we're saying that it's void it takes no parameters and that it just creates an alert box that says overflow and then here in our main function we've got two buffers one is ABC one is once three and then here we've got a string copy when we're putting way too many bees into this bought one and then if then we're going to check the value of both zero so if both zero is ABC then this string compare is going to return zero and nothing is going to happen if there is an overflow and it's not ABC anymore then the string a pair is going to return some value and if it does then we're gonna get this overflow alert box so if we see the overflow alert box that notifies us that there was an overflow so I can go into my virtual machine and our gonna use em script ins e/m run which allows us to just sort of like it's kind of for like testing code you can it's a basic web server kind of a thing and we can just run our boss zero dot HTML file which we compiled with um script in and see if we get our alert box and we got it overflow all right so there are way too many different types of bugs and see for us to cover all of them we'll just briefly cover the rest of the existing sea bugs and kind of give us give you our take on whether we think they're gonna be useful or not from an attackers perspective so talk to race conditions that stuff should all be just as before with the caveat that threading is not very mature in wasum yet same story with timing inside channels we think that heat based arbitrary writes will also work in the context of linear memory we don't have a PSC for that either things that won't work are your classic buffer overflow where you jump back to the code you put in things like rock won't work because we can't arbitrarily jump to places in memory and as it's supposed to work you shouldn't be getting any information from the browser for example when you declare your memory it's supposed to be all zeroed out when it gets to Assam so you can't expect to you know lead on initialize memory and get something interesting there onto the new exploits and Tyler assures me that all the memes we have here are really fresh and everyone in the 15 to 25 demographic will get it off to XSS so let's talk about XSS for a minute since we gave the all the web people that remedial see stuff we have to do the other way to XSS means that we're running arbitrary JavaScript in the content in the context of a webpage now if you're not that familiar with web stuff you might think oh big deal I made a pop-up or old big deal I can steal a session token' those things are things you can do but what XSS really means you can do is you can control everything that that user could have done and a lot of things that maybe they didn't even know they could do in the context of that website where you got XSS so if it's a bank and I get XSS I could use all the functions to transfer money out if it's a social media account and I get XSS I could post social media stuff on your behalf I could change your password etc etc so XSS is a real thing and in the webassembly world that's actually even more important because the javascript has the ability to read the linear memory that it's allocated it has the ability to start and stop as Amit has the ability to modify wasm code I don't think you can modify it when it's running but you could stop it and then restart it with your new modified version so you should never consider that code that's running in wasum is somehow protected from the browser if someone has XSS they'll be able to do anything they want to the one that's running in addition to anything they want to the rest of that site No let's go back so now that we know what XSS is let's come back to what it means to do buffer overflow here so if there is an array that is written to the Dom and we have an overflow somewhere and we can overflow the value that would have been written to the Dom then we have xs/s pretty much all there is to it we used to be our first demo of this stopped working like halfway through our research and we were really worried but it was because we were overflowing a literal which normally is really hard to do and they moved we're literals go in an updated version of the script and I think to go below us in the stack and so we couldn't overflow it because we can over only overflow up other interesting thing here is that your typical way to find XSS is to look for reflection so I put in an input in some webpage and then I look to see if that gets reflected that same input that I put in comes out somewhere else and then I can try to see if I can manipulate that to run JavaScript we can do XSS without any reflection here because we're actually putting in a value somewhere over here using it to overflow something that shouldn't have been over shouldn't have been writable by the user and then that's what actually causes the XSS okay so I have another another example here for how we can use this buffer overflow the XSS concepts so for this for this example we have this ba function which the extern keyword is going to let us call it from JavaScript and this function is going to take two parameters it's gonna take p1 and p2 both of which are just character pointers your character is and we've got two character arrays both 1 and both 2 both of which are 16 bytes long and then we've got to unsafe string copies from p1 at the path 1 ptoo in the bath - and then here we're using this EMAS em again where basically we're just getting this element by ID we're getting an element called SS X and we're setting the innerhtml to this pointer stringify function the pointer stringify is going to take like an index into linear memory and it's basically going to turn that into a string and it takes these two parameters 0 1 1 which are defined here which is both 1 and the length of both 1 so essentially what we're doing is we're taking p1 copying it to both 1 and then we're taking pop one and we're printing that directly to the dom and here in my example page yeah so here's what the the code is gonna look like from the JavaScript side of things and the reason why this can be especially dangerous this you are calling our Bob function and here we've got a static string which we're passing in as p1 and some user-defined string as p2 and a developer is thinking to themselves I'm putting a static string in here it's totally safe I don't have to do any kind of encoding I don't have to do any kind of sanitization I wrote that string I know what it's going to be but because there's an overflow in the code we can take this string with user input so we can see here when we smash our like button we see our static string is written to the Dom we can put in a couple of days and nothing happens we can put in the cup of Morris and we can see that now we're actually starting to write user input over to the Dom and now we can go to the end of our thing and we can try to make some kind of a XSS payload see if I can do this right without messing up and we got Xbox all right so that's kind of basic still cool but not that technically interesting we know we can overflow values the reason we went over a bunch of details about how function pointers work is because we can do some interesting things there too so we know that function pointers in Wazza mark really pointers they're integers to this table that does the lookup and we know that when we use the calling direct stuff to execute a function pointer the that's going to pull it a variable get the value go look up from the table what to call and then call it now we've just shown you that we can modify what's in a variable view and overflow so you should be able to guess what comes next in scripting when it adds things that you're using it puts them in the function table so if you used in script and run script in your program for some benign purpose it's going to be in that table so we can call it dynamically as well it has a signature it returns nothing and it takes that's supposed to be Const car but keep in mind that this is wasum and wasum only has four types so really that's integer so and then when it takes whatever string is pointed to by that and executes it so if we can find a way to pass whatever we want to this function then we win we get XSS again in order for this to work there's a few things that have to hold so it has to be used in script and run script has to be already in the program that we're wanting to to attack that means it's in the function table there has to be a function pointer somewhere else in the program that has the same signature as on script and run script so returns nothing takes one in parameter and we have to be able to somehow overwrite that function pointer we're gonna show you about for overflow any other trick you've got that can arbitrary arbitrarily rewrite some value will work okay so here we have another example of yeah it's a good meme right we have another example for our overflow this look okay yeah this looks pretty good okay so the the scenario here is we've got some kind of a file processor which is going to take a file and it's going to run some kind of a processing algorithm on it so we have this file processor struct and the struct is going to have a character array of 64 bytes and that's gonna represent the file that we're uploading it's got a file length and then it's got a function pointer for the processing algorithm because you know say there's a couple of different processing algorithms that we might want to try to run and so this is going to let you dynamically choose between which processing algorithm you want here we have our trigger function which is just going to call the processing algorithm and it's going to pass the file to it so it's just gonna call that function pointer and here we have our machine learning blockchain processing algorithm the next iteration is going to be IOT it's a pretty cool start if you guys should check it out yeah and so here in our in our function that we're exporting the overflow we're declaring a file processor we're setting the algorithm to our machine learning blockchain algorithm and then here we're doing a mem copy from the payload which is just the parameter to this function into the file and then as you can see we're mem copying 88 bytes whereas the file is only 64 bytes so this is a pretty classic buffer overflow and then here this is important we have in script and run scripts which is in this case it's just saying that oh there's some kind of a log which is saying congratulations you uploaded the file correctly but this has to be in here because this is putting it in the function table and then finally we're just going to call our trigger on the function pointer so we have a payload which we're going to this is the file that we're going to upload so we're going to have alert XSS and then we're gonna be filling in some some spaces just to fill out the rest of the 64 bytes and then here we're filling out the rest of the struct we're filling out four which is going to be the file length we're filling out this is the integer five now as Justin may have mentioned earlier the file the the indexes in the function table are constants not just across execution all right but across compliation so I've compiled this on three different machines and every time the index of em script and run script is index five so five is the index of M script and run scripts and so hopefully the our function pointer over right instead of calling the machine learning algorithm that we wanted it's going to call it scooped and run script and it's going to pass a load to it so here we have another example where we can choose our file and that one cross your fingers for the demo gods and we got excess blocks so more details about this there's no reason we have to go for the xs/s here we could instead have used this to call some other function that was important with values that we wanted so if there was a function to change my password or something like that we could call that and then give it the values we wanted to then do what we wanted it to do we can do this to anything that is in the function table and is you know has the right signature that is something we can overflow to so jonathan foot if you're in here raise your hand no okay so he made a blog post he works for fastly that talks about some very similar techniques he was doing instead of using buffer overflows to make his overrides he was doing it via like type confusion or deserialization type bugs but it's the same endpoint so he's using those kinds of tricks to end up with a function pointer that calls something he wanted to call instead of what the program was originally gonna call looked like he was doing it about the same time as we were so I know that all you see people don't care about XSS even though I tried to explain how important it is so we had to give you some RC here right so if the server is running node and you do the exact same thing we just showed you then what is XSS mean and node it means RCE so we should be able to run whatever we want on the server if we have the same policy in place alright last example it's the exact same file processing that we have before only now this the the payload is slightly different instead of an XSS payload now requiring we're requiring a child process and we're going to be executing some application of our choice and the rest of it is identical so we're gonna go over to my virtual machine here see you got this one this one and we're gonna just run our node server go back over here hopefully this is still the same IP address nope let me try and come in together there we go okay so here's a file upload so we're gonna choose a file but now we're we're not just running this locally in the browser we're loading this to node and nodes going to run it upload a file and demo gods we're not kind to us gonna try this one more time if this is work I have a recording of it working this one yeah all right so now you guys have seen some cool bugs let's talk about what we can do about it so one thing we can think about is are there things that in script and could add to make everything more safe so there are things that are kind of out of their scope so for example it's not doesn't really make sense for them to look at things like NX and stack Canaries and things like that even though those are valid see mitigations they don't really apply in the Western world because the code and the data are already not interleaved some protections they could add something like address space randomization so when we put things in the function table the order that they are in there is determined at compile time which is bad from its curve perspective because it means that your exploit will always work except when it doesn't like but it should always work so there is no reason they couldn't make it so those values there was a much larger set of values to choose from and they are randomly determined at runtime then you wouldn't be as easily able to mess with function pointers in the way that we're showing it would be nice to also have some library hardening I don't know that anyone uses percent and in format strings anymore it looked like the heap implementation that's being used is kind of an older heap that doesn't have a lot of keep mitigations in place so there's some improvements that could be made in inscripted things that work really well control flow integrity so if you're not familiar with control flow integrity there's a switch you can I think it's clang or LLVM not sure where it happens but you can turn it on in there at compile time and what's going to happen is it kind of generates a mapping of all of the possible flow States between different functions in the program so these are all the things that could ever happen and then if at runtime you are off the map it just crashes so if you turn that on our function pointer tricks won't work anymore [Music] the other thing that's effective here already is the way that wasm works to not allow us to jump into arbitrary things it means that there's no way to do something like Rob the best we can do is call individual functions one at a time so we spent a lot of time researching this and then found that buried on the security page of the web assembly design specification in the third paragraph in the fourth section like they talked about oh and by the way we probably didn't protect against this and this and this and this of this almost everything we just talked about in this talk the web assembly people did talk about and say yeah we probably didn't defend against these it would be nice if they made this much more obvious instead of a buried paragraph that's so long and wordy like a nice bulleted list of you still need to fix all of these kinds of C issues this is so I'd love to see them fix that if you're an application developer and you want to try to make your code safe the first step if you cannot use in script in run script you will be much better off if you have to use it you have to use it but just like any language where you have something that's like eval like you want to avoid that if at all possible even if as we've shown even if you don't have a user tainted way to get into it if there's an overflow we can still call it if you don't use it in your code we can't call it and so then it's not useful as attackers the optimizer so sometimes when we would do things they wouldn't work and why did my demo stop working oh we compiled it with the optimizer turned on which changed the way everything worked in in some cases it removes functions or in lines number I don't even know what's going on but there's a lot of times when we turn the optimizer on all the way some of our stuff doesn't work anymore so turn on the optimizer it's not on by default but use it when you compile control flow integrity we talked about how that works there's a performance penalty when you turn that on but depending on what you're doing maybe you can handle that maybe you can't but at the end of the day even if you do all those things there's still plenty of sea bugs that are going to work just fine on your web assembly code so you still have to fix those things as an attacker if you find one of these and you want to do something interesting we'll look forward script and run script cuz that's where you're gonna have the most fun if you don't see that you can use overflows you can use other things that allow you to write arbitrarily to over right values and in the function pointers cases you can overwrite interesting things there if you get XSS you can turn back around and modify what the wagons gonna be and even if there's no XSS because they didn't use encrypt and run script for example then you should still be able to modify things in memory that are useful to you and then if you're talking about node then all these tricks turn into RCE we have a whitepaper security chasman Azzam went in my Brian Tyler Jeff and myself blackhat site has kind of the version 0.9 we have a couple more things we want to finish and when we do we'll put that on the NCC website so I'm Justin this is Tyler thank you for coming if you enjoyed our talk please fill out the survey if you didn't employ enjoy a talk please don't fill out survey our speaker liaison has told us that we don't have to go to the Rapp room because it's lunchtime so we can just take questions here until we're done questions yes yeah sure so if I wanted to debug an x86 program I'd use like all of your eider or something but would I use for web assembly there's actually really good debugger support in browsers now so both Chrome and Firefox if you go into developer mode sorry repeat the question you wanted to know how to debug this stuff if you go into developer mode you can actually see all of the web assembly instructions in S format which is what we were showing a mess and you can like step through you can set breakpoints all that stuff in chrome you can actually see the values that are on the stack at any given time it's pretty cool works really well thank you yeah what would you want people implementing other programming languages on top of web assembly to know or do you think of that I could only hear half of that a little louder sorry what would you want other people implementing other programming languages than C on top of web is holy what would you want them to know or include okay so if your if your language is already memory safe then we've like a lot of the things that we talked about aren't really going to apply you need to think about all the existing known vulnerabilities in the language that you have in its kind of base form and then for each one just think about how does this apply to the architecture of web assembly is there something about web assembly that makes these vulnerabilities not work anymore is there something that makes them more prevalent because of whatever is going on I think things like the serialization will probably still be an issue I don't know if there's something as a language developer you can do about that but it'll be interesting to think about it's not something I've thought about yet Thanks Thanks yeah I I'm totally missed during your demo when you're uploading the file are you just reading the file contents into that proper yeah we were copying the file contents what they do it into a string yeah after we're done up here if you want to see the code we can just show you thank you hi great talk maybe I missed it though a little louder no maybe I missed it yeah but what happens when you go pass the local variables like what do you overwrite an in your memory or can you can you even do that so the locals can be overwritten I think I can't remember how well it depends on the compiler so each one is gonna be a little bit different in how they implement the various like data structures and stuff and see but there are other things like outside of your local variables that could be potential targets depending on the the compiler yeah so like we mentioned we earlier we were able to overwrite literals which normally like in other languages usually you can't do that because there's somewhere else right but because of the way they was laid out at that time it was working because we could go find it now it doesn't work so a good place for you to start would be to look at that PDF that we linked because that lays out they have the entire file format as it exists currently and like where the different sections are and how they work so that would be a good place to think about that but at the end of the day a lot of that stuff is only in the web assembly instructions section and so you can't get to it from linear memory because lean memory is the only thing we could overflow so I wish I had a better answer for you but the answer is one it depends - it's probably gonna change and three there could still be interesting things like that we don't know yet right so does that also mean that there's a point in having some kind of stack Qunari equivalent potentially as in you know you would want to have boundaries between your various linear memory pieces or sections yeah maybe I don't know how hard that would be for them to do but yeah there's maybe you also have to keep in mind that we're doing web assemblies supposed to be really general and so maybe something we do for that works well and see but then it's gonna make it harder for them to do things about the languages so thanks all right no other questions thanks sweet thanks guys appreciate it [Applause] [Music]

Info

Channel: Black Hat

Views: 4,057

Rating: 4.8130841 out of 5

Keywords: Black Hat USA 18, Black Hat 2018 Briefings, Black Hat USA 2018, Black Hat Briefings, Black Hat USA, Black Hat Briefings 2018, Black Hat, BlackHat, BlackHatUSA

Id: DFPD9yI-C70

Channel Id: undefined

Length: 45min 20sec (2720 seconds)

Published: Tue Jan 14 2020