Vulnerability Analysis of WebAssembly Binaries

Abstract

The evolution of web technologies has brought forth innovative coding structures, among which JavaScript and WebAssembly stand out prominently. This paper presents Wasmosys, a state-of-the-art source code analyzer designed to generate and unify Abstract Syntax Trees (ASTs) for JavaScript and WebAssembly code. It aims to pave the way towards advanced vulnerability detection and mitiga tion in these modern web environments.Wasmosys tackles two major challenges: creating a seamless combination of separate ASTs and standardizing AST labels for JavaScript and WebAssembly. The system comprises four primary modules. The first two modules, written in JavaScript and C respectively, generate ASTs from JavaScript source files and WebAssembly Text (WAT) files. The third mod ule constructs a unified AST from the generated JS and Wasm ASTs, and the fourth module, a connector written in python, links the system with a Neo4j graph database hosted in a Docker container.Despite its capabilities, tested on a limited version of WasmBech, Wasmosys currently presents certain limitations, including the use of AST over Code Property Graphs (CPG), manual AST uni fication, and constraints in the experimental dataset. These limitations serve as insights for future development, hinting at the prospect of an even more robust and accurate tool for JavaScript and WebAssembly code analysis