
The Dark Side of WebAssembly (2018) - walterbell
https://www.virusbulletin.com/virusbulletin/2018/10/dark-side-webassembly/
======
dreae
This has to be some of the thinnest gruel I've read in a while. The entire
premise of the article is that the "dark side" of WebAssembly is that
"security" products can't do string matching against compiled code.

Case 1: People can write scams that "security" products can't block because
WebAssembly somewhat obfuscates the code. The comparison to scanning WASM in a
"security" product is like opening an executable in a text editor is
laughable.

Case 2: People can write website keyloggers in WASM and it will be obfuscated
against "security" products. Alternatively the bad guys could just obfuscate
plain old JavaScript, or any number of other techniques to exfiltrate data. If
people are executing malicious WASM on your website you're already owned.

The only one of their points that has any merit is that WASM implementations
increase the attack surface of the browser. This is ostensibly true, as do all
new features. Fortunately the major browser vendors have competent engineers
dedicated to testing their software for vulnerabilities.

~~~
cryptica
I disagree because obfuscated JavaScript would already be suspicious as it is
not that widespread as an industry practice. The standard industry practice
for JS is minification, not obfuscation; so you can still see what functions
are called and any developer can quickly identify if there is a suspicious
looking AJAX request to a strange URL.

With WASM, you can't see anything. It's a complete black box. It's a lot
easier for a hacker to hide stuff from users. It's easier to sneak in
malicious code and it's harder to identify and remove it.

~~~
bexsella
Minification is a form of obfuscation, and a lot of libraries and commonly
used scripts are purposely completely unreadable. show_ads.js, for example, is
nonsense, so it's not unreasonable for a hacker to sneak into ad code, insert
some dubious lines of code that do more or less anything they'd want. There
are easy ways to mitigate this for sure, but it doesn't seem that WASM makes
this point worse. Surely you could just as easily spot an AJAX request from a
strange URL while utilising WASM too?

------
aurelian15
As others have pointed out, this article is not very convincing. I don't agree
with the point that WASM is somehow more suitable for nefarious purposes than
obfuscated JavaScript. I suppose that if anything, the execution model of WASM
is much simpler than that of JS and it should thus be much easier to analyse.

> This prevents the user from escaping the scam by pressing keys like ESC or
> the CTRL+ALT+DELETE combination, or others as shown in the table.

The part about CTRL+ALT+DELETE is just nonsense. This key combination is
directly handled by the Windows kernel and cannot be captured by a user space
application. Hence the "Press CTRL+ALT+DELETE to login" prompt. [1]

[1] https://en.wikipedia.org/wiki/Control-Alt-Delete#Windows

------
IvanK_net
You can make 90% of people afraid of XYZ, if you write a sufficient amount of
text "explaining" how dangerous XYZ is.

~~~
rubbingalcohol
But arguably Webassembly is also dumb and has no reason to exist, so there's
that on top of it being a great way to obfuscate malicious code.

~~~
Pigo
Running Unreal Engine in the browser, in any browser, is pretty cool. I think
there's going to be a lot of interesting use cases for it.

~~~
AnIdiotOnTheNet
Cool? Maybe if one fetishizes overengineering and abstraction layers.

------
swiley
Meh. You can’t use _string search_ to find patterns in wasm files per se. You
can look for byte equivalence in functions (or whatever they’re called in
wasm.) Thinking of wasm as compiled machine code isn’t quite right (IMO) as it
more closely resembles a serialized abstract syntax tree.
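
(Added example, not part of swiley's comment or of the linked article: a sketch of the per-function byte matching the comment above describes, walking the sections of a WebAssembly binary and hashing each function body in the code section. The function names and the sample module are constructed for illustration.)

```python
import hashlib

CODE_SECTION_ID = 10  # section id of the code section in the binary format

def read_u32_leb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next position)."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("truncated or oversized LEB128 value")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def function_body_hashes(module):
    """Return the SHA-256 hex digest of each function body in the code section."""
    if module[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a WebAssembly version 1 binary module")
    pos, hashes = 8, []
    while pos < len(module):
        section_id = module[pos]
        size, pos = read_u32_leb128(module, pos + 1)
        end = pos + size
        if end > len(module):
            raise ValueError("section runs past end of module")
        if section_id == CODE_SECTION_ID:
            count, p = read_u32_leb128(module, pos)
            for _ in range(count):
                body_size, p = read_u32_leb128(module, p)
                if p + body_size > end:
                    raise ValueError("function body runs past code section")
                hashes.append(hashlib.sha256(module[p:p + body_size]).hexdigest())
                p += body_size
        pos = end  # skip every other section unparsed
    return hashes

def match_known_bodies(module, known_hashes):
    """Return indices of functions whose body hash is in known_hashes."""
    return [i for i, h in enumerate(function_body_hashes(module)) if h in known_hashes]

# Constructed sample module: two functions returning the i32 constants 42 and 7.
SAMPLE = bytes.fromhex(
    "0061736d01000000"            # magic + version
    "0105016000017f" "0303020000"  # type section, function section
    "0a0b020400412a0b040041070b"  # code section with two bodies
)
```

Exact body hashes are brittle: a `call` instruction encodes a function index, so the same source function linked into a different module can produce different body bytes.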

------
A4ET8a8uTh0
I dislike webassembly, but I dislike the direction web is going in general.
Everything has to be hidden away from user; you have less and less control
over what is happening unless you take active steps to rein it in.

OTOH, I really do not understand why such technology is needed. Mom and pop
store needs smooth unreal engine to show their virtual store?

Can we at least use that technology for something beneficial long term ( say
distributed websites )?

~~~
rvz
> OTOH, I really do not understand why such technology is needed.

Well, let's ask the majority of the W3C Members which are mostly made up of
for-profit companies and most develop closed-software. I can tell you that
they are going to use WebAssembly for whitebox-cryptography due to its black-
box nature of binary code which also introduces it to unwanted DRM features to
limit the functions of content of the end-user.

So we have the hype around WASM making it possible to create binary blobs of
standardised malware working on every browser rather than creating an open
web. Seems like these companies were only cheering this on due to it advancing
the state of DRM which we will also win free malware-enabled WASM too.

Great job guys! One step closer to being worse than Flash.

------
seph-reed
While from a security standpoint, this is kind of silly, I still am not really
a fan of just how far off from the source code WASM is. I don't really like
minified js either... the gains are pretty minor (so much less than proper
tree-shaking) and the only real gain is obfuscation... which is really only a
gain for selfishness.

------
0xdeadbeefbabe
WASM isn't as popular or useful as we hoped it would be at this point, that's
the dark side.

