
Is WebAssembly the New Adobe Flash? - craftoman
As we all know, every Wasm program is considered closed source software just like Adobe Flash apps and for some reasons I&#x27;m getting a little spooky because compared to JavaScript everything looks transparent, even with obfuscated scripts I personally can still understand how everything works and can easily detect malware inside every codebase. Now WebAssembly is like Flash and I think everything will get scarier because you can&#x27;t see what&#x27;s under the hood and many companies and hackers will try to exploit things just like Flash apps and even the most paranoid developer somehow will not detect a hidden malware. Is it just me or dark ages are coming on how we build web applications?<p>Edit: I forgot to mention that 3 of the 4 companies involved are closed source lovers. Don&#x27;t get me wrong, last time I checked Android and Chrome were partially open source and you don&#x27;t have actually full control of everything.
======
afiori
The problem with flash/Java was not that much that the apps were closed
source, but that the interpreter was closed source and buggy.

In particular from an attacker standpoint the attack surface of wasm is the
same (actually smaller) as that of Javascript.

From the point of view of obfuscated code that wasm is worse than javascript,
but I am not so sure that it is so much worse than C compiled to asm.js (that
had to simulate arbitrary pointers anyway)

All in all for now the main malware using wasm are crypto mining bots.

As an update: The problem with closed source on the web is in great part that
SaaS providers can circumvent GPL (which is the reason the AGPL was created)
not particularly the fact Javascript can be obfuscated

~~~
craftoman
Yeah but from a hacker's perspective, isn't Wasm easier to plant a malware
inside a binary file compared to JavaScript? I remember back in the days,
flash was scary because of that and some malware was embedded inside the swf
because analysing was painful.

~~~
afiori
That is a sandbox issue; obfuscating Javascript can get to really advanced
levels.

If I remember correctly Google's reCaptcha work by interpreting encrypted
instructions on an also encrypted interpreters that is Just-In-Time-Decrypted.
Also it is entirely possible (and easy) to fully write an interpreter for wasm
in Javascript. From an explot perspective literally the only thing that wasm
provides is performance (hence the crypto bots).

The reason for vulnerabilities in Flash and Java was that the plugins were
running in a different non-sandboxed (or badly sandboxed) process. The
inability to inspect the Flash/Java binary was only relevant because of the
many many bugs and exploits available in the runtime.

The reason being that both Flash and Java (and every other plugin) provided
functionality completely absent in browsers (one example was the ability to
open system-level network connections), this functionality was not sandboxed
enough.

From a security perspective it was almost close to running `make install`
instead of `ls` on a random project from github.

The reason people are confident in wasm security model is because it is almost
implemented as a Javascript function that just manipulates ArrayBuffers.

There are currently proposals on the way to actually increas the reach of wasm
code and allow a deeper level of interaction with the host environment, but
(with the exception of threads) they all only offer functionality already
exposed to Javascript

~~~
afiori
But to actually answer your question, yes, wasm is easier to obfuscate than
javascript

------
JohnFen
I share your worried about WebAssembly, which is why I won't use it.

