| WebAssembly is a novel low-level language, binary instruction format, and compilation target that runs in web browsers or other forms of JavaScript virtual machines. It aims to provide fast, efficient, and near-native performance for web applications. Developers can use high-level languages such as C++ and Rust to write more complex web programs and then compile them to WebAssembly targets. WebAssembly security mainly comes from the JavaScript security sandbox, which runs code safely and reliably on browsers and other platforms through strict separation of code, data, and control flow, as well as enforced type checking. However, these security measures cannot completely mitigate vulnerabilities from unsafe languages, which can be transferred to WebAssembly programs after compilation. In addition, due to the limitations of the instruction set and virtual machine, WebAssembly cannot fully support the security features of high-level programming languages, and the lack of these security features exposes new vulnerabilities in programs compiled to WebAssembly, providing new ways of attacking web applications. To explore the similarities and differences in the support of security features between WebAssembly and other high-level languages, this paper collected relevant real-world vulnerabilities. Based on the different techniques used in exploiting the vulnerabilities, the paper classified them into five security features: boundary checks, type checks, lifecycle checks, control flow protection, and thread safety. It then compared the support of WebAssembly and the high-level languages for these security features and their defense capabilities against the related vulnerabilities, using four languages (C, C++, Golang, and Rust) as comparative objects. This paper prepared three cases that explain how vulnerabilities in high-level languages can be ported to WebAssembly and the new risks introduced by the lack of security features in WebAssembly. To measure the extent of the differences in security features between WebAssembly and high-level languages and their impact on real-world programs, this paper designed and implemented "Wannassem", an automated vulnerability detection system for WebAssembly programs based on selective symbolic execution. Wannassem implemented a minimal viable WebAssembly interpreter for mixed execution and extended its lifecycle maintenance capabilities. Wannassem designed seven types of security constraint conditions for WebAssembly's missing security features and proposed a method for completing boundary checks based on lifecycle checks. This paper evaluated the performance and detection effectiveness of Wannassem on a public dataset. Across a total of 8461 samples, Wannassem performed better than similar solutions when processing large file samples, with a lower total processing time. Wannassem found that about 20.82% of the samples had vulnerabilities, with the most vulnerabilities caused by the lack of boundary check features, accounting for 66.78% of the vulnerable samples. The experimental results showed that relying solely on the JavaScript security sandbox is insufficient to ensure the security of WebAssembly programs, and the developer community still needs to provide more comprehensive security features for it. |
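
The missing boundary-check feature the abstract singles out can be seen with the standard JavaScript `WebAssembly` API. The following is an added example, not code from the paper or from Wannassem; the hand-assembled module, the 16-byte buffer, and the adjacent flag byte are a constructed layout chosen for illustration.

```javascript
// Constructed module: exports one 64 KiB page of linear memory as "mem" and
// store(addr, value), whose body is a single i32.store8 instruction.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // magic, version 1
  0x01, 0x06, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x00,        // type: (i32, i32) -> ()
  0x03, 0x02, 0x01, 0x00,                                // function 0 has type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                          // memory: minimum 1 page
  0x07, 0x0f, 0x02, 0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,  // export "mem"
  0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x00, 0x00,        // export "store"
  0x0a, 0x0b, 0x01, 0x09, 0x00,                          // code: 1 body, no locals
  0x20, 0x00, 0x20, 0x01, 0x3a, 0x00, 0x00, 0x0b,        // local.get 0, local.get 1, i32.store8, end
]);

// Assumed layout: a 16-byte buffer directly followed by a one-byte flag,
// the way a compiler may place two adjacent C objects in linear memory.
const BUF_ADDR = 0, BUF_LEN = 16, FLAG_ADDR = BUF_ADDR + BUF_LEN;

function newInstance() {
  return new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES)).exports;
}

// Copy with no length check, as compiled C code without one would behave.
function copyUnchecked(exports, input) {
  input.forEach((b, i) => exports.store(BUF_ADDR + i, b));
}

// Same copy with the object-level bound that the sandbox does not enforce.
function copyChecked(exports, input) {
  if (input.length > BUF_LEN) throw new RangeError("input exceeds buffer");
  copyUnchecked(exports, input);
}

function flag(exports) {
  return new Uint8Array(exports.mem.buffer)[FLAG_ADDR];
}

// The only bound the VM enforces is the end of linear memory.
function trapsOutsideMemory(exports) {
  try { exports.store(65536, 1); return false; }
  catch (e) { return e instanceof WebAssembly.RuntimeError; }
}
```

A 17-byte input passed to `copyUnchecked` changes the flag without any trap, while `trapsOutsideMemory` shows the VM trapping only when the address leaves the 64 KiB page.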