WebAssembly (WA or Wasm) is a cutting-edge technology introduced last year and is currently supported on all major browsers, including Chrome, Edge, Firefox, and Safari.
In simple terms, WebAssembly is a binary code compiler integrated into web browsers to compile and enable software to run within the browser.
Changes in WebAssembly may slightly mitigate the impact of Meltdown and Spectre attacks
Browser developers crafted WebAssembly to enhance the distribution speed and performance of JavaScript code. It also provides a way for developers to compile code from higher-level languages like C, C++, and others to Wasm, enabling it to run in browsers.
WebAssembly also introduces unintended consequences
Similar to other technologies, WebAssembly has its limitations and is not completely immune to abuse. Detecting cryptocurrency miners on browsers (cryptojacking scripts) can be achieved by integrating WebAssembly in major browsers, as all in-browser miners operate on WebAssembly, not pure JavaScript.
Additionally, Forcepoint researchers suggest that WebAssembly may unintentionally impact web users.
Bergbom explains that when Wasm supports threads with shared memory, timed [JavaScript] triggers can be generated, potentially mitigating the impact of side-channel attacks on CPU.
WebAssembly could slightly alleviate the impact of Meltdown and Spectre attacks
To be more precise, Bergbom refers to timing side-channel attacks.
Timing side-channel attacks are a class of encryption attacks that allow a third-party observer to deduce the content of encrypted data by recording and analyzing how long the encryption algorithms take to run.
The recently disclosed Meltdown and Spectre CPU vulnerabilities, along with their variants [1, 2, 3], involve timing side-channel attacks on CPU cores.
These attacks rely on the attacker's ability to measure precise timing, a parameter needed to execute the side-channel attack and recover enough information from the encrypted data to determine the remaining part.
Browser developers addressed this issue back in January
Meltdown and Spectre vulnerabilities emerged in January this year, accompanied by researchers disclosing proof-of-concept code that attackers could use to exploit CPU vulnerabilities remotely over the Internet using JavaScript code running in the browser.
This attack code leverages critical browser functions to measure timing, such as 'SharedArrayBuffer' and 'performance.now()'.
To mitigate the impact of attacks, browser developers like Firefox and Chrome have released updates that reduce the precision of timing functions, hindering Meltdown and Spectre attacks and other timing side-channel attacks. However, the results have not been as effective as desired.
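The precision reduction described above can be modelled in a few lines. This is an added example, not code from the article or from any browser; the 100-microsecond granularity, the function names and the sample durations are constructed assumptions.

```javascript
// Added illustration: a model of timer-precision reduction (all values constructed).
const RESOLUTION_US = 100; // assumed granularity in microseconds, not a real browser setting

// Round a raw timestamp (integer microseconds) down to the clock granularity.
function coarsen(rawUs, resolutionUs = RESOLUTION_US) {
  return Math.floor(rawUs / resolutionUs) * resolutionUs;
}

// Duration of an operation as a script observes it through the coarsened clock.
function observedDuration(startUs, durationUs, resolutionUs = RESOLUTION_US) {
  return coarsen(startUs + durationUs, resolutionUs) - coarsen(startUs, resolutionUs);
}

// Fraction of start offsets (within one clock tick) at which two operations
// of different length produce different readings.
function distinguishableFraction(fastUs, slowUs, resolutionUs = RESOLUTION_US) {
  let differ = 0;
  for (let offset = 0; offset < resolutionUs; offset++) {
    const a = observedDuration(offset, fastUs, resolutionUs);
    const b = observedDuration(offset, slowUs, resolutionUs);
    if (a !== b) differ++;
  }
  return differ / resolutionUs;
}

// Estimate a clock's effective granularity from a series of readings:
// the smallest non-zero step between consecutive values.
function effectiveGranularity(readings) {
  let best = Infinity;
  for (let i = 1; i < readings.length; i++) {
    const step = readings[i] - readings[i - 1];
    if (step > 0 && step < best) best = step;
  }
  return best;
}

// Constructed raw timestamps (microseconds) as a full-precision clock would report them.
const rawSamples = [3, 41, 97, 152, 260, 305];
const coarseSamples = rawSamples.map((t) => coarsen(t));

console.log("coarse readings:", coarseSamples);
console.log("effective granularity (us):", effectiveGranularity(coarseSamples));
console.log("10us vs 30us at 1us precision:", distinguishableFraction(10, 30, 1));
console.log("10us vs 30us at 100us precision:", distinguishableFraction(10, 30, 100));
```

With the coarse clock, the two sample operations give identical readings for most start offsets but not all of them, so clamping lowers the signal without removing it.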
According to Bergbom, limiting support for added threads in WebAssembly will slightly reduce the impact of cyber attacks.
However, the researcher also emphasizes that developers need to consider potential security issues. Similar to JavaScript, the capabilities of Wasm are limitless.
Preventing potential attacks requires browser developers to adopt a similar approach by restricting support for upcoming threads in WebAssembly, hindering attackers from creating precise timing mechanisms.
