First of all, Happy new hacking year everyone 😉
Just a quick reminder before we start: if you are interested in WebAssembly security and fuzzing WebAssembly browsers/VMs, my next public trainings will be in:
1. WebAssembly & Web-Browser CVEs
As you can see on caniuse.com, in January 2020, around 88% of all internet users can run WebAssembly modules on their browsers.
If you want to discover more about existing WebAssembly browser CVEs, take a look at those links:
3. Create Dharma/Domato WebAssembly APIs grammars
Personally, I prefer the grammar syntax of Dharma, but if you are a Domato adept, converting the following grammar to Domato shouldn’t be difficult 😉
The most time-consuming part is reading the whole specification and/or the API descriptions in order to create valid wasm objects and method calls. I will not detail Dharma grammar syntax in this blogpost, but you can find a complete grammar cheatsheet in the official GitHub repository of Dharma. Once your grammar seems acceptable, you can generate multiple files using this command:
dharma -grammars dharma/wasm.dg -count 100 -format js -seed 1337 -storage output_folder
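To make concrete what "valid wasm objects" means for the grammar output, here is an added example (not the post's code and not from the linked grammar repository) that hand-assembles the smallest useful WebAssembly module, the kind of byte array a generated test case feeds to `WebAssembly.Module`/`WebAssembly.Instance` inside d8, and then shows what `WebAssembly.validate` says about a one-byte mutation of it. The helper names (`uleb`, `section`, `buildAddModule`, `buildBrokenModule`, `runAdd`, `validate`) are my own; the byte values are the ones the binary format specifies. It runs unchanged in d8 and in Node, since both expose the `WebAssembly` global.

```javascript
// Added example (not the post's own code): assemble a minimal wasm module
// by hand and exercise the validation/instantiation APIs a d8 test case uses.

// Unsigned LEB128, the integer encoding used for every size and count in wasm.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// A section is: id byte, payload size (LEB128), payload bytes.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// Module exporting add(i32, i32) -> i32 (constructed here, 41 bytes total).
function buildAddModule() {
  const I32 = 0x7f;
  const typeSec = section(1, [1, 0x60, 2, I32, I32, 1, I32]);        // one functype
  const funcSec = section(3, [1, 0]);                                // func 0 uses type 0
  const name = [...'add'].map((c) => c.charCodeAt(0));
  const exportSec = section(7, [1, name.length, ...name, 0x00, 0]);  // kind 0 = func, index 0
  const body = [0, 0x20, 0, 0x20, 1, 0x6a, 0x0b];                    // no locals; local.get 0; local.get 1; i32.add; end
  const codeSec = section(10, [1, ...uleb(body.length), ...body]);
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0,         // "\0asm", version 1
    ...typeSec, ...funcSec, ...exportSec, ...codeSec]);
}

// Compile, instantiate and call the export, exactly as a grammar-generated
// test case would. Results come back as signed i32, so they wrap.
function runAdd(a, b) {
  const inst = new WebAssembly.Instance(new WebAssembly.Module(buildAddModule()));
  return inst.exports.add(a, b);
}

// Flip one opcode: i32.add (0x6a) -> i64.add (0x7c). The binary is still
// well-formed section-wise, but the type checker must reject it.
function buildBrokenModule() {
  const bytes = buildAddModule();
  bytes[bytes.lastIndexOf(0x6a)] = 0x7c;
  return bytes;
}

// WebAssembly.validate never throws; it is the cheap way to tell a
// grammar bug (invalid module) from an engine bug (valid module that crashes).
function validate(bytes) {
  return WebAssembly.validate(bytes);
}
```

In a grammar, every byte sequence emitted for a module needs the same discipline as `section()` above (sizes must match payloads), otherwise d8 rejects the module before any interesting code path runs; `validate()` is a quick filter for that during grammar development.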
I just published a simple WebAssembly grammar in this github repository if you need something to start 😉 I also invite you to read the following blogposts to discover how other researchers are using Dharma or Domato 😉
- Vulnerability Discovery Against Apple Safari by ret2systems – link
- Implementing fuzz logics with dharma by Mat Powell – link
- Domato Fuzzer’s Generation Engine Internals by Jaewon Min – link
- Fuzzing PHP with Domato by Andrew Kramer – link
- Using dharma to rediscover node.js out-of-band write in utf8 decoder by NibbleSecurity – link
In this blogpost, I will only target Chrome/V8 because it’s the best way for you (readers) to reproduce the blogpost’s steps at home without spending hours in compilation/debugging. Just a quick reminder: AddressSanitizer (ASan) is a memory error detector based on compiler instrumentation (LLVM) and used to detect multiple kinds of vulnerabilities (UaF, HBoF, etc.).
Here are the main reasons why I chose Chrome/V8 as a first choice:
- Google provides pre-built Chrome binaries built with AddressSanitizer, i.e. no compilation for me today 😉
- One of the binaries provided is d8, V8’s own developer command line shell.
- You can specify to d8 (through a command line option) whether you want to activate under-development WebAssembly features (like anyref, threads, simd, etc.)
- Pre-built binaries are fresh (up to date) and easy to download using the Google gsutil tool and the following command.
gsutil cp $(gsutil ls "gs://chromium-browser-asan/linux-release/asan-linux-release-*.zip" | tail -1) .
5. Fuzzing & monitoring - the lazy way
Last but not least, we need to feed our JS files to d8. An easy way to start is a simple bash script (like this one) that loops over the generated files and:
- execute d8 binary for each js file generated by Dharma
- monitor the returned signal value of the program
- store the testcase for analysis if the signal is not null.
Honggfuzz is a really easy-to-use and awesome fuzzer developed and maintained by Robert Swiecki from Google. During a honggfuzz “dry-run”, all given files are executed in different threads, monitored for crashes and stored if relevant. That also means that using only the following command line, you let honggfuzz handle everything and can go to sleep 😉
honggfuzz -t 5 -n 4 -i input_wasm_js/ -- ./d8 ___FILE___
6. Going deeper & Conclusion
The grammar and script shown in this blogpost are available in this github repository. Final reminder: if you want to learn/discover more about WebAssembly security (both reversing and fuzzing), my next public trainings will be in: