3-Day WebAssembly Security Training
Apr 20 - 22 at HITB Amsterdam.
WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web”.
WebAssembly is used everywhere (not exhaustive):
Web-browsers (Desktop & Mobile)
Cryptojacking (Coinhive, Cryptoloot)
Servers (Nodejs, React, Cloudflare workers)
Video games (Unity, UE4)
Blockchain platforms (EOS/Ethereum/Dfinity)
Linux Kernel (Cervus, Nebulet)
This courses will give you all the prerequisites to understand what’s a WebAssembly module and its associated virtual machine. At the end of this intensive 4 days, you will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerabilities & security issues. You will learn which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (Web-browsers, Standalone VM) using differents fuzzing techniques.
Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.
Introduction to WebAssembly
WebAssembly VM architecture & toolchains
Writing examples in C/C++/Rust
WASM binary format (header, sections, …)
WASM Text Format (wat/wast)
Reversing WebAssembly module
CFG & CallGraph reconstruction
WebAssembly cryptominers analysis
Wasm pattern detection signatures (YARA rules, …)
Debugging WebAssembly module
Taint Tracking & Dynamic Binary Instrumentation (DBI)
Bytecode (De)-Obfuscation techniques
Decompilation & Static Single Assignment (SSA)
Real-life Wasm module analysis
Traps & Exception handling
WebAssembly module validation mechanism
Lifting Wasm bytecode
Basic WebAssembly module vulnerabilities (Integer/Buffer/Heap Overflows)
Advanced vulnerabilities (UaF, TOCTOU, CFI Hijacking, …)
Emscripten vulnerabilities & NodeJS app exploitation
Fuzzing WebAssembly modules
Web-Browsers vulnerabilities analysis (CVEs PoC)
Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
Wat, Wast & Wasm grammar generation
Fuzzing C/C++/Rust/Go based Wasm projects
Basic reverse engineering skills.
Familiarity with scripting languages (Python, Bash, …).
Familiarity with C/C++ or Rust programming.
A notebook capable of running virtual machines.
Enough hard disk space to run VM
Virtual machine (VirtualBox preferred)
Administrator / root access required.
IDA PRO helpful, but not required.
We offer the world’s first WebAssembly security training. Our onsite trainings start at just 5 participants. We recommend 4 or 5 day formats to our customers. Customization of the training (like blockchain smart contract focused) is possible, but subject to an extra fee for the additional effort.
Check out the complete training content we can offer.