Concolic Execution for WebAssembly

WebAssembly (Wasm) is a new binary instruction format that allows targeted compiled code written in high-level languages to be executed by the browser’s JavaScript engine with near-native speed. Despite its clear performance advantages, Wasm opens up the opportunity for bugs or security vulnerabilities to be introduced into Web programs, as pre-existing issues in programs written in unsafe languages can be transferred down to cross-compiled binaries. The source code of such binaries is frequently unavailable for static analysis, creating the demand for tools that can directly tackle Wasm code. Despite this potentially security-critical situation, there is still a noticeable lack of tool support for analysing Wasm binaries. We present WASP, a symbolic execution engine for testing Wasm modules, which works directly on Wasm code and was built on top of a standard-compliant Wasm reference implementation. WASP was thoroughly evaluated: it was used to symbolically test a generic data-structure library for C and the Amazon Encryption SDK for C, demonstrating that it can find bugs and generate high-coverage testing inputs for real-world C applications; and was further tested against the Test-Comp benchmark, obtaining results comparable to well-established symbolic execution and testing tools for C.
