Is WebAssembly the New Adobe Flash?
As we all know, every Wasm program is considered closed source software just like Adobe Flash apps and for some reasons I'm getting a little spooky because compared to JavaScript everything looks transparent, even with obfuscated scripts I personally can still understand how everything works and can easily detect malware inside every codebase. Now WebAssembly is like Flash and I think everything will get scarier because you can't see what's under the hood and many companies and hackers will try to exploit things just like Flash apps and even the most paranoid developer somehow will not detect a hidden malware. Is it just me or dark ages are coming on how we build web applications?
Edit: I forgot to mention that 3 of the 4 companies involved are closed source lovers. Don't get me wrong, last time I checked Android and Chrome were partially open source and you don't have actually full control of everything.
5 comments
[ 3.2 ms ] story [ 24.9 ms ] threadIn particular from an attacker standpoint the attack surface of wasm is the same (actually smaller) as that of Javascript.
From the point of view of obfuscated code that wasm is worse than javascript, but I am not so sure that it is so much worse than C compiled to asm.js (that had to simulate arbitrary pointers anyway)
All in all for now the main malware using wasm are crypto mining bots.
As an update: The problem with closed source on the web is in great part that SaaS providers can circumvent GPL (which is the reason the AGPL was created) not particularly the fact Javascript can be obfuscated
If I remember correctly Google's reCaptcha work by interpreting encrypted instructions on an also encrypted interpreters that is Just-In-Time-Decrypted. Also it is entirely possible (and easy) to fully write an interpreter for wasm in Javascript. From an explot perspective literally the only thing that wasm provides is performance (hence the crypto bots).
The reason for vulnerabilities in Flash and Java was that the plugins were running in a different non-sandboxed (or badly sandboxed) process. The inability to inspect the Flash/Java binary was only relevant because of the many many bugs and exploits available in the runtime.
The reason being that both Flash and Java (and every other plugin) provided functionality completely absent in browsers (one example was the ability to open system-level network connections), this functionality was not sandboxed enough.
From a security perspective it was almost close to running `make install` instead of `ls` on a random project from github.
The reason people are confident in wasm security model is because it is almost implemented as a Javascript function that just manipulates ArrayBuffers.
There are currently proposals on the way to actually increas the reach of wasm code and allow a deeper level of interaction with the host environment, but (with the exception of threads) they all only offer functionality already exposed to Javascript