After the discovery of the Spectre and Meltdown attacks, browser vendors added new protections against them. But WebAssembly code might undo all their hard work.
For example, Mozilla reduced the precision of performance.now() to 20 microseconds as of Firefox 57, and further to 2 milliseconds by default as of Firefox 59. Users can also enable an additional setting in Privacy Settings to resist user fingerprinting, which reduces the precision to 100 milliseconds. This worked because Spectre and Meltdown, as side-channel attacks, require precise observation and manipulation of timers in order to be successfully exploited.
In a recent blog post, Forcepoint's John Bergbom said that a future version of WebAssembly with support for threads with shared memory could bypass the timer-accuracy restrictions implemented earlier this year. The WebAssembly developers are holding off on introducing the feature to avoid it being used for a high-precision timer as part of a Spectre attack.
Additionally, "there are not many publicly available tools for analyzing Wasm binaries," Bergbom said in the post. "Similarly, hardly any documentation exists on how to analyze a Wasm application at this time. This means that, largely, an unknown Wasm application can be a bit of a black box to a human analyst. The researcher may need to resort to analyzing only the network traffic, without being able to understand the inner workings of the code."
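As an added example (not from the article or from Forcepoint), the sketch below shows a first triage step for an unknown Wasm binary: it lists the module's sections and imports and reports whether any memory is declared shared, the feature discussed above. It assumes the standard binary layout and the shared flag bit from the WebAssembly threads proposal; triageWasm and SAMPLE are hypothetical names, and the sample bytes are constructed.

```javascript
// Added example: triage of a WebAssembly binary (sections, imports, shared memory).
const SECTIONS = ["custom", "type", "import", "function", "table", "memory",
  "global", "export", "start", "element", "code", "data", "datacount"];
function triageWasm(bytes) {
  const report = { sections: [], imports: [], sharedMemory: false };
  let pos = 0;
  const u8 = () => {
    if (pos >= bytes.length) throw new Error("truncated module");
    return bytes[pos++];
  };
  const leb = () => { // unsigned LEB128
    let value = 0, shift = 0, b;
    do { b = u8(); value += (b & 0x7f) * 2 ** shift; shift += 7; } while (b & 0x80);
    return value;
  };
  const name = () => {
    const len = leb();
    return new TextDecoder().decode(bytes.subarray(pos, (pos += len)));
  };
  const limits = (isMemory) => { // flags bit 0: max present, bit 1: shared (threads proposal)
    const flags = u8();
    leb(); // minimum
    if (flags & 1) leb(); // maximum
    if (isMemory && (flags & 2)) report.sharedMemory = true;
  };
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
  if (!header.every((h) => u8() === h)) throw new Error("not a Wasm version 1 binary");
  while (pos < bytes.length) {
    const id = u8(), size = leb(), end = pos + size;
    if (end > bytes.length) throw new Error("section overruns file");
    report.sections.push({ name: SECTIONS[id] || `unknown(${id})`, size });
    for (let n = id === 2 ? leb() : 0; n > 0; n--) { // import section
      const mod = name(), field = name(), kind = u8();
      report.imports.push(`${mod}.${field}`);
      if (kind === 0) leb(); // function: type index
      else if (kind === 1) { u8(); limits(false); } // table: reftype + limits
      else if (kind === 2) limits(true); // memory
      else if (kind === 3) { u8(); u8(); } // global: valtype + mutability
      else break; // unknown kind: stop decoding this section
    }
    for (let n = id === 5 ? leb() : 0; n > 0; n--) limits(true); // memory section
    pos = end; // skip whatever was not decoded
  }
  return report;
}
// Constructed sample: type section, then imports env.mem (shared memory) and env.now.
const SAMPLE = Uint8Array.from([0, 0x61, 0x73, 0x6d, 1, 0, 0, 0, 1, 4, 1, 0x60, 0, 0,
  2, 23, 2, 3, 0x65, 0x6e, 0x76, 3, 0x6d, 0x65, 0x6d, 2, 3, 1, 1,
  3, 0x65, 0x6e, 0x76, 3, 0x6e, 0x6f, 0x77, 0, 0]);
console.log(triageWasm(SAMPLE));
```

The import list and the shared-memory flag give an analyst a starting point for deciding which host functions and memory features a module depends on before looking at its code section.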
WebAssembly has also been seen as a vector for browser-based cryptojacking attacks, as the performance gains that WebAssembly offers greatly increase the return on investment of such attacks.
The big takeaways for tech leaders:
- Because WebAssembly is a non-human-readable format, it presents a greater challenge for security researchers, and gives malicious actors more cover to deploy attacks.
- Browser vendors reduced the accuracy of timers, and limited the ability to construct high-precision timers through other means, in an attempt to mitigate the risk of Spectre attacks.