Standing on the Shoulders of Giants
De-Obfuscating WebAssembly Using LLVM
Vikas Gupta & Peter Garba
Thales Cybersecurity & Digital Identity (CDI)

Agenda

About Us

Vikas Gupta
- Senior Security Researcher at Thales CDI, previously with Google.
- Masters in information security, OSCP Certified
- Co-Author OWASP Mobile Security Testing Guide (MSTG)
- Interests: Reverse engineering, mobile security

Peter Garba
- Principal Software Security Engineer at Thales CDI, Singapore
- Product Owner
- Author of the Thales internal obfuscation tools
- Passionate reverse engineer at night.

Motivation

Problem Statement
1. Is Wasm secure for us?
2. Obfuscate Wasm binaries
3. Lifting Wasm to LLVM IR
4. Deobfuscate Wasm binaries & recover original logic

Achievements
- Demonstrating use of existing tooling for Wasm
  - Obfuscation
  - Deobfuscation
- Lifting Wasm to LLVM IR - Squanchy
- Automated deobfuscation of Wasm

WebAssembly Essentials
- Announced in 2015, a high-performance, secure, and portable compilation target.
- Binaries that are compact and quick to parse.
- Runs in a stack based virtual machine (think JVM)
- Communicates with host program using well defined exports and imports
- Wide adoption
  - Games
  - Big web apps - Google Earth
  - Blockchain smart contracts.

- Each Wasm program is a single file of code - Module.
- Module is organized in sections.
- Sections - Export, imports, globals, functions etc.
- Indexed Spaces
  - Items can be accessed by a 0-based integer index
- Code and data spaces are disjoint
  - compiled programs cannot corrupt their execution environment
  - Cannot jump to arbitrary locations
  - Perform other undefined behaviour

WebAssembly Tooling
- WebAssembly Binary Toolkit
- Wasm-tools
- Ghidra
  - Using a Wasm plugin
  - Used to view decompiled Wasm
- IDA Pro v9
  - It is hit-n-miss with Wasm
  - Using to view object files
- JEB Pro

WebAssembly Obfuscation

Obfus