Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint.
WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported in all major browsers, such as Chrome, Edge, Firefox, and Safari.
The technology is a compact binary language that a browser converts into machine code and runs directly on the CPU.
All in all, the WebAssembly standard is viewed as a success in the web dev community and has been widely praised.
WebAssembly is not immune to abuse
Now, a Forcepoint researcher argues there could be another unintended side effect of WebAssembly for web users.
WebAssembly may bypass some browser mitigations
In this statement, Bergbom is more accurately referring to "timing attacks," which are a class of side-channel attacks.
Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms.
The recently disclosed Meltdown and Spectre CPU vulnerabilities, along with their many variations, are all timing attacks at their core.
They rely on the attacker’s ability to measure precise time intervals, a parameter needed to perform the side-channel attack and recover enough information from the encrypted blob of data to determine the rest.
Browsers previously addressed this issue in January
This attack code utilized browsers' internal native functions for measuring time intervals, such as "SharedArrayBuffer" and "performance.now()."
Browsers like Firefox and Chrome reacted by releasing updates that watered down the precision of these timer functions, rendering Meltdown and Spectre attacks, and other timing side-channel attacks, inefficient.
But now, Bergbom says that once support for "threads" is added to WebAssembly and this feature reaches modern browsers, those mitigations will be rendered useless, because an attacker will have a new avenue for measuring precise time via WebAssembly.
Preventing this from happening requires that browser vendors take the same approach once more and limit WebAssembly's upcoming "threads" support so that attackers cannot craft sufficiently precise timers.
A member of the WebAssembly team has told Bleeping Computer that they are aware of this issue and have put this feature on hold, for the time being, albeit no consensus has been reached on what to do next.
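A defender can check what the reduced-precision mitigation described above looks like from page script. The following is an added example, not code from Forcepoint, Bleeping Computer or any browser vendor; it measures the smallest step a clock is observed to make and reports whether shared memory is exposed to the page. The helper names (coarsenClock, measureResolution, auditTimers, makeFakeClock) and the 100-microsecond step are assumptions chosen for illustration.

```javascript
// Added example: audit how precise the clocks exposed to script are.
// All function names below are hypothetical helpers, not browser APIs.

// Model of the mitigation: round a clock down to a multiple of `step`.
function coarsenClock(clock, step) {
  return () => Math.floor(clock() / step) * step;
}

// Smallest step a clock is observed to make, in the clock's own unit.
// Reads until `ticks` value changes are seen or `maxReads` is used up.
function measureResolution(clock, ticks = 20, maxReads = 1e6) {
  let prev = clock();
  let smallest = Infinity;
  let seen = 0;
  for (let i = 0; i < maxReads && seen < ticks; i++) {
    const t = clock();
    if (t !== prev) {
      smallest = Math.min(smallest, t - prev);
      prev = t;
      seen++;
    }
  }
  return seen === 0 ? null : smallest; // null: the clock never advanced
}

// Report for the current runtime (browser page, worker, or Node.js).
function auditTimers(g = globalThis) {
  const nowUs = () => Math.round(g.performance.now() * 1000);
  return {
    performanceNowStepUs: measureResolution(nowUs),
    // Memory shared between threads is the second item the article names.
    sharedArrayBuffer: typeof g.SharedArrayBuffer === "function",
    crossOriginIsolated: g.crossOriginIsolated === true,
  };
}

// Constructed clock for the demo: advances 1 microsecond per read.
function makeFakeClock() {
  let t = 0;
  return () => t++;
}

// Same constructed clock, measured raw and after a 100 us clamp.
function demo() {
  const raw = measureResolution(makeFakeClock());
  const clamped = measureResolution(coarsenClock(makeFakeClock(), 100));
  return { raw, clamped };
}
```

Running auditTimers() in a browser console shows the step that the installed browser version actually applies to performance.now(), which can be compared before and after an update.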