Hi guys, I got a weird but hopefully interesting question. Suppose a WASM module calls a HostFunctionl, and wasmtime or other WASM runtime implements the host function by calling an external program. Can this external program do something hacky (like look at the call stack) and infer the linear memory start address of the caller WASM module?
I know it would be trivial if wasmtime just tell the external module, but from security aspect, my project want to do this in a more trusted place, if that's possible.
Or if it's possible to make all Linear Memory start address 32bit aligned, will this make inference more possible? Thank you!
@Coulson Liang I don't think you need to do any reverse-engineering; the Wasmtime API on the host side lets you see slices of any exported memory, and from that you can get the address in host address space directly
Yes I know that and tried that working. For some security reason, we want to check who is calling and where did the call come from by ourselves, without any information from the runtime, so I'm wondering if there are some hacky way to infer that information.
Not entirely sure what you're asking: the runtime calls a host function, so it has to be trusted (any state you could use to determine the caller ultimately comes from the runtime)
Can you describe the security problem at a higher level? What's the threat model? What's in the TCB, and what's not?
Never mind, I just persuaded my boss to take the runtime as part of TCB, sorry for posting this weird question. Previously on other systems we look at the stack and infer where the call is from, but this doesn't make sense for Wasm at all.
Coulson Liang has marked this topic as resolved.
Last updated: Dec 23 2024 at 14:03 UTC