WASI differential fuzzing project · wasi

Stream: wasi

Topic: WASI differential fuzzing project

Yage Hu (Sep 18 2025 at 19:53):

Hi there! I'm a PhD student doing research around Wasm/WASI. Our recent work "WASIT: Deep and Continuous Differential Testing of WebAssembly System Interface Implementations" has been accepted to SOSP'25. My 5-second pitch for WASIT is that it's a resource-aware differential fuzzer for standalone WASI runtimes like Wasmtime and WasmEdge that has been very effective in uncovering WASI implementation bugs (three CVEs and many bugs found and fixed across multiple runtimes). We took inspiration from prior art such as OS kernel fuzzers like Syzkaller as well as model-based testing research. The high-level approach is:

We extend wasip1's witx format to include semantic constraints. They encode pre and post-conditions of WASI functions and model WASI types as resources with internal state.
We use an SMT solver to find satisfying assignments of WASI call parameters.
We compare the side effects (filesystem) of different Wasm runtimes under the same execution trace and flag inconsistencies.

Since the work was done quite a while ago, we use the outdated witx format and we only target preview1. But I believe our methodology can be generalized to p2 and beyond even though there are quite a lot of technical challenges (preview2 introduced many new features and much more complex semantics like async).

Our goal with this post is just to gauge the community interest in seeing this work continue. We think converging runtime behaviors where it makes sense is beneficial to the server-side Wasm ecosystem. Currently, the source code is only a research artifact, it's very messy and not by any means ready for normal use.

WASIT differ from prior Wasm testing approaches in a couple of ways:

Tools like wasm-smith are more instruction-focused. It's much harder to exercise meaningful imported function calls or WASI.
There are a couple of recent WASI testing projects like (DrWasi). We found our resource-based testing approached combined with semantic constraints make false positives a lot more tractable. And we can reach much deeper system state by creating longer call chains.

GitHub - yagehu/wasit

Contribute to yagehu/wasit development by creating an account on GitHub.

Yage Hu (Sep 18 2025 at 19:54):

sosp25-final248.pdf

Ralph (Sep 19 2025 at 09:50):

uh... YES?

Chris Fallin (Sep 19 2025 at 17:21):

This is really interesting work @Yage Hu !

At least in the Wasmtime project we're happy to collaborate on testing/fuzzing/verification/... -- as you probably know we've done a good amount of that on the compiler side, etc. Please don't hesitate to ask questions!

Also there's recent work building a comprehensive test suite for modern WASI by @Andy Wingo -- generally that sort of thing is complementary to fuzzing, but just thought I should mention in case, e.g., there are any interesting spec-corner-case or other questions that come up.

Last updated: Dec 06 2025 at 06:05 UTC