I got many crash samples while fuzzing the mini-loader of the WAMR project. I would like to know what are the advantages of mini-loader over normal loader? I noticed a discussion in issue https://github.com/bytecodealliance/wasm-micro-runtime/issues/569, and I think a memory corruption vulnerability in the mini-loader could lead to arbitrary code execution if the mini-loader is used on some devices. I'm wondering if the vulnerabilities in mini-loader would be considered security issues and assigned CVEs?
@P1umer the mini-loader was designed for reducing the binary size for some embedded environments. It assumes the wasm module is protected by signature, so the module sanity check is largely removed from the loading phase.
If the fuzzing test is loading invalid wasm modules, it is expected behavior.
It looks like more descriptions for mini-loader should be provided in GitHub repo.
Well, this design poses a supply chain security threat. If the signature authority is compromised, it may hack into several downstream devices. So some key security checks are necessary I think.
Yes, the system designers should be aware of such threats and provide necessary mitigations from the system level.
Could you give us an example of "a supply chain security threat" mentioned above?
I don't have an example of an actual supply chain attack at the moment, but by enabling the mini-loader, it is possible to cause memory corruption in WAMR, and I think some basic security patches are still necessary and probably won't have a huge impact on performance.
The design of wamr is very similar to ebpf I think. And the mini-loader is not security hardened for performance, the only guarantee is through the signature mechanism. Then if the signature authority is hacked, the wasm module with exploit capability can damage more wamr-loaded devices by forging signatures.
I don't think users can be exposed to this kind of threat. So I think the mini-loader should be disabled or harden it with some security checks.
@P1umer The mini-loader is designed to reduce the binary size and doesn't check the integrity of the wasm file, developer must check it by himself, which has been mentioned in the document:
https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wamr.md#enable-wasm-mini-loader
The wasm_loader.c and wasm_mini_loader.c are somewhat like online verifier mode and offline verifier mode. If developer wants to check the file integrity online, he can just use the former. But if he wants to reduce the binary size, he can use the latter, but he must ensure that the wasm file is well-formed by himself, e.g. using other tools to check.
okay, hope other developers can take this seriously.
Last updated: Dec 23 2024 at 13:07 UTC