Stream: wamr

Topic: Security issues in mini-loader


view this post on Zulip P1umer (Jul 16 2022 at 09:52):

I got many crash samples while fuzzing the mini-loader of the WAMR project. I would like to know what are the advantages of mini-loader over normal loader? I noticed a discussion in issue https://github.com/bytecodealliance/wasm-micro-runtime/issues/569, and I think a memory corruption vulnerability in the mini-loader could lead to arbitrary code execution if the mini-loader is used on some devices. I'm wondering if the vulnerabilities in mini-loader would be considered security issues and assigned CVEs?

saw this in the config, curious what is the difference between mini-loader and normal loader.

view this post on Zulip Wang Xin (Jul 16 2022 at 23:32):

@P1umer the mini-loader was designed for reducing the binary size for some embedded environments. It assumes the wasm module is protected by signature, so the module sanity check is largely removed from the loading phase.

If the fuzzing test is loading invalid wasm modules, it is expected behavior.

It looks like more descriptions for mini-loader should be provided in GitHub repo.

view this post on Zulip P1umer (Jul 17 2022 at 01:02):

Well, this design poses a supply chain security threat. If the signature authority is compromised, it may hack into several downstream devices. So some key security checks are necessary I think.

view this post on Zulip Wang Xin (Jul 17 2022 at 02:33):

Yes, the system designers should be aware of such threats and provide necessary mitigations from the system level.

view this post on Zulip lum1n0us (Jul 18 2022 at 03:57):

Could you give us an example of "a supply chain security threat" mentioned above?

view this post on Zulip P1umer (Jul 18 2022 at 06:25):

I don't have an example of an actual supply chain attack at the moment, but by enabling the mini-loader, it is possible to cause memory corruption in WAMR, and I think some basic security patches are still necessary and probably won't have a huge impact on performance.

view this post on Zulip P1umer (Jul 18 2022 at 06:38):

The design of wamr is very similar to ebpf I think. And the mini-loader is not security hardened for performance, the only guarantee is through the signature mechanism. Then if the signature authority is hacked, the wasm module with exploit capability can damage more wamr-loaded devices by forging signatures.

view this post on Zulip P1umer (Jul 18 2022 at 06:44):

I don't think users can be exposed to this kind of threat. So I think the mini-loader should be disabled or harden it with some security checks.

view this post on Zulip Wenyong Huang (Jul 18 2022 at 06:44):

@P1umer The mini-loader is designed to reduce the binary size and doesn't check the integrity of the wasm file, developer must check it by himself, which has been mentioned in the document:
https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wamr.md#enable-wasm-mini-loader

The wasm_loader.c and wasm_mini_loader.c are somewhat like online verifier mode and offline verifier mode. If developer wants to check the file integrity online, he can just use the former. But if he wants to reduce the binary size, he can use the latter, but he must ensure that the wasm file is well-formed by himself, e.g. using other tools to check.

WebAssembly Micro Runtime (WAMR). Contribute to bytecodealliance/wasm-micro-runtime development by creating an account on GitHub.

view this post on Zulip P1umer (Jul 18 2022 at 06:52):

okay, hope other developers can take this seriously.


Last updated: Dec 23 2024 at 13:07 UTC