Publication | Open Access
Taint Tracking for WebAssembly
Citations: 13 | References: 4 | Year: 2018
Engineering, Information Security, Information Forensics, Software Analysis, Indirect Taint, Hardware Security, Trusted Execution Environment, Novel Taint, Secure Computing, Security Testing, Data Privacy, Computer Science, Static Program Analysis, Language-based Security, Native Web Computation, Data Security, Cryptography, Software Security, Program Analysis, Software Testing, System Software
WebAssembly seeks to provide an alternative to running large and untrusted binaries within web browsers by implementing a portable, performant, and secure bytecode format for native web computation. However, WebAssembly is largely unstudied from a security perspective. In this work, we build the first WebAssembly virtual machine that runs in native JavaScript, and implement a novel taint tracking system that allows a user to run untrusted WebAssembly code while monitoring the flow of sensitive data through the application. We also introduce indirect taint, a label that denotes the implicit flow of sensitive information between local variables. Through rigorous testing and validation, we show that our system is correct, secure, and relatively efficient, benefiting from the native performance of WebAssembly while retaining precise security guarantees of more mature software paradigms.
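The difference between a direct (explicit) flow and the indirect taint the abstract mentions can be seen in a small stack interpreter. This is an added sketch, not the paper's virtual machine: the three labels, the five opcodes and the rule for marking locals written in an untaken branch are assumptions made for the illustration.

```javascript
// Labels are constructed for this sketch; a higher number dominates when labels are joined.
const CLEAN = 0, INDIRECT = 1, DIRECT = 2;
const join = (a, b) => Math.max(a, b);

// Indices of locals that a block could write, including nested branch arms.
function writes(ops) {
  return ops.flatMap(([op, a, b]) =>
    op === 'set' ? [a] : op === 'if' ? [...writes(a), ...writes(b)] : []);
}

// Execute ops over values shaped {v: number, t: label}; pc is the label of the enclosing branch.
function exec(ops, stack, locals, pc) {
  for (const [op, a, b] of ops) {
    if (op === 'const') stack.push({ v: a, t: CLEAN });
    else if (op === 'get') stack.push({ ...locals[a] });
    else if (op === 'add') {
      const r = stack.pop(), l = stack.pop();
      stack.push({ v: (l.v + r.v) | 0, t: join(l.t, r.t) }); // explicit flow
    } else if (op === 'set') {
      const x = stack.pop();
      locals[a] = { v: x.v, t: join(x.t, pc) }; // a write inside a tainted branch is tainted
    } else if (op === 'if') {
      const c = stack.pop();
      const inner = join(pc, c.t === CLEAN ? CLEAN : INDIRECT);
      exec(c.v !== 0 ? a : b, stack, locals, inner);
      // The untaken arm leaks too: a local it would have written keeps its old value.
      for (const i of writes(c.v !== 0 ? b : a))
        locals[i] = { v: locals[i].v, t: join(locals[i].t, inner) };
    } else throw new Error(`unknown op ${op}`);
  }
}

// Constructed program: local 0 holds the sensitive input, locals 1 to 3 start clean.
function run(secret) {
  const locals = [{ v: secret, t: DIRECT }, { v: 0, t: CLEAN }, { v: 0, t: CLEAN }, { v: 0, t: CLEAN }];
  const program = [
    ['get', 0], ['get', 0], ['add'], ['set', 1],        // local1 = secret + secret
    ['get', 0], ['if', [['const', 7], ['set', 2]], []], // if (secret) local2 = 7
    ['const', 5], ['set', 3],                           // local3 = 5
  ];
  exec(program, [], locals, CLEAN);
  return locals;
}
```

Local 1 is computed from the secret and carries the direct label; local 2 only ever receives a constant, yet its final value reveals whether the secret was zero, so it is labelled indirect on both paths.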