Abstract
WebAssembly, or Wasm for short, is a new, low-level language that allows for near-native execution performance and is supported by all major browsers as of today. In comparison to JavaScript it offers faster transmission, parsing, and execution times. Up until now it has, however, been largely unclear what WebAssembly is used for in the wild. In this paper, we thus conduct the first large-scale study on the Web. For this, we examine the prevalence of WebAssembly in the Alexa Top 1 million websites and find that as many as 1 out of 600 sites execute Wasm code. Moreover, we perform several secondary analyses, including an evaluation of code characteristics and the assessment of a Wasm module’s field of application. Based on this, we find that over 50 % of all sites using WebAssembly apply it for malicious deeds, such as mining and obfuscation.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Statistics from http://caniuse.com in January 2019.
- 2.
http://s3.amazonaws.com/alexa-static/top-1m.csv.zip (from 21. December 2018).
- 3.
A lower rank means a more popular site, e.g. google.com has rank 1.
- 4.
References
AdGuard Research. Cryptocurrency mining affects over 500 million people. And they have no idea it is happening, October 2017. https://adguard.com/en/blog/crypto-mining-fever/
Adobe Corporate Communications. Flash & the future of interactive content (2017). https://theblog.adobe.com/adobe-flash-update/
Ali, S.T., Clarke, D., McCorry, P.: Bitcoin: perils of an unregulated global P2P currency. In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds.) Security Protocols 2015. LNCS, vol. 9379, pp. 283–293. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26096-9_29
ASM.js. Frequently asked questions, February 2019. http://asmjs.org/faq.html
Barabási, A.-L., Freeh, V.W., Jeong, H., Brockman, J.B.: Parasitic computing. Nature 412, 894–897 (2001)
ChromeDevTools. Chrome DevTools Protocol Viewer, May 2018. https://chromedevtools.github.io/devtools-protocol/
Chromium Blog. Goodbye pnacl, hello webassembly! May 2017. https://blog.chromium.org/2017/05/goodbye-pnacl-hello-webassembly.html
Clark, L.: What makes webassembly fast? February 2017. https://hacks.mozilla.org/2017/02/what-makes-webassembly-fast/
CoinHive Documentation. JavaScript Miner, February 2019. https://coinhive.com/documentation/miner
Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious javascript code. In: Proceedings of the International World Wide Web Conference (WWW) (2010)
Curtsinger, C., Livshits, B., Zorn, B.G., Seifert, C.: Zozzle: Fast and precise in-browser javascript malware detection. In: Proceedings of USENIX Security Symposium (2011)
Eskandari, S., Leoutsarakos, A., Mursch, T., Clark, J.: A first look at browser-based cryptojacking. In: Proceedings of IEEE Security and Privacy on the Blockchain Workshop (2018)
Haas, A., et al.: Bringing the web up to speed with WebAssembly. In: Proceedings of ACM SIGPLAN International Conference on Programming Languages Design and Implementation (PLDI), pp. 185–200 (2017)
Hong, G., et al.: How you get shot in the back: a systematical study about cryptojacking in the real world. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), October 2018
Huang, D.Y., et al.: Botcoin: monetizing stolen cycles. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2014)
Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: Proceedings of USENIX Security Symposium (2013)
Kim, K., et al.: J-force: forced execution on javascript. In: Proceedings of the International World Wide Web Conference (WWW) (2017)
Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: de-cloaking internet malware. In: Proceedings of IEEE Symposium on Security and Privacy (2012)
Konoth, R.K., et al.: An in-depth look into drive-by mining and its defense. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), October 2018
Krebs, B.: Who and What Is Coinhive? March 2018. https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive
Maisuradze, G., Backes, M., Rossow, C.: Dachshund: digging for and securing against (non-) blinded constants in JIT code. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2017)
McConnell, J.: Webassembly support now shipping in all major browsers, November 2017. https://blog.mozilla.org/blog/2017/11/13/webassembly-in-browsers/
MDN Web Docs. Proxy, February 2019. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy
Microsoft Windows Blogs. A break from the past, part 2: saying goodbye to activex, vbscript, attachevent, May 2015. https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system, May 2009. http://www.bitcoin.org/bitcoin.pdf
Özkan, S.: CVE Details. http://www.cvedetails.com
Rieck, K., Krueger, T., Dewald, A.: Cujo: efficient detection and prevention of drive-by-download attacks. In: Proceedings of Annual Computer Security Applications Conference (ACSAC) (2010)
Rodriguez, J.D.P., Posegga, J.: CSP & Co., Can Save Us from a Rogue Cross-Origin Storage Browser Network! But for How Long? In: Proceedings of ACM Conference on Data and Application Security and Privacy (CODASPY) (2018)
Rodriguez, J.D.P., Posegga, J.: Rapid: resource and api-based detection against in-browser miners. In: Proceedings of Annual Computer Security Applications Conference (ACSAC) (2018)
Rossberg, A.: Webassembly core specification. W3C First Public Working Draft, February 2018. https://www.w3.org/TR/2018/WD-wasm-core-1-20180215
Rüth, J., Zimmermann, T., Wolsing, K., Hohlfeld O.: Digging into browser-based crypto mining. In: Proceeings of Internet Measurement Conference (IMC) (2018)
Salton, G., McGill, M.J.: Introduction to Modern Information Retrieval. McGraw-Hill (1986)
“Seigen”, Jameson, M., Nieminen, T., “Neocortex”, Juarez, A.M.: Cryptonight hash function. CryptoNote Standard 008, March 2008. https://cryptonote.org/cns/cns008.txt
Stock, B., Livshits, B., Zorn, B.: Kizzle: a signature compiler for detecting exploit kits. In: Proceedings of Conference on Dependable Systems and Networks (DSN) (2016)
Tahir, R., et al.: Mining on someone else’s dime: mitigating covert mining operations in clouds and enterprises. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 287–310. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_13
van Saberhagen, N.: Cryptonote v2.0. Technical report, CryptoNote, October 2013
W3C WebAssembly Community Group. Webassembly design documents, January 2019. https://webassembly.org
Wang, W., Ferrell, B., Xu, X., Hamlen, K.W., Hao, S.: SEISMIC: secure in-lined script monitors for interrupting cryptojacks. In: Proceedings of European Symposium on Research in Computer Security (ESORICS) (2018)
Wasabi. Dynamic Analysis Framework, February 2019. http://wasabi.software-lab.org
Wressnegger, C., Yamaguchi, F., Arp, D., Rieck, K.: Comprehensive analysis and detection of flash-based malware. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 101–121. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_6
Xu, W., Zhang, F., Zhu, S.: JStill: mostly static detection of obfuscated malicious javascript code. In: Proceedings of ACM Conference on Data and Application Security and Privacy (CODASPY) (2013)
Zakai, A.: Why webassembly is faster than asm.js, March 2017. https://hacks.mozilla.org/2017/03/why-webassembly-is-faster-than-asm-js/
Acknowledgments
The authors gratefully acknowledge funding from the German Federal Ministry of Education and Research (BMBF) under the project VAMOS (FKZ 16KIS0534) and FIDI (FKZ 16KIS0786K), and funding from the state of Lower Saxony under the project Mobilise.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Musch, M., Wressnegger, C., Johns, M., Rieck, K. (2019). New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-22038-9_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9
eBook Packages: Computer ScienceComputer Science (R0)