
New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11543)

Abstract

WebAssembly, or Wasm for short, is a new, low-level language that allows for near-native execution performance and is supported by all major browsers as of today. In comparison to JavaScript it offers faster transmission, parsing, and execution times. Up until now it has, however, been largely unclear what WebAssembly is used for in the wild. In this paper, we thus conduct the first large-scale study on the Web. For this, we examine the prevalence of WebAssembly in the Alexa Top 1 million websites and find that as many as 1 out of 600 sites execute Wasm code. Moreover, we perform several secondary analyses, including an evaluation of code characteristics and the assessment of a Wasm module’s field of application. Based on this, we find that over 50 % of all sites using WebAssembly apply it for malicious deeds, such as mining and obfuscation.

Notes

  1. Statistics from http://caniuse.com in January 2019.

  2. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip (from 21 December 2018).

  3. A lower rank means a more popular site, e.g. google.com has rank 1.

  4. https://github.com/mnater/Hyphenopoly/issues/13.

Acknowledgments

The authors gratefully acknowledge funding from the German Federal Ministry of Education and Research (BMBF) under the project VAMOS (FKZ 16KIS0534) and FIDI (FKZ 16KIS0786K), and funding from the state of Lower Saxony under the project Mobilise.

Corresponding author

Correspondence to Marius Musch.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Musch, M., Wressnegger, C., Johns, M., Rieck, K. (2019). New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_2

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer Science, Computer Science (R0)
