[cdetrio]

This is exciting for the Ewasm team (Ethereum WebAssembly). We're hoping this new single-pass compilation in Liftoff won't be vulnerable to JIT bombs, which are wasm modules that take a lot longer to compile than they do to execute. JIT bombs would be DoS attack vectors on Ethereum clients using JIT wasm engines, and we found some v8 JIT bombs through fuzz testing some months ago.

I gave a talk about it back in June. Slides: https://docs.google.com/presentation/d/1n75Mo09HmyruV5S7q0cH... video: https://youtu.be/2eISBAbT3GM?t=1h22m3s

[miohtama]

Aa EOS is already leveraging WASM, do you know if they implement any hardening against these? I know they use wall clock measurements for some operations.

[cdetrio]

I mention in the talk that our fuzz tester, Guido Vranken, moved on to fuzzing WAVM (the wasm jit engine used in EOS) after v8. He earned some bounties (only some of them were related to WAVM) and several articles were written about it. I believe WAVM has some constants that can be set low enough to prevent JIT bombs, but I didn't follow the details so I'm not sure. Check out this commit, in particular the changes to WASMSerialization.cpp: https://github.com/EOSIO/eos/commit/af02ebba5d5797b6dcc2f06b...