Hacker News
by dreae 2374 days ago
This has to be some of the thinnest gruel I've read in a while. The entire premise of the article is that the "dark side" of WebAssembly is that "security" products can't do string matching against compiled code.

Case 1: People can write scams that "security" products can't block because WebAssembly somewhat obfuscates the code. The comparison of scanning WASM in a "security" product to opening an executable in a text editor is laughable.

Case 2: People can write website keyloggers in WASM and it will be obfuscated against "security" products. Alternatively the bad guys could just obfuscate plain old JavaScript, or any number of other techniques to exfiltrate data. If people are executing malicious WASM on your website you're already owned.

The only one of their points that has any merit is that WASM implementations increase the attack surface of the browser. This is ostensibly true, as do all new features. Fortunately the major browser vendors have competent engineers dedicated to testing their software for vulnerabilities.


I would also argue that security should not depend on your ability to introspect into code, because whether code is treating data according to the user's expectations isn't something that's going to be statically analyzable.

The interface which consumes the code should be safe.

Furthermore almost any programming language is going to be pretty much impossible to analyse the behaviour of. There are some pretty fancy theorems about incomputability, but really it's just because you can build a compiler that reads obfuscated byte code.

Forget not being able to use string matching, there are no programs capable of predicting the behaviour of programs without effectively running them in a sandbox.

> The only one of their points that has any merit is that WASM implementations increase the attack surface of the browser. This is ostensibly true, as do all new features.

If things go according to what seems to be the plan, and the JS interpreter is replaced by one that compiles into WASM, it will severely reduce the attack surface. The WASM VM is much simpler than a JS interpreter.

But well, of course, that's a long time in the future. Up to then, you are correct.

You're definitely right, string inspection of JavaScript is not really a thing, I'm not aware of it being done and it wouldn't be reliable unless you had something more powerful than a regex.

I will say though, that I have seen some products out there today that work by rendering text as pixels on a <canvas>, so that accessibility (if you can't read it with your eyes), searchability, discoverability, etc. are nonexistent.

This is something WASM could inadvertently encourage a higher percentage of products to use for whatever purpose. Same thing people did with Flash.

Yeah, I expected it to say WASM somehow makes browsers intrinsically more vulnerable to exploits despite the sandboxing. But this is definitely reaching.

I disagree because obfuscated JavaScript would already be suspicious as it is not that widespread as an industry practice. The standard industry practice for JS is minification, not obfuscation; so you can still see what functions are called and any developer can quickly identify if there is a suspicious looking AJAX request to a strange URL.

With WASM, you can't see anything. It's a complete black box. It's a lot easier for a hacker to hide stuff from users. It's easier to sneak in malicious code and it's harder to identify and remove it.

Minification is a form of obfuscation, and a lot of libraries and commonly used scripts are purposely completely unreadable. show_ads.js, for example, is nonsense, so it's not unreasonable for a hacker to sneak into ad code, insert some dubious lines of code that do more or less anything they'd want. There are easy ways to mitigate this for sure, but it doesn't seem that WASM makes this point worse. Surely you could just as easily spot an AJAX request from a strange URL while utilising WASM too?

> With WASM, you can't see anything. It's a complete black box.

That isn't a problem in itself, as long as the only mechanisms for the black box to interact with anything else are well-defined and properly secured.

Put another way, I shouldn't need to decompile arbitrary WASM code downloaded by some site I visit, as long as it's only allowed to do anything through APIs that I'm happy with.