{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T16:27:15Z","timestamp":1783096035887,"version":"3.54.6"},"reference-count":96,"publisher":"Association for Computing Machinery (ACM)","issue":"ISSTA","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,22]]},"abstract":"<jats:p>WebAssembly enables fast execution of performance-critical in web applications utilizing native code. However, recent research has demonstrated the potential for memory corruption errors within WebAssembly modules to exploit web applications. In this work, we present the first systematic analysis of memory corruption in WebAssembly, unveiling the prevalence of a novel threat model where memory corruption enables code injection on a victim\u2019s browser. Our large-scale analysis across 37797 domains reveals that an alarming 29411 (77.81%) of those fully trust data coming from potentially attacker-controlled sources. As a result, an attacker can exploit memory errors to manipulate the WebAssembly memory, where the data is implicitly trusted and frequently passed into security-sensitive functions such as eval or directly into the DOM via innerHTML. Thus, an attacker can abuse this trust to gain JavaScript code execution, i.e., Cross-Site Scripting (XSS).<\/jats:p>\n          <jats:p>To tackle this issue, we present Wemby, the first viable approach to efficiently analyze WebAssembly-powered websites holistically. We demonstrate that Wemby is proficient at detecting remotely exposed memory corruption errors in web applications through fuzzing. For this purpose, we implement binary-only WebAssembly instrumentation that provides fine-grained memory corruption oracles. We applied Wemby to different websites, uncovering several memory corruption bugs, including one on the Zoom platform. In terms of performance, our ablation study demonstrates that Wemby outperforms current WebAssembly fuzzers. Specifically, Wemby achieves an average speed improvement of 232 times and delivers 46% greater code coverage compared to the state-of-the-art.<\/jats:p>","DOI":"10.1145\/3728937","type":"journal-article","created":{"date-parts":[[2025,6,22]],"date-time":"2025-06-22T10:52:56Z","timestamp":1750589576000},"page":"1326-1349","source":"Crossref","is-referenced-by-count":2,"title":["Wemby\u2019s Web: Hunting for Memory Corruption in WebAssembly"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-6065-8087","authenticated-orcid":false,"given":"Oussama","family":"Draissi","sequence":"first","affiliation":[{"name":"University of Duisburg-Essen, Essen, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3682-0197","authenticated-orcid":false,"given":"Tobias","family":"Cloosters","sequence":"additional","affiliation":[{"name":"University of Duisburg-Essen, Essen, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8468-8516","authenticated-orcid":false,"given":"David","family":"Klein","sequence":"additional","affiliation":[{"name":"TU Braunschweig, Braunschweig, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-3082-4345","authenticated-orcid":false,"given":"Michael","family":"Rodler","sequence":"additional","affiliation":[{"name":"Amazon Web Services, D\u00fcsseldorf, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6894-1008","authenticated-orcid":false,"given":"Marius","family":"Musch","sequence":"additional","affiliation":[{"name":"TU Braunschweig, Braunschweig, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2574-5060","authenticated-orcid":false,"given":"Martin","family":"Johns","sequence":"additional","affiliation":[{"name":"TU Braunschweig, Braunschweig, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7322-2777","authenticated-orcid":false,"given":"Lucas","family":"Davi","sequence":"additional","affiliation":[{"name":"University of Duisburg-Essen, Essen, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,6,22]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1609956.1609960"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","unstructured":"Zubair Ahmad Stefano Calzavara Samuele Casarin and Ben Stock. 2024. Information flow control for comparative privacy analyses. doi:10.1007\/s10207-024-00886-0 10.1007\/s10207-024-00886-0","DOI":"10.1007\/s10207-024-00886-0"},{"key":"e_1_2_1_3_1","unstructured":"Amazon Interactive Video Service (IVS). Accessed: 2024-09-01 https:\/\/aws.amazon.com\/ivs\/"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568293"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3689787"},{"key":"e_1_2_1_6_1","volume-title":"Camil Demetrescu, and Irene Finocchi.","author":"Baldoni Roberto","year":"2018","unstructured":"Roberto Baldoni, Emilio Coppa, Daniele Cono D\u2019elia, Camil Demetrescu, and Irene Finocchi. 2018. A Survey of Symbolic Execution Techniques. ACM Comput. Surv., 51."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447852.3458718"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"e_1_2_1_9_1","volume-title":"USENIX Security Symposium.","author":"Bosamiya Jay","year":"2022","unstructured":"Jay Bosamiya, Wen Shih Lim, and Bryan Parno. 2022. Provably-Safe Multilingual Software Sandboxing using WebAssembly. In USENIX Security Symposium."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2024-0092"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102745"},{"key":"e_1_2_1_12_1","unstructured":"Cristian Cadar Daniel Dunbar and Dawson R Engler. 2008. Klee: unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985995"},{"key":"e_1_2_1_14_1","unstructured":"Calling JavaScript from C\/C++. Accessed: 2024-09-01 https:\/\/emscripten.org\/docs\/porting\/connecting_cpp_and_javascript\/Interacting-with-code.html"},{"key":"e_1_2_1_15_1","unstructured":"Canvaskit: Skia is a complete 2D graphic library for drawing Text Geometries and Images. Accessed: 2024-09-01 https:\/\/skia.org\/docs\/user\/modules\/canvaskit\/"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3680358"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyw005"},{"key":"e_1_2_1_18_1","unstructured":"Chrome Platform Status. Accessed: 2024-2-22 https:\/\/chromestatus.com\/metrics\/feature\/timeline\/popularity\/2237"},{"key":"e_1_2_1_19_1","volume-title":"SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing. In USENIX Security Symposium.","author":"Cloosters Tobias","year":"2022","unstructured":"Tobias Cloosters, Johannes Willbold, Thorsten Holz, and Lucas Davi. 2022. SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing. In USENIX Security Symposium."},{"key":"e_1_2_1_20_1","unstructured":"Control Flow Guard. Accessed: 2024-09-01 https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/SecBP\/control-flow-guard"},{"key":"e_1_2_1_21_1","volume-title":"StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium.","author":"Cowan Crispin","year":"1998","unstructured":"Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. 1998. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","unstructured":"D Crocker. 1997. Mailbox names for common services roles and functions. RFC Editor. doi:10.17487\/rfc2142 10.17487\/rfc2142","DOI":"10.17487\/rfc2142"},{"key":"e_1_2_1_23_1","unstructured":"DataFlowSanitizer. Accessed: 2024-09-01 https:\/\/clang.llvm.org\/docs\/DataFlowSanitizer.html"},{"key":"e_1_2_1_24_1","volume-title":"USENIX Security Symposium.","author":"Davi Lucas","year":"2014","unstructured":"Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security Symposium."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3680389"},{"key":"e_1_2_1_26_1","unstructured":"FingerprintJS: Browser fingerprinting library. Accessed: 2024-09-01 https:\/\/fingerprint.com"},{"key":"e_1_2_1_27_1","volume-title":"USENIX Workshop on Offensive Technologies (WOOT).","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Maier, Heiko Ei\u00dffeldt, and Marc Heuse. 2020. AFL++: Combining Incremental Steps of Fuzzing Research. In USENIX Workshop on Offensive Technologies (WOOT)."},{"key":"e_1_2_1_28_1","unstructured":"Jonathan Foote. Hijacking the control flow of a WebAssembly program. Accessed: 2024-09-01 https:\/\/www.fastly.com\/blog\/hijacking-control-flow-webassembly"},{"key":"e_1_2_1_29_1","first-page":"01050","article-title":"TaintAssembly","volume":"1802","author":"Fu William","year":"2018","unstructured":"William Fu, Raymond Lin, and Daniel Inge. 2018. TaintAssembly: Taint-Based Information Flow Control Tracking for WebAssembly. 1802.01050.","journal-title":"Taint-Based Information Flow Control Tracking for WebAssembly."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24290"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380428"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3062341.3062363"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23263"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3517745.3561437"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503921.3503924"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3685300"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598064"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450138"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243840"},{"key":"e_1_2_1_40_1","volume-title":"USENIX Security Symposium.","author":"Hu Hong","year":"2015","unstructured":"Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, and Zhenkai Liang. 2015. Automatic generation of data-oriented exploits. In USENIX Security Symposium."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.62"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3652141"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238177"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179357"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24078"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24308"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00098"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179403"},{"key":"e_1_2_1_49_1","volume-title":"USENIX Security Symposium.","author":"Khodayari Soheil","year":"2021","unstructured":"Soheil Khodayari and Giancarlo Pellegrino. 2021. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals.. In USENIX Security Symposium."},{"key":"e_1_2_1_50_1","volume-title":"Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting. In USENIX Security Symposium.","author":"Kirchner Robin","year":"2024","unstructured":"Robin Kirchner, Jonas M\u00f6ller, Marius Musch, David Klein, Konrad Rieck, and Martin Johns. 2024. Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting. In USENIX Security Symposium."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP53844.2022.00023"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243858"},{"key":"e_1_2_1_53_1","volume-title":"USENIX Security Symposium.","author":"Lehmann Daniel","year":"2020","unstructured":"Daniel Lehmann, Johannes Kinder, and Michael Pradel. 2020. Everything Old is New Again: Binary Security of WebAssembly. In USENIX Security Symposium."},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/3519939.3523449"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304068"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598104"},{"key":"e_1_2_1_57_1","volume-title":"Martin Toldam Torp, and Michael Pradel","author":"Lehmann Daniel","year":"2021","unstructured":"Daniel Lehmann, Martin Toldam Torp, and Michael Pradel. 2021. Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly. 2110.15433."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623205"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00051"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3395351.3399360"},{"key":"e_1_2_1_62_1","unstructured":"Brian McFadden Tyler Lukasiewicz Jeff Dileo and Justin Engler. 2018. Security chasms of wasm."},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","unstructured":"Marius Musch Christian Wressnegger Martin Johns and Konrad Rieck. 2019. New kid on the web: A study on the prevalence of WebAssembly in the wild. In Detection of Intrusions and Malware and Vulnerability Assessment. doi:10.1007\/978-3-030-22038-9_2 10.1007\/978-3-030-22038-9_2","DOI":"10.1007\/978-3-030-22038-9_2"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3339261"},{"key":"e_1_2_1_66_1","volume-title":"USENIX Security Symposium.","author":"Narayan Shravan","year":"2020","unstructured":"Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting fine grain isolation in the Firefox renderer. In USENIX Security Symposium."},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_2_1_68_1","unstructured":"Aleph One. 1996. Smashing the stack for fun and profit. Phrack magazine 7 49 14-16."},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00094"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP57164.2023.00034"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.39"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833626"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583235"},{"key":"e_1_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.51"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_2_1_76_1","volume-title":"Network and Distributed System Security Symposium (NDSS).","author":"Sekar R.","year":"2009","unstructured":"R. Sekar. 2009. An Efficient Black-box Technique for Defeating Web Application Attacks.. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_2_1_77_1","volume-title":"Proceedings of the 2012 USENIX conference on Annual Technical Conference (ATC\u201912)","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. 2012. AddressSanitizer: a fast address sanity checker. In Proceedings of the 2012 USENIX conference on Annual Technical Conference (ATC\u201912)."},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623178"},{"key":"e_1_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.45"},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24028"},{"key":"e_1_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23009"},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM51674.2020.00007"},{"key":"e_1_2_1_84_1","volume-title":"How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In USENIX Security Symposium.","author":"Stock Ben","year":"2017","unstructured":"Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. 2017. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In USENIX Security Symposium."},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23171"},{"key":"e_1_2_1_86_1","volume-title":"USENIX Security Symposium.","author":"Stock Ben","year":"2016","unstructured":"Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, you have a problem: On the feasibility of Large-Scale web vulnerability notification. In USENIX Security Symposium."},{"key":"e_1_2_1_87_1","volume-title":"Proc. of the ACM Conference on Computer and Communications Security (CCS).","author":"Stock Ben","year":"2015","unstructured":"Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies, and Martin Johns. 2015. From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting. In Proc. of the ACM Conference on Computer and Communications Security (CCS)."},{"key":"e_1_2_1_88_1","unstructured":"PaX Team. 2001. PaX Address Space Layout Randomization (ASLR). https:\/\/pax.grsecurity.net\/docs"},{"key":"e_1_2_1_89_1","unstructured":"wabt: The WebAssembly Binary Toolkit. Accessed: 2024-09-01 https:\/\/github.com\/WebAssembly\/wabt"},{"key":"e_1_2_1_90_1","unstructured":"Walrus: A WebAssembly transformation library. Accessed: 2024-09-01 https:\/\/github.com\/rustwasm\/walrus"},{"key":"e_1_2_1_91_1","unstructured":"WASI: WebAssembly System Interface. Accessed: 2024-09-01 https:\/\/wasi.dev\/"},{"key":"e_1_2_1_92_1","unstructured":"WebAssembly Security. In WebAssembly Security. Accessed: 2024-09-01 https:\/\/webassembly.org\/docs\/security\/"},{"key":"e_1_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1145\/3453483.3454054"},{"key":"e_1_2_1_94_1","unstructured":"Eric Zeng Frank Li Emily Stark A Felt and Parisa Tabriz. 2019. Fixing HTTPS Misconfigurations at Scale: An Experiment with Security Notifications."},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3680340"},{"key":"e_1_2_1_96_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00188"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3728937","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T16:51:32Z","timestamp":1752684692000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3728937"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,22]]},"references-count":96,"journal-issue":{"issue":"ISSTA","published-print":{"date-parts":[[2025,6,22]]}},"alternative-id":["10.1145\/3728937"],"URL":"https:\/\/doi.org\/10.1145\/3728937","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,22]]}}}