Software Developers are Concerned About the Unintended Consequences of New Web Technologies

Newer web technologies like WebAssembly and Rust are massively reducing the time some client-side processes take to complete when a page loads, but developers are now releasing new information that could lead to patches for these application platforms in the coming weeks.

Several additions and updates are planned for WebAssembly, which could hypothetically render some of the Meltdown and Spectre attack mitigations useless. A report put out by a researcher from Forcepoint indicated that WebAssembly modules could be used for nefarious purposes, and that certain types of timing attacks might actually be made worse by new routines intended to make the platform more accessible for coders.

Timing attacks are a subclass of side-channel exploits that allow a third-party observer to peek at encrypted data by measuring how long it takes to execute a cryptographic algorithm. Meltdown, Spectre and other related CPU-based vulnerabilities are all examples of timing attacks.

The report suggests that WebAssembly would make these calculations that much easier. It’s already been used as an attack vector for installing cryptocurrency mining software without permission, and this might also be an area where new patches will be required to prevent further abuse. This could mean that patches for these updates may have to come out after they’re released to a majority of users.

Mozilla has attempted to mitigate the problem of timing attacks to some degree by reducing the precision of some performance counters, but new additions to WebAssembly could make this mitigation ineffective, since these updates could allow opaque code to execute on a user's machine. This code could theoretically be written in a higher-level language first and then compiled to the WASM bytecode format.
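As an added illustration (not code from the article or from Mozilla) of what reducing timer precision buys: timestamps are quantized to a coarse grid, so two operations whose durations differ by less than the grid spacing produce the same reading in almost every single measurement. The resolutions, durations and the pseudo-random start offsets below are assumed values constructed for the simulation, not any vendor's actual settings.

```javascript
// All times are integer nanoseconds so the arithmetic is exact.
const FINE_RESOLUTION_NS = 5;        // assumed: a high-resolution timer
const COARSE_RESOLUTION_NS = 100000; // assumed: a timer coarsened to 100 µs

// Quantize a timestamp to the timer's resolution, mimicking what a clamped
// performance.now() reports instead of the true time.
function coarsen(tsNs, resolutionNs) {
  return Math.floor(tsNs / resolutionNs) * resolutionNs;
}

// Duration of an operation as seen through a timer of the given resolution,
// given its true start time and true duration.
function observedDuration(startNs, trueDurationNs, resolutionNs) {
  return coarsen(startNs + trueDurationNs, resolutionNs)
       - coarsen(startNs, resolutionNs);
}

// Constructed deterministic pseudo-random source (a small LCG) so the
// simulation is reproducible and does not depend on a real clock.
function* lcg(seed) {
  let x = seed >>> 0;
  while (true) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0;
    yield x / 2 ** 32;
  }
}

// Fraction of single measurements in which two operations with the given
// true durations yield different observed durations. 1.0 means every reading
// reveals the difference; near 0 means the coarse timer hides it.
function distinguishableFraction(durANs, durBNs, resolutionNs, trials) {
  const rnd = lcg(42);
  let differing = 0;
  for (let i = 0; i < trials; i++) {
    // true start time somewhere in the first millisecond
    const start = Math.floor(rnd.next().value * 1000000);
    const a = observedDuration(start, durANs, resolutionNs);
    const b = observedDuration(start, durBNs, resolutionNs);
    if (a !== b) differing++;
  }
  return differing / trials;
}

// Two operations that differ by 3 µs: always distinguishable at 5 ns
// resolution, distinguishable in only ~3% of readings at 100 µs resolution.
const fine = distinguishableFraction(10000, 13000, FINE_RESOLUTION_NS, 10000);
const coarse = distinguishableFraction(10000, 13000, COARSE_RESOLUTION_NS, 10000);
console.log({ fine, coarse });
```

Lowering the resolution only makes individual readings ambiguous rather than removing the signal, which is why the article describes the mitigation as helping "to some degree".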

The team that develops Rust, a technology Mozilla itself has promoted, has introduced a five-step disclosure process as well as 24-hour email acknowledgements for all bug reports. While their security team appears to be quite small at the moment, this is likely similar to the approach that many newer application platform consortia will take when dealing with these sorts of issues.

End-users are urged, as always, to install relevant updates in order to reduce their overall exposure to CPU-based exploits.
