Abstract

WebAssembly (Wasm) is an increasingly popular compilation target, offering compact representation, efficient validation and compilation, and safe low to no-overhead execution. Wasm is popular not only on the browsers but finding adoption across various platforms. As its popularity grows for various applications, so does the need to obfuscate it, subsequently raising the necessity to de-obfuscate. In this talk we will discuss how to de-obfuscate Wasm code using LLVM compiler infrastructure.

There is extensive literature available on the security of Wasm from an exploitation perspective, i.e. finding vulnerabilities, writing exploits and secure coding practices. In this work, we will discuss Wasm security from a reverse engineering perspective, specifically how to deal with obfuscate and de-obfuscate Wasm. Broadly we will be covering the following topics in this presentation:

• Essential Wasm internals from reverse-engineering perspective.
• Brief introduction to obfuscation techniques.
• How to perform compiler-based obfuscation of Wasm code using various open-source tooling.
• The core idea - how to de-obfuscate Wasm code using LLVM compiler infrastructure.

LLVM implements extensive code optimisation techniques that can be harnessed to simplify diverse obfuscation techniques. We will use this very idea in our de-obfuscation journey, commencing with simple obfuscation scenarios and progressively ratcheting up the complexity level to demonstrate the effectiveness of our approach. We will also show application of our learnings to some real world scenarios.

The final takeaway for the audience will be an understanding of how to obfuscate and de-obfuscate Wasm code. Moreover, they will gain confidence to tackle obfuscated code without writing pattern-based simplification rules. The ideas and techniques discussed are not limited to Wasm, in fact they are language and platform agnostic, and can be applied to any obfuscated code.