tools for WebAssembly

[monperrus]

we collect open-source tools here

[monperrus]

WABT: WebAssembly Binary Toolkit https://github.com/WebAssembly/wabt

[monperrus]

Octopus: Security Analysis tool for WebAssembly module https://github.com/quoscient/octopus

[Jacarte]

WASABI: First tool for dynamic analysis of webassembly modules, implemented in RUST

[jianguda]

Wasmer: a standalone WebAssembly runtime, for running WebAssembly outside of the Browser https://github.com/wasmerio/wasmer

[monperrus]

A small and efficient runtime for WebAssembly & WAS https://wasmtime.dev/

https://github.com/bytecodealliance/wasmtime

[satabin]

A small and efficient runtime for WebAssembly & WAS https://wasmtime.dev/

On that topic, I also intend to add a WASI implementation to Swam, might be relevant for you as it also include security by capabilities.

[Jacarte]

https://github.com/xtuc/webassemblyjs

[Jacarte]

Hi @shrin18 WDYT? https://github.com/jcbeyler/wasm-to-llvm-prototype

[monperrus]

for fun: Vim editor ported to WebAssembly https://github.com/rhysd/vim.wasm

[monperrus]

TeaVM is an ahead-of-time compiler for Java bytecode that emits JavaScript and WebAssembly http://teavm.org/

[monperrus]

Similar to TeaVM Java to WebAssembly compiler https://github.com/i-net-software/JWebAssembly

[jianguda]

Lucet (the Sandboxing WebAssembly Compiler) Lucet is a native WebAssembly compiler and runtime. It is designed to safely execute untrusted WebAssembly programs inside your application. https://github.com/bytecodealliance/lucet

[shrin18]

a) Web Assembly Studio: https://webassembly.studio/

b) WASM Explorer - Side by side comparison of WASM, LLVM with Firefox x86 programs https://github.com/mbebenita/WasmExplorer

[Jacarte]

binaryen.js

[orestisfl]

WebAssembly to C decompiler https://github.com/wwwg/wasmdec https://wwwg.github.io/web-wasmdec/

[monperrus]

Cool. To what extent is C the easiest target language for disassembling WASM?

[monperrus]

SideFuzz is an adaptive fuzzer that uses a genetic-algorithim optimizer in combination with t-statistics to find side-channel (timing) vulnerabilities in cryptography compiled to wasm. https://github.com/phayes/sidefuzz

[Jacarte]

Cheerp: a C/C++ compiler for Web applications

[monperrus]

Walrus is a WebAssembly transformation library https://github.com/rustwasm/walrus

[monperrus]

GraalWasm a WebAssembly engine in GraalVM https://github.com/oracle/graal/tree/master/wasm

[monperrus]

Gate: a WebAssembly runtime which can migrate live programs across CPU architectures https://savo.la/introduction-to-gate.html

[Jacarte]

ilwasm Maps a subset of .NET CIL to WebAssembly S-expressions. Implemented as a custom code generator backend for the JSIL CIL -> JS compiler.

[shrin18]

WASM Binary file parser from Mozilla: https://github.com/bytecodealliance/wasmparser

[jianguda]

twiggy

Twiggy is a code size profiler for Wasm. It analyzes a binary's call graph to answer questions like:

• Why was this function included in the binary in the first place? Who calls it?
• What is the retained size of this function? I.e. how much space would be saved if I removed it and all the functions that become dead code after its removal.

[Jacarte]

https://github.com/wasienv/wasienv

[monperrus]

Running LibFuzzer in a Browser, via WASM https://github.com/jonathanmetzman/wasm-fuzzing-demo/blob/master/meetup-Fuzzing-Native-Applications-in-Browsers-With-WASM.pdf

[monperrus]

Fuzzing JavaScript WebAssembly APIs with Dharma/Domato (Chrome/v8) https://webassembly-security.com/fuzzing-wasm-javascript-dharma-chrome-v8/

[monperrus]

inNative WebAssembly Runtime: inNative is an AOT (ahead-of-time) compiler for WebAssembly that creates C compatible binaries, either as sandboxed plugins you can dynamically load, or as stand-alone executables that interface directly with the operating system https://innative.dev/

[monperrus]

wasm3/wasm3: 🚀 The fastest WebAssembly interpreter https://github.com/wasm3/wasm3

[Jacarte]

https://v8.dev/blog/emscripten-standalone-wasm

[orestisfl]

Symbolically Executing WebAssembly in Manticore

https://blog.trailofbits.com/2020/01/31/symbolically-executing-webassembly-in-manticore/

[monperrus]

https://github.com/m4riuz/wasm-collector Collects all WebAssembly modules from a given website

[Jacarte]

A library able to create, read, modify, write and execute WebAssembly (WASM) files from .NET-based applications. Execution does not use an interpreter. WASM instructions are mapped to their .NET equivalents and converted to native machine language by the .NET JIT compiler.

https://github.com/RyanLamansky/dotnet-webassembly

[Jacarte]

UNIX IN YOUR BROWSER TAB Run C, C++, Go and Node.js programs as processes in browsers, including LaTeX, GNU Make, Go HTTP servers, and POSIX shell scripts.

https://browsix.org/

[Jacarte]

https://github.com/cgvwzq/writeups/blob/master/how-to-wasm.md

[Jacarte]

WebAssembly Tool Conventions

This repository holds documents describing conventions useful for coordinating interoperability between wasm-related tools. This includes descriptions of intermediate file formats, conventions for mapping high-level language types, names, and abstraction features to WebAssembly types, identifiers, and implementations, and schemes for supporting debuggers or other tools.

These conventions are not part of the WebAssembly standard, and are not required of WebAssembly-consuming implementations to execute WebAssembly code. Tools producing and working with WebAssembly in other ways also need not follow any of these conventions. They exist only to support tools that wish to interoperate with other tools at a higher abstraction level than just WebAssembly itself.

These conventions are also not exclusive. There could be multiple conventions for a given language for a given purpose. There are natural benefits to interoperability, but there are many reasons where having more than one way to do things can also make sense in many circumstances.

[monperrus]

Octopus: Security Analysis tool for WebAssembly module (wasm) and Blockchain Smart Contracts (BTC/ETH/NEO/EOS) https://github.com/pventuzelo/octopus

[Jacarte]

Instruments wasm files and traces execution, using Binaryen.js and Wasmer.js

https://github.com/wasm3/wasm-trace

[monperrus]

WebAssembly Virtual Machine: WAVM uses LLVM to compile WebAssembly code to machine code with close to native performance. https://github.com/WAVM/WAVM/

[monperrus]

the tigress c obfuscator now targets webassembly https://tigress.wtf/

[satabin]

Instruments wasm files and traces execution, using Binaryen.js and Wasmer.js

https://github.com/wasm3/wasm-trace

I rely like this one, I think it would be easy to adapt our tracer to produce the same kind of output.

[monperrus]

But you can use <WASMER> in a lot of other languages. After having announced libraries to use Wasmer, and thus WebAssembly, in:

• PHP with the ext/wasm extension,
• Python with the wasmer library,
• Ruby with the wasmer library,
• Go with the wasmer library (see Announcing the fastest WebAssembly runtime for Go: wasmer), and even
• Postgres with the wasmer library (see Announcing the first Postgres extension to run WebAssembly),
• and many other contributions in .NET/C#, R and Elixir…
• …we are jazzed to announce that Wasmer has now landed in Java!

https://medium.com/wasmer/announcing-the-first-java-library-to-run-webassembly-wasmer-jni-89e319d2ac7c

[monperrus]

Enarx is an application deployment system enabling applications to run within Trusted Execution Environments (TEEs) without rewriting for particular platforms or SDKs. It handles attestation and delivery into a run-time “Keep” based on WebAssembly [...] Work is currently underway on AMD SEV and Intel SGX.

https://github.com/enarx/enarx

[monperrus]

Proprietary software: Jeb decompiler for WebAssembly

[monperrus]

Blazor: run C# and .NET in WebAssembly https://dotnet.microsoft.com/apps/aspnet/web-apps/blazor

[Jacarte]

Benchmarks study on WASM (quite exhaustive), https://medium.com/@torch2424/webassembly-is-fast-a-real-world-benchmark-of-webassembly-vs-es6-d85a23f8e193

[orestisfl]

(wasmer) WebAssembly Runtime for python

https://github.com/wasmerio/wasmer-python

[monperrus]

Webassembly Plugins for the Envoy proxy https://www.solo.io/blog/the-state-of-webassembly-in-envoy-proxy/

(We could write a diversifying proxy by putting Crow there)

[orestisfl]

wasm-smith: A WebAssembly test case generator

https://github.com/fitzgen/wasm-smith

[monperrus]

WasmView: Visual Testing for WebAssembly Applications https://www.acsu.buffalo.edu/~alanroma/WasmView_Visual_Testing_for_WebAssembly_Applications.pdf