When Browser Memory Becomes a Bento Box

Google Earth, Zoom, Twitch.tv, or Photoshop – thanks to the WebAssembly standard, many powerful applications now run directly in the browser without installation. However, some of these web apps have serious security vulnerabilities. Researchers from paluno – The Ruhr Institute for Software Technology at the University of Duisburg-Essen have developed a solution to secure COTS applications by automatically reorganizing their memory.

Since 2019, WebAssembly (Wasm for short) has been a stable web standard designed to make complex desktop applications run in the browser. To make this possible, the original program code – often written in C or C++ – is compiled into the Wasm binary format, which is supported by all major browsers. There is a catch, however: if the code contains vulnerabilities, these are also transferred into the Wasm module during compilation. In C/C++, these are typically memory access errors such as buffer overflows. Hackers can exploit such vulnerabilities for so-called cross-site scripting (XSS) attacks, injecting malicious code that users then unknowingly execute in their browsers.

Existing approaches to securing Wasm modules are hardly practical: many require access to the application's source code, while others need special hardware or customized browser environments. The new solution developed by paluno researchers Oussama Draissi and Prof. Lucas Davi takes a different approach. They use Wasm's multi-memory feature to perform a one-time, fully automated memory reorganization of existing modules. The restructuring is reminiscent of a Japanese bento box, in which different foods are neatly separated into individual compartments. The advantage: isolating memory areas prevents, for example, HTML tags in one memory area from being overwritten by a buffer overflow in another. For users, the restructuring of the modules comes with no noticeable drawbacks. They will notice neither longer loading times nor a significantly larger memory footprint.
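A small Python model of the argument above, added here as an illustration and not code from the paluno project: Wasm stores only trap at the outer edge of a linear memory, so a buffer and an HTML template sharing one memory are separated by nothing, while placing the buffer in its own memory turns the same overflow into a trap. The sizes, template and oversized input are constructed for the example.

```python
# Toy model (not the paluno tool) of why giving each region its own
# Wasm memory stops an overflow: a Wasm store traps only when it runs
# past the END of a linear memory, never when it crosses between
# variables that share one memory.

class WasmTrap(Exception):
    """Raised when a store runs past the end of a linear memory."""

class LinearMemory:
    """One Wasm linear memory: a flat byte array bounds-checked at its edge."""
    def __init__(self, size: int):
        self.data = bytearray(size)

    def store(self, addr: int, payload: bytes) -> None:
        if addr < 0 or addr + len(payload) > len(self.data):
            raise WasmTrap(f"out-of-bounds store at {addr}")
        self.data[addr:addr + len(payload)] = payload

    def load(self, addr: int, n: int) -> bytes:
        return bytes(self.data[addr:addr + n])

TEMPLATE = b"<b>hello</b>"   # HTML fragment the module later hands to the page
BUF_SIZE = 8                 # fixed-size input buffer

def unsafe_copy(mem: LinearMemory, buf_addr: int, user_input: bytes) -> None:
    """strcpy-style copy with no length check: the C/C++ bug class."""
    mem.store(buf_addr, user_input)

def run_single_memory(user_input: bytes) -> bytes:
    """Classic layout: buffer and template share one linear memory."""
    mem = LinearMemory(64)
    buf_addr, tmpl_addr = 0, BUF_SIZE          # template sits right after buffer
    mem.store(tmpl_addr, TEMPLATE)
    unsafe_copy(mem, buf_addr, user_input)     # overflow silently rewrites it
    return mem.load(tmpl_addr, len(TEMPLATE))

def run_bento_memory(user_input: bytes) -> bytes:
    """Bento layout: the buffer gets its own memory sized for it."""
    buf_mem = LinearMemory(BUF_SIZE)
    tmpl_mem = LinearMemory(64)
    tmpl_mem.store(0, TEMPLATE)
    try:
        unsafe_copy(buf_mem, 0, user_input)    # overflow hits the memory edge
    except WasmTrap:
        pass                                   # the store traps, nothing leaks over
    return tmpl_mem.load(0, len(TEMPLATE))

EVIL = b"A" * BUF_SIZE + b"<i>injected"        # constructed oversized input
```

Running `run_single_memory(EVIL)` returns the rewritten template, while `run_bento_memory(EVIL)` returns it unchanged; a real compartment is page-sized rather than byte-exact, but the template is still out of reach.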

The researchers tested the effectiveness of the bento approach using known security vulnerabilities, including the infamous Heartbleed Bug. "In extensive tests, we were able to demonstrate that our solution would have successfully defended against real-world attacks on widely used applications," explains Oussama Draissi.

The work will be presented at the renowned “The ACM Web Conference” in Dubai at the end of June 2026.

Publication: https://doi.org/10.1145/3774904.3792439

Further information: Prof. Dr. Lucas Davi, Universität Duisburg-Essen, paluno – The Ruhr Institute for Software Technology, lucas.davi@uni-due.de

Editor: Birgit Kremer, paluno, birgit.kremer@paluno.uni-due.de

Regions: Europe, Germany
Keywords: Applied science, Computing