{"id":20009776,"url":"https://github.com/plsyssec/veriwasm","last_synced_at":"2025-05-07T15:24:09.686Z","repository":{"id":49427659,"uuid":"287788234","full_name":"PLSysSec/veriwasm","owner":"PLSysSec","description":"SFI verifier of Wasm binaries","archived":false,"fork":false,"pushed_at":"2023-03-22T19:41:00.000Z","size":604,"stargazers_count":81,"open_issues_count":3,"forks_count":6,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-29T00:43:00.100Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PLSysSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-08-15T16:55:39.000Z","updated_at":"2025-01-30T22:10:45.000Z","dependencies_parsed_at":"2024-02-10T12:47:04.397Z","dependency_job_id":null,"html_url":"https://github.com/PLSysSec/veriwasm","commit_stats":{"total_commits":343,"total_committers":9,"mean_commits":"38.111111111111114","dds":"0.18075801749271136","last_synced_commit":"60a64d279ecb676549aab51838d52b41ec6d1360"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Fveriwasm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Fveriwasm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Fveriwasm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Fveriwasm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PLSysSec","download_url":"https://codeload.github.com/PLSysSec/veriwasm/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252903610,"owners_count":21822476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T07:17:03.866Z","updated_at":"2025-05-07T15:24:09.660Z","avatar_url":"https://github.com/PLSysSec.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VeriWasm: SFI safety for native-compiled Wasm\n\nThis repository contains all the code and data necessary for building VeriWasm and reproducing the results presented in our NDSS'21 paper [Доверя́й, но проверя́й: SFI safety for native-compiled Wasm](http://cseweb.ucsd.edu/~dstefan/pubs/johnson:2021:veriwasm.pdf).  \n  \n## Abstract  \nWebAssembly (Wasm) is a platform-independent bytecode that offers both good performance and runtime isolation. To implement isolation, the compiler inserts safety checks when it compiles Wasm to native machine code. While this approach is cheap, it also requires trust in the compiler's correctness—trust that the compiler has inserted each necessary check, correctly formed, in each proper place. Unfortunately, subtle bugs in the Wasm compiler can break—and have broken—isolation guarantees. To address this problem, we propose verifying memory isolation of Wasm binaries post-compilation. We implement this approach in VeriWasm, a static offline verifier for native x86-64 binaries compiled from Wasm; we prove the verifier's soundness, and find that it can detect bugs with no false positives. Finally, we describe our deployment of VeriWasm at Fastly.\n\n## Build VeriWasm\n\nYou first need to install several dependencies:\n\n- git\n- Rust\n- nasm (to compile test cases)\n- gcc (to compile test cases)\n- python3 (for scripts)\n\nOnce you have these, you can build VeriWasm:\n\n```bash\ngit submodule update --init --recursive\ncargo build --release\n```\n\n## Run VeriWasm\n\nTo run VeriWasm on your own binaries, you just need to point it to the module you want to check:\n\n```bash\ncargo run --release -- -i \u003cinput path\u003e \n```\n\nUsage:  \n\n```\nVeriWasm 0.1.0\nValidates safety of native Wasm code\n\nUSAGE:\n    veriwasm [FLAGS] [OPTIONS] -i \u003cmodule path\u003e\n\nFLAGS:\n    -h, --help       Prints help information\n    -q, --quiet      \n    -V, --version    Prints version information\n\nOPTIONS:\n    -j, --jobs \u003cjobs\u003e                   Number of parallel threads (default 1)\n    -i \u003cmodule path\u003e                    path to native Wasm module to validate\n    -o, --output \u003cstats output path\u003e    Path to output stats file\n```\n\n## Reproducing evaluation results\n\nThis repo contains all the infrastructure necessary for reproducing the results described in the paper. Once you build VeriWasm you can run our tests and and performance benchmarks.\n\n### Running the evaluation suite\n\nTo verify all the binaries described in the paper, except the SPEC CPU 2006 binaries (they are proprietary) and the Fastly production binaries, run:\n\n```bash\ngit clone https://github.com/PLSysSec/veriwasm_public_data.git\ncd veriwasm_public_data \u0026\u0026 sh setup.sh \u0026\u0026 sh build_negative_tests.sh \u0026\u0026 cd ..\ncargo test --release\n```\n\nTo get get the performance statistics for the binaries, run:\n\n```bash\nmake compute_stats\npython3 graph_stats.py stats/*\n```\n\n### Fuzzing VeriWasm\n\nTo fuzz VeriWasm, you'll need to install `cmake` and then build the fuzzers (and the tooling they rely on):\n\n```bash\nmake build_fuzzers\n```\n\nThen, either run the  [Csmith](https://embed.cs.utah.edu/csmith/)-based fuzzer:\n\n```bash\ncd veriwasm_fuzzing\nmake csmith_fuzz\n```\n\nor the Wasm-based fuzzer:    \n\n```bash\ncd veriwasm_fuzzing\nmake wasm_fuzz\n```\n\nBy default, `make` will use four cores; you may want to change this.\n\n## Related repos\n\n- **Binaries used for evaluation**: The binaries we verified as part of our evaluation are [here](https://github.com/PLSysSec/veriwasm_public_data.git).\n\n- **Fuzzing scripts**: The scripts we used to fuzz VeriWasm are [here](https://github.com/PLSysSec/veriwasm_fuzzing).\n\n- **Mechanized proofs**: The proofs from our paper are [here](https://github.com/PLSysSec/veriwasm-verification).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplsyssec%2Fveriwasm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fplsyssec%2Fveriwasm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplsyssec%2Fveriwasm/lists"}