
WebAssembly standard

Open carllaw6885 opened this issue 5 years ago • 28 comments

Following the comment of a participant at NDC London, please consider a standard for WebAssembly

carllaw6885 avatar Jan 30 '20 11:01 carllaw6885

What would such a WebAssembly standard entail?

MarcinHoppe avatar Jan 30 '20 11:01 MarcinHoppe

Good question and I’m not going to pretend to know. I was in a talk with Jim Manico where someone asked this question at the end and he asked for someone to raise an issue on here to answer it.

carllaw6885 avatar Jan 30 '20 11:01 carllaw6885

Thank you for this! We’ll address it somehow in the next version. We’re working on it next month so you’ll see activity then.

Thanks again!

On Jan 30, 2020, at 11:42 AM, carllaw6885 [email protected] wrote:

 Following the comment of a participant at NDC London, please consider a standard for WebAssembly


jmanico avatar Jan 30 '20 12:01 jmanico

Yea we’re doing a project summit in Cancun next month. We’ll discuss it and research it in detail then!

-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

On Jan 30, 2020, at 11:48 AM, carllaw6885 [email protected] wrote:

 Good question and I’m not going to pretend to know. I was in a talk with Jim Manico where someone asked this question at the end and he asked for someone to raise an issue on here to answer it.


jmanico avatar Jan 30 '20 12:01 jmanico

I have not made progress on this and am new to the technology. Anyone else have any ideas here?

jmanico avatar Mar 12 '21 21:03 jmanico

@jmanico A WebAssembly runtime’s security model is very particular. Some offensively oriented papers have been written on it, e.g. Everything Old is New Again: Binary Security of WebAssembly. ASVS may mostly focus on verification that when converting to or otherwise adding WebAssembly modules, this model is taken into account.

sanmai-NL avatar May 16 '21 14:05 sanmai-NL

Would you like to propose a few requirements for this section which we can add to the current version?

jmanico avatar May 17 '21 18:05 jmanico

@jmanico ASVS Level 2, V1.13 API Architectural Requirements

Verify that all applicable security models (e.g., WebAssembly, Same Origin Policy) have been explicitly accounted for, per (sub)system, in the architectural design, at least the interactions between domains that are governed by different models.

sanmai-NL avatar Jun 18 '21 08:06 sanmai-NL

We are going to close this issue for now. Please reopen it with some more specific recommendations if you are still interested in working on this.

danielcuthbert avatar Jul 20 '21 14:07 danielcuthbert

I think we need to keep this topic and see if we can find anyone else to provide some ideas. I don't think we can ignore it for 5.0.

tghosth avatar Jun 22 '22 13:06 tghosth

This has not had activity recently and will need someone from the community to provide more specific recommendations in order to progress.

tghosth avatar Dec 07 '22 15:12 tghosth

@set-reminder 2 months Close if no further activity

tghosth avatar Dec 07 '22 15:12 tghosth

Reminder Tuesday, February 7, 2023 12:00 AM (GMT+01:00)

Close if no further activity

octo-reminder[bot] avatar Dec 07 '22 15:12 octo-reminder[bot]

https://thenewstack.io/6-security-risks-to-consider-with-webassembly/

tghosth avatar Dec 07 '22 16:12 tghosth

🔔 @tghosth

Close if no further activity

octo-reminder[bot] avatar Feb 06 '23 23:02 octo-reminder[bot]

Hi @nielstanis, any ideas on this? We are looking for straightforward security recommendations we can use for ASVS related to WebAssembly.

tghosth avatar May 23 '23 14:05 tghosth