"Since compiled code is immutable and not observable at runtime, WebAssembly programs are protected from control flow hijacking attacks"

[andersson09]

Hey I asked this question earlier in response #25927 but decided to separate it since original question was marked as answered.

The statement in the title is from webassembly.org and confuses me. Could someone explain it to me in a bit more in depth. In original thread, it is said that it is possible that the user can read variables. But can they also alter variables at runtime and change execution plan which would impose a security risk?

Also, are there any ways of storing data into secure memory in blazor which is hidden from the user. I've looked at subtlecrypto and it implies cryptokeys are hidden even when stored in indexeddb. But what is the point of this feature if the data you are encrypting is already in memory and can be read, or is the purpose of subtlecrypto nothing to do with user and more for encrypting data and hiding it from the server?

Thank you!

[blowdart]

There are no ways of storing data in memory that are hidden from a user that you can use in WASM (or indeed .net on the desktop, or java, or c++). Anyone with the right software can look at processes they own, and the contents of those processes.

The way that's usually mitigated is not allowing the users to install such software, usually by removing their admin rights.

Of course you can't rely on that, and you can't check it either. Any permissions checks should be duplicated server side, and that also applies your old desktop apps.

You'll see the warning on the subtlecrypto home page,

"Even assuming you use the basic cryptographic functions correctly, secure key management and overall security system design are extremely hard to get right, and are generally the domain of specialist security experts."

As for what's the point of WebCrypto in general? I guess it depends on your app, and your threat model. It's probably not about protecting things in memory on an insecure client.

[andersson09]

Thanks for this. And regarding the control flow protection. Does this mean even though a user can read a variable it is still impossible for them to alter it, or any code at runtime?

[blowdart]

I don't know enough about WASM to really comment, but can they effect it from the browser console? probably not.
Could they exploit something like a debugger? Yes.

[SteveSandersonMS]

Does this mean even though a user can read a variable it is still impossible for them to alter it, or any code at runtime?

You should assume that users can both read and write anything that's in the WebAssembly memory space.