In brief, this exploit focusses on the WebAssembly Interpreter. Through inspection of the code they realised that if the stack size exceeded
0xffffffff, it would overflow to zero, allowing them to escape from their allocated stack. Whilst a stack depth of
0xffffffff seems improbable, they found a creative way to achieve this.
Integer overflow is a tricky issue to address; sadly, Rust doesn’t have a solid solution to this problem either.
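
To make the wrap-around concrete, here is an added Rust example (not code from the exploit write-up or from the interpreter it targets). `HeightTracker`, `StackError` and the limit values are hypothetical names chosen for illustration. It puts a 32-bit stack-height counter that wraps to zero beside one that uses `checked_add` and an explicit limit:

```rust
// Added illustration with hypothetical names; not the interpreter's own code.
#[derive(Debug, PartialEq)]
pub enum StackError {
    HeightOverflow, // the u32 counter itself would wrap
    LimitExceeded,  // counter is valid but above the configured limit
}

/// Tracks the stack height (in slots) of a function being processed.
pub struct HeightTracker {
    height: u32,
    limit: u32,
}

impl HeightTracker {
    pub fn new(limit: u32) -> Self {
        Self { height: 0, limit }
    }

    /// Weak variant: wraps silently. This is what plain `+` does in a default
    /// release build; a default debug build panics on overflow instead.
    pub fn push_wrapping(&mut self, slots: u32) -> u32 {
        self.height = self.height.wrapping_add(slots);
        self.height
    }

    /// Hardened variant: overflow and limit violations become explicit errors,
    /// and the stored height is left unchanged when one occurs.
    pub fn push_checked(&mut self, slots: u32) -> Result<u32, StackError> {
        let next = self
            .height
            .checked_add(slots)
            .ok_or(StackError::HeightOverflow)?;
        if next > self.limit {
            return Err(StackError::LimitExceeded);
        }
        self.height = next;
        Ok(next)
    }
}

fn main() {
    let mut weak = HeightTracker::new(u32::MAX);
    weak.push_wrapping(0xffff_ffff);
    println!("wrapping height: {:#x}", weak.push_wrapping(1));
    let mut strict = HeightTracker::new(1 << 16); // constructed limit
    println!("checked result: {:?}", strict.push_checked(0xffff_ffff));
}
```

Setting `overflow-checks = true` in the Cargo release profile makes plain arithmetic panic in release builds as well, at some runtime cost.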
Mastershot is a web-based video editor, based on the WebAssembly version of FFmpeg which I wrote about a few months ago. By running the entire application client-side, Mastershot is able to provide a secure, fast and simple service. I’m sure we’ll see more WebAssembly-based browser applications in the future.
Talking of using WebAssembly as a host, this blog post gives a practical introduction to incorporating WebAssembly so that it can host plugins.
Kalker is a feature-rich scientific calculator that runs in the browser. It’s written in Rust, with the source code all available on GitHub.