Skip to content

A Generic and Efficient Code Property Graph Infrastructure forScanning Vulnerabilities in WebAssembly Code

License

Notifications You must be signed in to change notification settings

darkmacheken/wasmati

Repository files navigation

Article: Wasmati: An efficient static vulnerability scanner for WebAssembly

Wasmati

This project aims to parse WAT and WASM files and get an AST, CFG and PDG.

Building using CMake directly (Linux and macOS)

You'll need CMake. You can then run CMake, the normal way:

$ mkdir build
$ cd build
$ cmake ..
$ cmake --build .

This will produce build files using CMake's default build generator. Read the CMake documentation for more information.

NOTE: You must create a separate directory for the build artifacts (e.g. build above).

Building using the top-level Makefile (Linux and macOS)

NOTE: Under the hood, this uses make to run CMake, which then calls make again. On some systems (typically macOS), this doesn't build properly. If you see these errors, you can build using CMake directly as described above.

You'll need CMake. If you just run make, it will run CMake for you, and put the result in out/clang/Debug/ by default:

Note: If you are on macOS, you will need to use CMake version 3.2 or higher

$ make

This will build the default version of the tools: a debug build using the Clang compiler.

There are many make targets available for other configurations as well. They are generated from every combination of a compiler, build type and configuration.

  • compilers: gcc, clang, gcc-i686, gcc-fuzz
  • build types: debug, release
  • configurations: empty, asan, msan, lsan, ubsan, no-tests

They are combined with dashes, for example:

$ make clang-debug
$ make gcc-i686-release
$ make clang-debug-lsan
$ make gcc-debug-no-tests

Building (Windows)

You'll need CMake. You'll also need Visual Studio (2015 or newer) or MinGW.

Note: Visual Studio 2017 and later come with CMake (and the Ninja build system) out of the box, and should be on your PATH if you open a Developer Command prompt. See https://aka.ms/cmake for more details.

You can run CMake from the command prompt, or use the CMake GUI tool. See Running CMake for more information.

When running from the commandline, create a new directory for the build artifacts, then run cmake from this directory:

> cd [build dir]
> cmake [wabt project root] -DCMAKE_BUILD_TYPE=[config] -DCMAKE_INSTALL_PREFIX=[install directory] -G [generator]

The [config] parameter should be a CMake build type, typically DEBUG or RELEASE.

The [generator] parameter should be the type of project you want to generate, for example "Visual Studio 14 2015". You can see the list of available generators by running cmake --help.

To build the project, you can use Visual Studio, or you can tell CMake to do it:

> cmake --build [wabt project root] --config [config] --target install

This will build and install to the installation directory you provided above.

So, for example, if you want to build the debug configuration on Visual Studio 2015:

> mkdir build
> cd build
> cmake .. -DCMAKE_BUILD_TYPE=DEBUG -DCMAKE_INSTALL_PREFIX=..\ -G "Visual Studio 14 2015"
> cmake --build . --config DEBUG --target install

Building using Docker

Wasmati can be build and run in a docker compiler. For this you will need to have Docker installed.

The first thing to do is to build the container using the Dockerfile. In the root of the project just run:

$ docker build -t wasmati .

This will create a docker image with a tag wasmati. After build is completed you can run the tool using the command:

$ docker run -t wasmati [arguments]

You can also mount shared folders with the host by using the option -v and use as input files thar are in the host. For instance, the file example example.wasm is in the host with the path <host_directory>/example.wasm

$ docker run -v <host_directory>:/work -t wasmati /work/example.wasm -d /work/example.csv

About

A Generic and Efficient Code Property Graph Infrastructure forScanning Vulnerabilities in WebAssembly Code

Resources

License

Stars

Watchers

Forks

Packages

No packages published