WasDom: An Efficient Write Protection for Wasm JITed Code With ARM Domain

WebAssembly (Wasm) is a binary instruction format designed to run web applications efficiently and securely across different browsers, including Chrome’s V8, Firefox’s SpiderMonkey, and Safari’s JavaScriptCore. While Wasm’s Just-In-Time (JIT) compilation offers significant performance benefits by converting wasm code into machine code (JITed code), it introduces security vulnerabilities by violating the W^X (Write XOR Execute) policy. Conventional methodologies, such as Intel MPK for safeguarding JITed code, are constrained to specific hardware and are ineffectual in mobile environments. Consequently, there is a necessity for the development of a ARM-compatible solution. This paper proposes WasDom, an efficacious write protection mechanism for wasm JITed code on ARM architecture. Leveraging ARM’s domain-based memory management, WasDom employs a randomized domain allocation strategy to permit multiple cores to access JITed code securely. The prototype of WasDom was implemented in the V8 runtime and demonstrated a minimal performance overhead of less than 11% while providing strong write protection. The system manages memory permissions dynamically through the Domain Access Control Register (DACR), ensuring that memory regions are writable during JIT compilation and executable during runtime, thus enforcing a strong W^X policy.