Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint.

WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.

The technology is a compact binary language that a browser will convert into machine code and run it directly on the CPU.

Browser makers created WebAssembly to improve the speed of delivery and performance of JavaScript code, but as a side effect, they also created a way for developers to port code from other high-level languages (such as C, C++, and others) into Wasm, and then run it inside a browser.

All in all, the WebAssembly standard is viewed as a success in the web dev community, and there've been praises for it all around.

WebAssembly is not immune to abuse

But like all technologies, it also came with some unforeseen side effects and cases of abuse. For starters, the rise of in-browser cryptocurrency miners (cryptojacking scripts) can be traced precisely to the addition of WebAssembly inside major browsers, as all in-browser miners run on top of WebAssembly, and not pure JavaScript.

Now, a Forcepoint researcher argues there could be another unintended side effect of WebAssembly for web users.

"Once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap), very accurate [JavaScript] timers can be created," Bergbom says, "that may render browser mitigations of certain CPU side channel attacks non-working."

WebAssembly may bypass some browser mitigations

In this statement, Bergbom is more accurately referring to "timing attacks," which are a class of side-channel attacks.

Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms.

The recently disclosed Meltdown and Spectre CPU vulnerabilities, along with their many variations [1, 2, 3] are all timing attacks at their core.

They rely on the attacker's ability to measure precise time intervals, a parameter needed to perform the side-channel attack and recover enough information from the encrypted blob of data to determine the rest.

Browsers previously addressed this issue in January

Back when Meltdown and Spectre came to light in January, researchers published proof of concept code that an attacker could have used to exploit these CPU vulnerabilities remotely, via the Internet, using JavaScript code that runs in the browser.

This attack code utilized browsers' internal native functions for measuring time intervals, such as "SharedArrayBuffer" and "performance.now()."

Browsers like Firefox and Chrome reacted by releasing updates that watered down the precision of these timer functions, rendering Meltdown and Spectre attacks, and other timing side-channel attacks, inefficient.

But now, Bergbom says that once support for "threads" is added in WebAssembly, and this feature reaches modern browsers, those mitigations will be rendered useless, as an attacker has a new avenue for measuring precise time, via WebAssembly.

"Like with many new technologies there are potential security issues which need to be considered," Bergbom said. "Collectively, these present new opportunities for malicious actors. Much as with JavaScript, the possibilities with Wasm are – if not quite endless – very broad."

Preventing this from happening requires that browser vendors take the same approach once more by limiting WebAssembly's upcoming "threads" support to prevent attackers from crafting enough precise timers.

A member of the WebAssembly team has told Bleeping Computer that they are aware of this issue and have put this feature on hold, for the time being, albeit no consensus has been reached on what to do next.