Wasist - WebAssembly Shadow Stack Inspection and Summary Tool

Dataset Description

Context and Methodology

This dataset was created in the context of the bachelor’s thesis Wasist: WebAssembly Shadow Stack Inspection and Summary Tool at TU Wien. The work is situated in the area of abstract interpretation, static program analysis and WebAssembly security.

The dataset documents and supports the implementation and evaluation of Wasist, a static analyser for WebAssembly 1.0. Wasist performs abstract interpretation on Wasm modules to map a set of possible addresses to each memory instruction and to give a best-effor shadow-stack layout reconstruction.

The purpose of the dataset is to enable reproduction of the thesis results, inspection of the evaluation scripts and reuse of the Wasist analyser for related research or work on WebAssembly memory analysis and shadow-stack reconstruction.

Technical Details

The dataset is structured into four parts:

• base-analyser.zip: the main Wasist analyser implementation
• instrumented-analyser.zip: an instrumented variant of the analyser used for a targeted experiment in the thesis
• dataset.tar.gz: the corpus of WebAssembly binaries used for the evaluation in the thesis
• evaluation-scripts.zip: scripts and notebooks for summarising results created by Wasist and generating tables or plots, used for the evaluation in the thesis

To use the analyser, a modern installation of Rust is required. Instructions on the usage of the analyser can be found in the corresponding README.
The evaluation scripts where built for Python 3.14. Instructions can also be found in the corresponding README.

Further Details

The analyser focuses on WebAssembly 1.0 (MVP) binaries and does not generally support newer Wasm features such as SIMD, threading, reference types, or multiple memories. Its analysis is based on conservative assumptions about shadow-stack behaviour, including a fixed shadow-stack location and size and a well-behaved stack pointer. These assumptions are important when interpreting results or reusing the analyser on other datasets. Reusers should therefore consult the thesis and repository documentation before drawing conclusions from the generated analysis output.

The thesis, as well as versioned source code, can also be found on GitHub, see https://github.com/nilsgoebl/wasist-thesis.

License

This record contains original thesis code and third-party collected WebAssembly binaries.

Original code in this record, so the code of the analysers as well as the evaluation scripts, is licensed under the MIT license.

Some WebAssembly binaries were obtained from the WasmBench dataset (https://github.com/sola-st/WasmBench), and some were obtained from the NodeWasmStudy dataset (https://github.com/michelledaviest/NodeWasmStudy). Their MIT and Apache license only apply to their source codes used for collecting the dataset, which wasn't used in this thesis. For the individual WebAssembly files, they provide per-binary metadata, which includes the source, and sometimes, license information. All binaries were obtained from publicly available sources, like Github or by crawling websites. The collected sources and licenses of these WebAssembly files can be found in the LICENSE file. No single uniform license is asserted for all included .wasm files.

The uploader does not relicense third-party binaries.