Introducing CT-Wasm, a type-driven extension to WebAssembly for secure, in-browser cryptography

3 min read

Researchers from the University of California and the University of Cambridge have come up with Constant-Time WebAssembly (CT-Wasm), the details of which are shared in their paper: CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem in December. It is a type-driven, strict extension to WebAssembly, which aims to address the state of cryptography in the web ecosystem.

CT-Wasm provides developers a principled direction for improving the quality and auditability of web platform cryptography libraries while also maintaining the convenience that has made JavaScript successful.

Why CT-Wasm is introduced?

A lot of work has been done towards the implementation of client and server-side cryptography in JavaScript. But, there are still some widespread concerns related to security in JavaScript, which CT-WASM tries to solve:

Side channels: While implementing a cryptography algorithm, the functional correctness is not the only concern. It is also important to ensure the properties of information flow that take into account the existence of side channels. For instance, an attacker can use the duration of the computation as a side channel. They can compare different executions to find out which program paths were used and work backward to determine information about secret keys and messages.

Additionally, modern JavaScript runtimes are extremely complex software systems, that include just-in-time (JIT) compilation and garbage collection (GC) techniques that can inherently expose timing side-channels.

In-browser cryptography: Another concern is, in-browser cryptography, which refers to the implementation of cryptographic algorithms using JavaScript in a user’s browser.

Unskilled cryptographers: Most of the JavaScript cryptography is implemented by unskilled cryptographers who do not generally care about the most basic timing side channels.

How it solves the concerns in JavaScript cryptography?

Recently, all browsers have added support for WebAssembly (WASM), a bytecode language. As Wasm is a low-level bytecode language, it already provides a firmer foundation for cryptography than JavaScript:

  • Wasm’s “close-to-the-metal” instructions provide more confidence in its timing characteristics than JavaScript’s unpredictable optimizations.
  • It has a strong, static type system, and principled designed.
  • It uses a formal small-step semantics and a well-typed Wasm program enjoys standard progress and preservation properties.

CT-Wasm extends Wasm to become a verifiably secure cryptographic language by augmenting its type system and semantics with cryptographically meaningful types to produce Constant-Time WebAssembly (CT-Wasm). It combines the convenience of in-browser JavaScript crypto with the security of a low-level, formally specified language.

Using CT-Wasm, developers can distinguish between secret data such as keys and messages and public data. After distinguishing the secret data, they can impose secure information flow and constant-time programming disciplines on code that handles secret data and ensure that well-typed CT-Wasm code cannot leak such data. CT-Wasm allows developers to incorporate third-party cryptographic libraries as they do with JavaScript and ensures that these libraries do not leak any secret information by construction.

For more details, read the paper: CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem.

Read Next

The elements of WebAssembly – Wat and Wasm, explained [Tutorial]

Now you can run nginx on Wasmjit on all POSIX systems

Introducing Wasmjit: A kernel mode WebAssembly runtime for Linux