Research Collection
A curated collection of academic papers covering the intersection of WebAssembly and security - from memory safety, dataset generation and sandboxing to malware detection, formal verification and side-channel attacks.
About This Project
WasmSec is a curated reference database for academic research at the intersection of WebAssembly and computer security. Every paper listed here has been manually reviewed for relevance.
WebAssembly (Wasm) is no longer an experimental technology — it is a production runtime powering some of the world's most used applications. Its promise of near-native performance in a portable, sandboxed format has driven adoption across industries.
Some of the most prominent examples include:
Adobe's Photoshop on the web leverages WebAssembly to run complex image processing algorithms. Figma's rendering engine is largely compiled to Wasm. AutoCAD's web edition ships millions of lines of C++ compiled to WebAssembly. Beyond the browser, WebAssembly is becoming the preferred sandbox format for serverless edge computing, IoT firmware, and plugin architectures.
Despite its sandboxing guarantees, WebAssembly introduces a range of security concerns - both inherited from its source languages and intrinsic to its design:
WasmSec aims to be the most comprehensive, well-organized reference for researchers, engineers, and security professionals working on or with WebAssembly. I collect, categorize, and annotate academic papers covering every dimension of Wasm security - whether you're studying attacks, defenses, formal proofs, or analysis tooling.
All papers in this database have been manually reviewed and selected based on direct relevance to WebAssembly security. It covers peer-reviewed conference and journal publications as well as high-quality preprints. Papers are tagged by topic to make it easy to explore specific sub-domains like fuzzing, information flow, sandboxing, or cryptojacking.
If you know of a missing paper, or would like to suggest a correction, please use the Suggest Paper form.
Disclaimer
Please read this disclaimer carefully before relying on any information presented on this website.
All paper entries on WasmSec were imported manually. While I strive for accuracy, typographical errors, missing details, or incorrect metadata may be present. I sincerely apologize for any such mistakes and am committed to correcting them as soon as they are reported.
Paper descriptions, abstracts, and keyword tags are written or curated to be accurate summaries of the original work. However, I acknowledge that summarizing complex academic research inevitably involves some degree of simplification.
I sincerely apologize if I have misrepresented any paper or author's work in any way. This is never intentional. If you are an author and feel that your work has been incorrectly described, attributed, or categorized, please contact me immediately through the Suggest / Edit form and I will promptly correct the entry.
WasmSec does not host any paper PDFs directly. All "Paper" links point to publicly available versions hosted by the respective publishers, authors, or archiving platforms such as arXiv, ACM DL, IEEE Xplore, USENIX, or the authors' own websites. I do not claim copyright over any linked materials.
External links may become unavailable over time as publishers update their systems. I am not responsible for the availability or content of external sites.
This database does not claim to be exhaustive. Paper selection is based on my own review and may reflect gaps in coverage, particularly for work published in venues outside the main security and programming language conferences. I actively welcome suggestions for papers I may have missed.
Contribute
Know of a paper that is missing? Found an error in an existing entry? Fill out the form below. All submissions are reviewed before being added to the database.