Standing on the Shoulders of Giants: De-Obfuscating WebAssembly Using LLVM
Black Hat Asia 2025 · Day 2 · Briefings
In an increasingly web-centric world, WebAssembly (Wasm) has emerged as a critical technology, promising near-native performance for web applications. Its adoption by major platforms and industries, from Google Earth to blockchain, underscores its growing importance. However, this proliferation also raises significant security questions, particularly concerning the protection of intellectual property (IP) and the analysis of malicious code. This talk, presented by Vikas Gupta and Peter Gjølver from Talis, delves into the complex realm of WebAssembly obfuscation and, more importantly, its systematic de-obfuscation.
AI review
This talk presents a robust and highly effective methodology for de-obfuscating WebAssembly binaries by leveraging the LLVM compiler infrastructure. The speakers introduce Squanchy, an orchestration framework that cleverly lifts Wasm to C via `wasm2c`, then to LLVM IR, preserving critical runtime context. By integrating LLVM's powerful optimizations with specialized tools like Simba++ for Mixed Boolean-Arithmetic and Super for Control Flow Flattening, they demonstrate a systematic reversal of complex obfuscation. The work normalizes code for practical analysis in malware and commercial…