WaSCR: A WebAssembly Instruction-Timing Side Channel Repairer

WebAssembly (Wasm) is a platform-independent, low-level binary language that enables near-native performance in web applications. Given its growing importance in the web ecosystem, securing We-bAssembly programs becomes increasingly important. A key security concern with WebAssembly is the threat of instruction-timing side-channel attacks, which exploit timing variations in branch instructions dependent on sensitive data, allowing attackers to infer sensitive information through timing measurement. In this paper, we introduce WaSCR, an automated WebAssembly instruction-timing Side-Channel Repairer. WaSCR uses control and data dependencies to trace the flow of sensitive data and prevent its leakage. It employs rule-based code transformations to linearize the program, eliminating branches dependent on sensitive data and substituting them with constant-time selectors. Our evaluation demonstrates that WaSCR effectively eliminates instruction-timing side channels while maintaining program correctness, with efficient repairs and moderate performance overhead. CCS Concepts • Security and privacy → Side-channel analysis and countermeasures; Software security engineering.