June 5, 2026

New WebAssembly memory layout could stop Heartbleed-style browser attacks with no visible slowdown

by University of Duisburg-Essen

edited by Lisa Lock, reviewed by Alexander Pol

Editors' notes
The GIST
Add as preferred source
code
Credit: Pixabay/CC0 Public Domain

Google Earth, Zoom, Twitch.tv or Photoshop—thanks to the WebAssembly standard, many powerful applications now run directly in a browser without installation. However, some of these web apps have serious security vulnerabilities. Researchers from paluno—The Ruhr Institute for Software Technology at the University of Duisburg-Essen—have developed a solution to secure COTS applications by automatically reorganizing their memory.

Since 2019, WebAssembly (Wasm for short) has been a stable web standard designed to make complex desktop applications run in the browser. To make this possible, the original program code—often written in C or C++—is compiled into the Wasm binary format, which is supported by all major browsers.

There is a catch, however: If the code contains vulnerabilities, these are also transferred into the Wasm module during compilation. In C/C++, these are typically memory access errors such as buffer overflows. Hackers can exploit such vulnerabilities for so-called cross-site scripting attacks, injecting malicious code that users then unknowingly execute in their browsers.

Existing approaches to securing Wasm modules are hardly practical. Many require access to the application's source code, while others need special hardware or customized browser environments. The new solution developed by paluno researchers Oussama Draissi and Prof. Lucas Davi takes a different approach. They use Wasm's multi-memory feature to perform a one-time, fully automated memory reorganization of existing modules.

The restructuring is reminiscent of a Japanese bento box, in which different foods are neatly separated into individual compartments. The advantage: Isolating memory areas prevents, for example, HTML tags in one memory area from being overwritten by a buffer overflow in another.

For users, the restructuring of the modules comes with no noticeable drawbacks. They will notice neither longer loading times nor a significantly larger memory footprint.

The researchers tested the effectiveness of the bento approach using known security vulnerabilities, including the infamous Heartbleed bug.

"In extensive tests, we were able to demonstrate that our solution would have successfully defended against real-world attacks on widely used applications," explains Oussama Draissi.

The work will be presented at the ACM Web Conference in Dubai in late June 2026.

More information

Oussama Draissi et al, Bento: Fine-Grained Memory Isolation for COTS WebAssembly Binaries, Proceedings of the ACM Web Conference 2026 (2026). DOI: 10.1145/3774904.3792439

Key concepts
Post-quantum cryptography
Provided by University of Duisburg-Essen
Who's behind this story?
Lisa Lock
Lisa Lock

BA art history, MA material culture. Former museum editor, paramedic, and transplant coordinator. Editing for Science X since 2021. Full profile →

Alexander Pol
Alexander Pol

PhD nano-engineering from Delft University. Published researcher and journal reviewer. Brings scientific insight to content standards. Full profile →

Citation: New WebAssembly memory layout could stop Heartbleed-style browser attacks with no visible slowdown (2026, June 5) retrieved 6 June 2026 from https://techxplore.com/news/2026-06-webassembly-memory-layout-heartbleed-style.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

A new method to protect WebAssembly against Spectre attacks
4 shares

Feedback to editors
Load comments (0)