HN
Today

All the Bugs They Found

A developer's personal WASM runtime, Epsilon, was probed by AI agents, unearthing over 20 vulnerabilities, including three fascinating sandbox escapes. This story intricately details how type mismatches and stack manipulation at the runtime level led to critical security flaws. It's popular for its deep technical dive into WASM internals and the surprising efficacy of AI in finding subtle, low-level exploits.

3
Score
0
Comments
#12
Highest Rank
9h
on Front Page
First Seen
May 21, 7:00 AM
Last Seen
May 21, 3:00 PM
Rank Over Time
171512131519192529

The Lowdown

Andrea Pivetta shares an intriguing experience where AI agents uncovered more than 20 security vulnerabilities in Epsilon, a WebAssembly (WASM) runtime written in Go. Epsilon, a pure instruction interpreter of about 11,000 lines of code, is designed to embed and sandbox untrusted WASM modules. Despite being extensively tested against the official WASM testsuite, AI agents managed to discover significant flaws, particularly sandbox escapes.

  • WASM Security Model: Epsilon relies on a pre-execution validator to ensure type safety, allowing the runtime to execute bytecode "blindly," assuming validation guarantees. Internally, funcref values are represented as int32, where -1 is null and 0 refers to the first function in the global store.
  • Exploit 1: Zero Is Not Null: This vulnerability arose from Go's clear() function initializing funcref locals to 0 instead of the WASM-specified null (-1). An attacker could then use call_indirect on an uninitialized funcref local, inadvertently calling the private function at store index 0.
  • Exploit 2: Phantom Block Parameter: This complex exploit combined two bugs: a stack height misalignment where the VM recorded stack height after block parameters were pushed (whereas the validator considered them consumed), and a memory resurrection bug during stack unwind that caused dropped values to reappear. These combined flaws allowed an int32 0 to be reinterpreted as a funcref for a private function.
  • Exploit 3: Ghost in the Stack: This exploit involved a host-provided function (env.leak) that declared a return type (funcref) but returned fewer results at runtime. The VM, blindly trusting the declared signature, left previous stack values (like an int32 0) to be interpreted as the promised funcref, again enabling calls to private functions.
  • Methodology: The author initially used a bash script deploying AI agents (Claude, Gemini, Vibe) and later switched to an agent "skill." Gemini 3.1 Pro was notably effective in finding more serious vulnerabilities.

The author was genuinely astonished by the depth and creativity of the vulnerabilities discovered by the AI agents, especially the intricate nature of the second exploit. They conclude by urging users to update to Epsilon version 0.1.0 to address these critical security patches.