[2603.24167] Walma: Learning to See Memory Corruption in WebAssembly

Computer Science > Cryptography and Security arXiv:2603.24167 (cs) [Submitted on 25 Mar 2026] Title:Walma: Learning to See Memory Corruption in WebAssembly Authors:Oussama Draissi, Mark Günzel, Ahmad-Reza Sadeghi, Lucas Davi View a PDF of the paper titled Walma: Learning to See Memory Corruption in WebAssembly, by Oussama Draissi and 3 other authors View PDF HTML (experimental) Abstract:WebAssembly's (Wasm) monolithic linear memory model facilitates memory corruption attacks that can escalate to cross-site scripting in browsers or go undetected when a malicious host tampers with a module's state. Existing defenses rely on invasive binary instrumentation or custom runtimes, and do not address runtime integrity verification under an adversarial host model. We present Walma, a framework for WebAssembly Linear Memory Attestation that leverages machine learning to detect memory corruption and external tampering by classifying memory snapshots. We evaluate Walma on six real-world CVE-affected applications across three verification backends (cpu-wasm, cpu-tch, gpu) and three instrumentation policies. Our results demonstrate that CNN-based classification can effectively detect memory corruption in applications with structured memory layouts, with coarse-grained boundary checks incurring as low as 1.07x overhead, while fine-grained monitoring introduces higher (1.5x--1.8x) but predictable costs. Our evaluation quantifies the accuracy and overhead trade-offs across deployment config...