Lost in the Pages: WebAssembly Code Recovery through SEV-SNP's Exposed Address Space
By: Markus Berthilsson, Christian Gehrmann
Potential Business Impact:
Steals secret computer code from safe places.
WebAssembly (Wasm) has risen as a widely used technology to distribute computing workloads on different platforms. The platform independence offered through Wasm makes it an attractive solution for many different applications that can run on disparate infrastructures. In addition, Trusted Execution Environments (TEEs) are offered in many computing infrastructures, which also allows running security-sensitive Wasm workloads independent of the specific platforms offered. However, recent work has shown that Wasm binaries are more sensitive to code confidentiality attacks than native binaries. The previous result was obtained for Intel SGX only. In this paper, we take this one step further, introducing a new Wasm code-confidentiality attack that exploits exposed address-space information in TEEs. Our attack enables the extraction of crucial execution features which, when combined with additional side channels, allow us to obtain, with high reliability, more than 70% of the code in most cases. This is a considerably larger amount than was previously obtained by single-stepping Intel SGX, where only up to 50% of the code could be obtained.