WASM in the Kernel: evolving threat detection at runtime

By Mikhail Katychev

Elevator Pitch

No eBPF on Windows? We at Mimic run WASM in the kernel instead! See how we deploy live security patches, extend OS telemetry capabilities, and inject custom logic, all in relative safety and without a single reboot.

Description

When evaluating how to safely extend the kernel and observe potential threats to it in the absence of a mature eBPF implementation for Windows, our team at Mimic decided to experiment with the WebAssembly Component Model for running threat detection logic, with promising results.

This talk will dissect the major benefits and challenges of distributing, testing, and running threat detection logic as WASM components in the Windows kernel. We will discuss novel applications and current pain points in using the Component Model to bridge std and no_std contexts, and share the patterns and workarounds we use to coordinate WASM module deployment in the name of cybersecurity.

Some of the practical challenges and accomplishments below will be covered in our talk:

  • interpreting embedded Wasm in the uncharted territory of the OS kernel

  • kernel-specific challenges: no_std, panic handling, TLS (Thread Local Storage), and synchronization

  • designing a host environment to safely interact with the kernel using the Wasm Interface Type (WIT)

  • results of our experimentation with various runtimes/interpreters and how we arrived at Wasmtime/Pulley

Notes

This talk is grounded in hands-on experience integrating a proven product with WebAssembly. This makes us particularly qualified to deliver a talk that connects cybersecurity and WASM to show novel technical applications of the WebAssembly ecosystem.

  • The Mimic team and I (Mikhail) have made multiple contributions to the WebAssembly ecosystem to further our goals in threat detection. We have contributed to WebAssembly tooling (topiary WIT formatter, wit-deps), runtime development (wasmtime), and component model specifications (component-docs), giving us a solid understanding of WebAssembly’s capabilities and performance characteristics as they concern security-sensitive domains.

  • Our company (Mimic) already has a mature threat detection product deployed to customer environments on Windows and Linux. We understand the operational constraints, performance requirements, and deployment challenges of enterprise security software. Our talk will directly address how WebAssembly can integrate with and enhance existing security architectures: moving from concept to experimentation to practical implementation.

  • Our talk presents novel applications of WebAssembly in the realm of cybersecurity. We will move beyond the well-known security benefits of WebAssembly to demonstrate how WASM can address the challenges of an active attack by a threat actor on a vulnerable system. Our talk will touch on deploying portable, safely isolated threat detection logic across heterogeneous endpoints and creating high-performance, extensible filtering engines that protect against supply-chain attacks.