Constant-Time WebAssembly

As evermore applications are designed to run inside browsers and other JavaScript runtime systems, there is an increasing need for cryptographic primitives that can be used client-side. Unfortunately, implementing cryptographic primitives securely in high-level languages is extremely difficult—runtime system components such as garbage collectors and just-intime compilers can trivially introduce timing leaks in seemingly secure code. We argue that runtime system designs should be rethought with such applications—applications that demand strong guarantees for the executed code—in mind. As a concrete step towards this goal, we propose changes to the recent WebAssembly language and runtime system, supported by modern browsers. Our Constant-Time WebAssembly enables developers to implement crypto algorithms whose security guarantees will be preserved through compiler optimizations and execution in the browser.