Publications
Type of Publication: Article in Collected Edition
Bento: Fine-Grained Memory Isolation for COTS WebAssembly Binaries
- Author(s): Draissi, Oussama; Davi, Lucas
- Title of Anthology: Proceedings of the ACM Web Conference 2026 (WWW '26)
- Location(s): Dubai, United Arab Emirates
- Publication Date: 2026
Abstract
WebAssembly (Wasm) enables execution of memory-unsafe languages like C/C++ in
the browser, but its monolithic linear memory leaves modules vulnerable to
high-impact attacks such as Cross-Site Scripting. Existing defenses are
unsuitable for Commercial-off-the-shelf (COTS) binaries, requiring source code
or non-standard runtimes, or introducing high-overhead instrumentation.
We present Bento, the first static binary rewriter that automatically hardens
COTS Wasm modules. Bento uses whole-program pointer analysis to partition
memory into logical regions (stack, heap, globals) and rewrites the binary to
map each to an isolated instance using the standard Wasm multi-memory feature.
This creates a software-based MMU that provides architectural hardening without
adding instructions or runtime checks.
Our evaluation shows Bento mitigates real-world exploits in prominent
applications, including Libpng and PDFAlto, while preserving semantics, as
confirmed by extensive differential testing. This architectural approach adds
no new instructions, achieving zero computational overhead. This results in
negligible performance costs: a 3% runtime slowdown and a 1% startup
overhead.
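
The following toy model is an added illustration, not code from the paper or from Bento. It shows why one monolithic linear memory lets an unchecked copy reach unrelated data, and why binding heap and globals to separate memories (as multi-memory allows) keeps that data out of reach. The layout, sizes, names and sample input are constructed assumptions.

```python
# Toy model of Wasm linear memory; added illustration, not Bento's code.
SIZE = 64                      # constructed size; real Wasm pages are 64 KiB
TEMPLATE = b"<p>hello</p>"     # constructed: trusted markup kept in globals
BUF_LEN = 16                   # constructed: heap buffer the program copies into


class Trap(Exception):
    """Models the trap Wasm raises on an out-of-bounds memory access."""


class Memory:
    """One Wasm memory: accesses are checked only against its own size."""

    def __init__(self, size=SIZE):
        self.buf = bytearray(size)

    def store(self, addr, data):
        if addr < 0 or addr + len(data) > len(self.buf):
            raise Trap(f"store of {len(data)} bytes at {addr} is out of bounds")
        self.buf[addr:addr + len(data)] = data

    def load(self, addr, n):
        if addr < 0 or addr + n > len(self.buf):
            raise Trap(f"load of {n} bytes at {addr} is out of bounds")
        return bytes(self.buf[addr:addr + n])


def run_monolithic(payload):
    """Heap buffer at [0, 16) and the global template at 16 share one memory."""
    mem = Memory()
    mem.store(BUF_LEN, TEMPLATE)
    mem.store(0, payload)              # unchecked copy, like memcpy with no length check
    return mem.load(BUF_LEN, len(TEMPLATE))


def run_partitioned(payload):
    """Same program after partitioning: heap and globals are separate memories."""
    globals_mem, heap_mem = Memory(), Memory()
    globals_mem.store(0, TEMPLATE)
    heap_mem.store(0, payload)         # the store is statically bound to heap_mem
    return globals_mem.load(0, len(TEMPLATE))


if __name__ == "__main__":
    overflow = b"A" * BUF_LEN + b"ATTACKER-SET"   # constructed 28-byte input
    print("monolithic :", run_monolithic(overflow))
    print("partitioned:", run_partitioned(overflow))
```

In the monolithic run the overflow stays inside the single memory's bounds, so nothing traps and the template is silently replaced. In the partitioned run the same write can only land in the heap memory.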