Wanilla: Sound Noninterference Analysis for WebAssembly

📅 2025-09-10
🤖 AI Summary
WebAssembly (Wasm), as a compilation target for memory-unsafe languages, is vulnerable to information-flow leaks across module boundaries and memory integrity violations; existing static noninterference analyses lack formal guarantees and automation support. This paper proposes the first fully automated, provably secure, and purely static noninterference verification method for Wasm: a hyperproperty verification framework grounded in reachability analysis, integrating value-sensitive taint tracking and relational reasoning to precisely model and automatically verify security properties, including memory integrity. Our approach establishes the first formal, semantics-level definition of noninterference for Wasm and provides a sound, complete static decision procedure. Evaluated on synthetic and real-world benchmarks, it achieves high precision and competitive performance. The work thus delivers both a theoretical foundation and a practical tool for trustworthy Wasm execution.

📝 Abstract
WebAssembly (Wasm) is rapidly gaining popularity as a distribution format for software components embedded in various security-critical domains. Unfortunately, despite its prudent design, WebAssembly's primary use case as a compilation target for memory-unsafe languages leaves some possibilities for memory corruption. Independently of that, Wasm is an inherently interesting target for information flow analysis due to its interfacing role. Both the information flows between a Wasm module and its embedding context, as well as the memory integrity within a module, can be described by the hyperproperty noninterference. So far, no sound, fully static noninterference analysis for Wasm has been presented, but sound reachability analyses were. This work presents a novel and general approach to lift reachability analyses to noninterference by tracking taints on values and using value-sensitive, relational reasoning to remove them when appropriate. We implement this approach in Wanilla, the first automatic, sound, and fully static noninterference analysis for WebAssembly, and demonstrate its performance and precision by verifying memory integrity and other noninterference properties with several synthetic and real-world benchmarks.
Problem

Research questions and friction points this paper is trying to address.

Analyzing noninterference in WebAssembly modules
Ensuring memory integrity against corruption vulnerabilities
Tracking information flows between modules and contexts
Innovation

Methods, ideas, or system contributions that make the work stand out.

Lifts reachability analyses to noninterference
Tracks taints on values for analysis
Uses value-sensitive relational reasoning