Runtime Detection of Browser Exploits Via Injected Scripts
US-2021097174-A1 · Apr 1, 2021 · US
US2025028585A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025028585-A1 |
| Application number | US-202318356665-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jul 21, 2023 |
| Priority date | Jul 21, 2023 |
| Publication date | Jan 23, 2025 |
| Grant date | — |
Official abstract text for this publication.
An exploit detector hooks functions of a WebAssembly engine API that include functions invoked when creating a WebAssembly instance, when permissibly modifying read-write-execute (RWX) memory allocated for a WebAssembly instance, and when calling an exported WebAssembly function. Upon invocation of the hooked instance creation function(s), the detector obtains an address of RWX memory allocated for the instance, reads data stored there, and records an association between the address and the data. If the hooked function(s) for permissibly modifying RWX memory is invoked, the detector updates the data stored in the recorded association with the modified data read from the RWX memory. Based on invocation of the hooked function(s) associated with WebAssembly export function calls, the detector reads the current data in the RWX memory to be executed and compares this data to the data recorded in association with the address. If the actual and expected data differ, the detector detects a browser exploit.
Opening claim text (preview).
1. A method comprising: installing a plurality of code hooks for a corresponding plurality of functions of an application programming interface (API) of a WebAssembly engine for a web browser; based on invocation of a first function of the plurality of functions, determining an address of memory allocated for a WebAssembly instance and recording first contents read from the memory, wherein the memory has read-write-execute permissions; based on invocation of a second function of the plurality of functions, reading second contents from the memory allocated to the WebAssembly instance; determining if the first contents and the second contents of the memory differ; and based on determining that the first contents and the second contents differ, determining that the web browser has been exploited.
2. The method of claim 1, wherein the first function is a function of the API for creating WebAssembly instances, wherein installing the plurality of code hooks comprises installing a first of the plurality of code hooks into the first function of the API.
3. The method of claim 2, wherein determining the address of memory comprises determining the address of memory based on a return value of the first function.
4. The method of claim 1, wherein the second function is a function of the API invoked based on calling exported functions of WebAssembly instances, wherein installing the plurality of code hooks comprises installing a second of the plurality of code hooks into the second function of the API.
5. The method of claim 1, wherein installing the plurality of code hooks comprises installing a third of the plurality of code hooks into a third function of the API, wherein the third function is a function of the API for permissibly modifying contents of the memory.
6. The method of claim 5 further comprising, based on invocation of the third function, reading third contents from the memory and updating the first contents recorded for the memory based on the third contents.
7. The method of claim 1, wherein recording the first contents read from memory comprises storing an association between the address of the memory and the first contents in a data structure.
8. The method of claim 1, further comprising injecting into a process associated with the web browser, wherein installing the plurality of code hooks is based on injecting into the process.
9. One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to: hook into a plurality of target functions of an application programming interface (API) of a browser engine, wherein the browser engine is for a web browser with which WebAssembly is compatible; based on invocation of a first target function of the plurality of target functions, determine a memory address of a first WebAssembly instance; read first data stored at the memory address; based on invocation of a second target function of the plurality of target functions, read second data stored at the memory address; determine whether the first data and the second data differ; and based on determining that the first data and the second data differ, detect an exploit targeting the web browser.
10. The non-transitory machine-readable media of claim 9 further comprising instructions to record a copy of the first data in association with the memory address.
11. The non-transitory machine-readable media of claim 10 wherein the instructions to hook into the plurality of target functions of the API comprise instructions to hook into a third target function of the API, wherein the third target function is a function for permissibly modifying memory allocated for a WebAssembly instance.
12. The non-transitory machine-readable media of claim 11, wherein the program code further comprises instructions to, based on invocation of the third target function, read third data stored at the memory address and replace the copy of the first data with a copy of the third data in the association with the memory address.
13. The non-transitory machine-readable media of claim 9, wherein the first target function is a function of the API for creating a WebAssembly instance, wherein the instructions to hook into the plurality of target functions comprise instructions to install a code hook to the first target function, wherein the instructions to determine the memory address of the first WebAssembly instance comprise instructions to determine the memory address based on a return value of the first target function.
14. The non-transitory machine-readable media of claim 9, wherein the second target function is a function of the API invoked based on calling exported functions of a WebAssembly instance, wherein the instructions to hook into the plurality of target functions comprise instructions to install a code hook to the second target function.
15. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, install a plurality of code hooks into a corresponding plurality of functions of a WebAssembly engine application programming interface (API); based on creation of a WebAssembly instance triggering a first of the plurality of code hooks, determine a memory address associated with read-write-execute (RWX) memory allocated for the WebAssembly instance; record memory contents read from the memory address, wherein the memory contents have RWX permissions; based on a call to an exported function of the WebAssembly instance triggering a second of the plurality of code hooks, compare current memory contents of the RWX memory with the recorded memory contents; and based on a determination that the current memory contents and the recorded memory contents differ, detect a browser exploit.
16. The apparatus of claim 15, further comprising instructions executable by the processor to cause the apparatus to, based on modification of the memory contents triggering a third of the plurality of code hooks, update the recorded memory contents with modified memory contents read from the memory address, wherein the instructions executable by the processor to cause the apparatus to compare the current memory contents with the recorded memory contents comprise instructions executable by the processor to cause the apparatus to compare the current memory contents with the modified memory contents.
17. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to record the memory contents comprise instructions executable by the processor to cause the apparatus to record the memory contents in association with the memory address in a data structure.
18. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to install the plurality of code hooks comprise instructions executable by the processor to cause the apparatus to install the first code hook to a first function of the API, wherein the first function is a function for creation of WebAssembly instances, wherein the instructions executable by the processor to cause the apparatus to determine the memory address comprise instructions executable by the processor to cause the apparatus to determine the memory address based on a return value of the first function.
19. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to install the plurality of code hooks compri
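The abstract and claims above describe three hooks (instance creation, permitted RWX modification, export call) and an address-to-contents table, but no code. As an added example that is not from the patent or from any browser engine, here is a C model of that detector: the "WebAssembly engine API" is a hypothetical function table defined in the block, hooks are installed by swapping its pointers the way an import-table or vtable hook would, and the instance's RWX region is an ordinary heap buffer, so the program runs without mapping executable memory. All names (`wasm_engine_api`, `hook_create`, `run_scenario`, the toy opcode) are this example's own assumptions, not the patent's.

```c
/* Added example, not from the patent or any browser engine: a user-space
 * model of the three-hook detector in the abstract and claims. The engine
 * API is a toy function table and the RWX code region is a heap buffer. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CODE_SIZE 64
#define MAX_INSTANCES 8

/* Stand-in for a WebAssembly instance: code[] plays the role of RWX memory. */
typedef struct { uint8_t code[CODE_SIZE]; } wasm_instance;

/* Toy engine API as a function table; hooks are installed by swapping pointers. */
typedef struct {
    wasm_instance *(*create_instance)(const uint8_t *module, size_t len);
    void (*patch_code)(wasm_instance *inst, size_t off, const uint8_t *src, size_t len);
    int (*call_export)(wasm_instance *inst, int arg);
} wasm_engine_api;

/* --- engine side (toy) --- */
static wasm_instance *engine_create(const uint8_t *module, size_t len) {
    wasm_instance *inst = calloc(1, sizeof *inst);
    if (inst && len <= CODE_SIZE) memcpy(inst->code, module, len);
    return inst;
}
/* Permitted in-place code modification, e.g. a tier-up or lazy compile. */
static void engine_patch(wasm_instance *inst, size_t off, const uint8_t *src, size_t len) {
    if (off + len <= CODE_SIZE) memcpy(inst->code + off, src, len);
}
/* "Executes" the code: byte 0 is a toy opcode, 0x01 = add one to arg. */
static int engine_call(wasm_instance *inst, int arg) {
    return inst->code[0] == 0x01 ? arg + 1 : arg;
}
static wasm_engine_api g_api = { engine_create, engine_patch, engine_call };

/* --- detector side --- */
typedef struct { wasm_instance *addr; uint8_t expected[CODE_SIZE]; } code_record;
static code_record g_records[MAX_INSTANCES];   /* address -> recorded contents */
static int g_nrecords;
static int g_detections;
static wasm_engine_api g_orig;                 /* original entry points */

static code_record *find_record(wasm_instance *addr) {
    for (int i = 0; i < g_nrecords; i++)
        if (g_records[i].addr == addr) return &g_records[i];
    return NULL;
}
/* Hook 1 (creation): take the address from the return value, snapshot the code. */
static wasm_instance *hook_create(const uint8_t *module, size_t len) {
    wasm_instance *inst = g_orig.create_instance(module, len);
    if (inst && g_nrecords < MAX_INSTANCES) {
        code_record *r = &g_records[g_nrecords++];
        r->addr = inst;
        memcpy(r->expected, inst->code, CODE_SIZE);
    }
    return inst;
}
/* Hook 2 (permitted modification): let it happen, then refresh the snapshot. */
static void hook_patch(wasm_instance *inst, size_t off, const uint8_t *src, size_t len) {
    g_orig.patch_code(inst, off, src, len);
    code_record *r = find_record(inst);
    if (r) memcpy(r->expected, inst->code, CODE_SIZE);
}
/* Hook 3 (export call): compare current contents with the snapshot before the
 * engine runs them; a mismatch means RWX memory was written outside the API. */
static int hook_call(wasm_instance *inst, int arg) {
    code_record *r = find_record(inst);
    if (r && memcmp(r->expected, inst->code, CODE_SIZE) != 0) {
        g_detections++;
        return -1;                        /* refuse to run the tampered code */
    }
    return g_orig.call_export(inst, arg);
}
static void install_hooks(void) {
    g_orig = g_api;
    g_api.create_instance = hook_create;
    g_api.patch_code = hook_patch;
    g_api.call_export = hook_call;
}

/* Scenario: create, call, apply a permitted patch, then optionally emulate an
 * attacker's arbitrary write into the code region that bypasses the API.
 * Returns the number of detections raised. */
int run_scenario(int tamper) {
    g_nrecords = 0; g_detections = 0;
    g_api = (wasm_engine_api){ engine_create, engine_patch, engine_call };
    install_hooks();
    uint8_t module[CODE_SIZE] = { 0x01 };            /* constructed toy module */
    wasm_instance *inst = g_api.create_instance(module, sizeof module);
    int r1 = g_api.call_export(inst, 41);            /* 42: snapshot matches */
    uint8_t patch[1] = { 0x01 };
    g_api.patch_code(inst, 0, patch, 1);             /* permitted: no alert */
    if (tamper) inst->code[0] = 0x02;                /* direct write, no API */
    int r2 = g_api.call_export(inst, 41);            /* -1 if tampered, else 42 */
    printf("tamper=%d results=%d,%d detections=%d\n", tamper, r1, r2, g_detections);
    free(inst);
    return g_detections;
}

int main(void) { run_scenario(0); run_scenario(1); return 0; }
```

Compile with `cc -std=c99 detector.c`. `run_scenario(0)` returns 0 because the permitted patch went through the hooked `patch_code` and refreshed the snapshot; `run_scenario(1)` returns 1 because the direct store to `inst->code` bypassed the API, so the export-call hook sees contents that differ from the record. Three things a real deployment has to handle that this model leaves out: compare a hash rather than keep and scan a full copy of every code region; drop the record when the instance is torn down, or a reused address will produce a false positive; and the comparison fires only on the hooked export-call path, so an attacker who corrupts RWX memory and then reaches it by another route (a corrupted function pointer, say) is not caught by this check alone.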
CPC classification titles:
- Remote procedure calls [RPC]; Web services
- involving web programs, i.e. using technology especially used in internet, generally interacting with a web browser, e.g. hypertext markup language [HTML], applets, java
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- by adding security routines or objects to programs