J-Force: Forced Execution on JavaScript

Web-based malware equipped with stealthy cloaking and obfuscation techniques is becoming increasingly sophisticated. In this paper, we propose J-FORCE, a crash-free forced JavaScript execution engine that systematically explores possible execution paths and reveals malicious behaviors in such malware. In particular, J-FORCE records branch outcomes and mutates them for further exploration. J-FORCE inspects function parameter values that may reveal malicious intentions and expose suspicious DOM injections. We address a number of technical challenges; for instance, we keep track of missing objects and DOM elements and create them on demand. To verify the efficacy of our techniques, we apply J-FORCE to detect Exploit Kit (EK) attacks and malicious Chrome extensions. We observe that J-FORCE is more effective than existing tools.
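The abstract describes three ideas: record branch outcomes and mutate them on later runs, create missing objects and DOM elements on demand so the analysed script never crashes, and inspect the parameter values that reach sinks such as script injection. The following toy explorer, added here as an illustration and not J-Force's own code, implements all three in plain JavaScript. The analysed script is assumed to have been instrumented so that every conditional goes through a `branch()` callback and every host object is reached through `env`; the cloaked sample script, the `SAMPLE_ENV` object, the `injectScript` sink and the `.invalid` URLs are all constructed for the demo.

```javascript
// Added example (not J-Force's own code): a toy forced-execution explorer in
// the style the abstract describes. Sample script, environment and URLs are constructed.

// Environment in which every missing object, property or function is created on
// demand (so the script cannot crash), while properties the base environment really
// provides are returned unchanged. Each access to a missing name is recorded in `missing`.
function makeOnDemand(base, path, missing) {
  const target = function () {};
  return new Proxy(target, {
    get(_t, prop) {
      if (typeof prop === "symbol") {
        // Let string coercion of a missing object succeed with a recognisable marker.
        return prop === Symbol.toPrimitive ? () => `<missing ${path}>` : undefined;
      }
      if (base !== null && typeof base === "object" && prop in base) {
        const v = base[prop];
        return typeof v === "object" && v !== null ? makeOnDemand(v, `${path}.${prop}`, missing) : v;
      }
      missing.add(`${path}.${prop}`);
      return makeOnDemand(null, `${path}.${prop}`, missing);
    },
    apply() {
      missing.add(`${path}()`);
      return makeOnDemand(null, `${path}()`, missing);
    },
    set() { return true; },
  });
}

class ForcedExecutor {
  constructor(program, baseEnv) {
    this.program = program;
    this.baseEnv = baseEnv;
  }

  // One run in which the first `forced.length` branch outcomes are dictated by the
  // explorer and the remaining ones are taken as the script itself decides them.
  runOnce(forced) {
    const trace = [];
    const sinkCalls = [];
    const missing = new Set();
    const branch = (cond) => {
      const i = trace.length;
      const outcome = i < forced.length ? forced[i] : Boolean(cond);
      trace.push(outcome);
      return outcome;
    };
    // Monitored sink: the parameter values that reach it are what the analyst inspects.
    const sinks = {
      injectScript: (url) => sinkCalls.push({ sink: "injectScript", arg: String(url) }),
    };
    const env = makeOnDemand(this.baseEnv, "env", missing);
    try {
      this.program({ branch, env, sinks });
    } catch (e) {
      sinkCalls.push({ sink: "exception", arg: String(e) });
    }
    return { forced, trace, sinkCalls, missing: [...missing].sort() };
  }

  // Record the outcomes of each run, then flip every branch that was decided
  // naturally, so that each reachable path prefix is eventually executed once.
  explore(maxRuns = 64) {
    const seen = new Set();
    const worklist = [[]];
    const runs = [];
    while (worklist.length > 0 && runs.length < maxRuns) {
      const forced = worklist.pop();
      const key = forced.map((b) => (b ? "1" : "0")).join("");
      if (seen.has(key)) continue;
      seen.add(key);
      const run = this.runOnce(forced);
      runs.push(run);
      for (let i = forced.length; i < run.trace.length; i++) {
        worklist.push([...run.trace.slice(0, i), !run.trace[i]]);
      }
    }
    return runs;
  }
}

// Constructed sample of a cloaked script: the injection happens only for one
// browser and only when an expected DOM element exists, so an ordinary dynamic
// run in any other environment never reaches the sink.
function cloakedSample({ branch, env, sinks }) {
  const ua = env.navigator.userAgent;
  if (branch(typeof ua === "string" && ua.indexOf("MSIE 8") !== -1)) {
    const slot = env.document.getElementById("ad-slot");
    if (branch(slot !== null)) {
      sinks.injectScript("http://payload.invalid/p.js"); // constructed placeholder
    } else {
      sinks.injectScript("http://fallback.invalid/f.js"); // constructed placeholder
    }
  }
}

// Constructed base environment: a real user-agent string but no `document` at all.
const SAMPLE_ENV = { navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0" } };

// Unique sink arguments revealed across all explored paths.
function revealedSinkArgs(runs) {
  const args = new Set();
  for (const r of runs) for (const c of r.sinkCalls) if (c.sink === "injectScript") args.add(c.arg);
  return [...args].sort();
}

const demoRuns = new ForcedExecutor(cloakedSample, SAMPLE_ENV).explore();
console.log(`explored ${demoRuns.length} paths; revealed:`, revealedSinkArgs(demoRuns));
console.log("objects created on demand:", demoRuns[1].missing);
```

The natural run (no forced outcomes) reaches no sink, exactly the cloaking effect the abstract describes. Flipping the user-agent check exposes the second check, and because `document` is absent from the base environment the explorer fabricates `env.document`, `env.document.getElementById` and its return value on demand instead of throwing; flipping the second check then reveals the alternative injection. Three runs cover the sample's three paths and surface both URLs passed to the injection sink, which is the kind of parameter value a detector would then classify.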
