Abstract
JavaScript has been used to exploit binary vulnerabilities in host software that would otherwise be difficult to exploit, and such exploits pose a severe threat to computer security. Although software vendors have deployed mitigations such as ASLR and sandboxing, hacking contests (e.g., Pwn2Own, GeekPwn) have demonstrated that the latest software (e.g., Chrome, IE, Edge, Safari) can still be exploited. An ideal JavaScript exploit mitigation should be flexible and deployable without requiring code changes. To this end, we propose ChaffyScript, a vulnerability-agnostic mitigation system that thwarts JavaScript exploits by undermining the memory preparation stage of an exploit. We implement a prototype of ChaffyScript, and our evaluation shows that it defeats the 11 latest JavaScript exploits with minimal runtime and memory overhead. It incurs at most 5.88% runtime overhead for Chrome and 12.96% for Firefox. The maximal memory overhead (JS heap usage), observed using the Octane benchmark, was 8.2%. To demonstrate the deployment flexibility of ChaffyScript, we have integrated it into a web proxy.
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Hu, X., Testa, B., Yin, H. (2019). ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_10
DOI: https://doi.org/10.1007/978-3-030-37228-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37227-9
Online ISBN: 978-3-030-37228-6
eBook Packages: Computer Science (R0)