ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation

  • Conference paper

Abstract

JavaScript has been used to exploit binary vulnerabilities in host software that would otherwise be difficult to exploit; such exploits pose a severe threat to computer security. Although software vendors have deployed techniques such as ASLR and sandboxing to mitigate JavaScript exploits, hacking contests (e.g., Pwn2Own, GeekPwn) have demonstrated that the latest software (e.g., Chrome, IE, Edge, Safari) can still be exploited. An ideal JavaScript exploit mitigation should be flexible and deployable without requiring code changes. To this end, we propose ChaffyScript, a vulnerability-agnostic mitigation system that thwarts JavaScript exploits by undermining the memory preparation stage of the exploit. We implement a prototype of ChaffyScript, and our evaluation shows that it defeats the 11 latest JavaScript exploits with minimal runtime and memory overhead: at most 5.88% runtime overhead for Chrome and 12.96% for Firefox. The maximal memory overhead in JS heap usage, observed with the Octane benchmark, was 8.2%. To demonstrate the deployment flexibility of ChaffyScript, we have integrated it into a web proxy.


Author information

Corresponding author

Correspondence to Xunchao Hu.

Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Hu, X., Testa, B., Yin, H. (2019). ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_10

  • DOI: https://doi.org/10.1007/978-3-030-37228-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37227-9

  • Online ISBN: 978-3-030-37228-6

  • eBook Packages: Computer Science (R0)
