DOI: 10.1145/3038912.3052674
Research article, Public Access

J-Force: Forced Execution on JavaScript

Published: 03 April 2017

Abstract

Web-based malware equipped with stealthy cloaking and obfuscation techniques is becoming more sophisticated. In this paper, we propose J-FORCE, a crash-free forced JavaScript execution engine that systematically explores possible execution paths and reveals malicious behaviors in such malware. In particular, J-FORCE records branch outcomes and mutates them for further exploration. J-FORCE inspects function parameter values that may reveal malicious intentions and expose suspicious DOM injections. We addressed a number of technical challenges along the way; for instance, we keep track of missing objects and DOM elements and create them on demand. To verify the efficacy of our techniques, we apply J-FORCE to detect Exploit Kit (EK) attacks and malicious Chrome extensions. We observe that J-FORCE is more effective than existing tools.
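The branch-outcome recording, outcome flipping and on-demand creation of missing objects that the abstract describes, as an added JavaScript illustration that is not J-Force's own code (J-Force instruments the engine itself; this toy driver needs the analysed script to route decisions through a `branch` hook). The `stub`, `forceExecute`, `sampleScript` names and the `landing.example` URL are constructed for this example.

```javascript
// Stand-in for a missing object: any property access or call yields another
// stand-in, and it converts to '' so comparisons and String() never throw.
function stub() {
  return new Proxy(() => {}, {
    get: (_t, prop) => (prop === Symbol.toPrimitive ? () => '' : stub()),
    apply: () => stub(),
  });
}
function forceExecute(script, maxPaths = 32) {
  const sinks = [];   // parameter values observed at the document.write sink
  const created = []; // names of missing globals created on demand
  const env = new Proxy({ document: { write: (s) => sinks.push(String(s)) } }, {
    get: (t, prop) => {
      if (!(prop in t)) { created.push(String(prop)); t[prop] = stub(); }
      return t[prop];
    },
  });
  const paths = [], seen = new Set();
  const work = [[]];  // forced outcome prefixes to try; [] means run naturally
  while (work.length && paths.length < maxPaths) {
    const forced = work.shift(), trace = [];
    const branch = (_id, cond) => {
      const k = trace.length; // forced outcome inside the prefix, real one after
      trace.push(k < forced.length ? forced[k] : Boolean(cond));
      return trace[k];
    };
    script(branch, env);
    const key = trace.map(Number).join('');
    if (seen.has(key)) continue;
    seen.add(key);
    paths.push(trace);
    // schedule one more run per decision taken freely in this run, flipped
    for (let j = forced.length; j < trace.length; j++) {
      work.push([...trace.slice(0, j), !trace[j]]);
    }
  }
  return { paths, sinks, created };
}
// Constructed sample of a cloaked script: the DOM injection is only reached
// when the environment looks like one particular victim browser.
function sampleScript(branch, env) {
  const ua = String(env.navigator.userAgent); // navigator is missing here
  if (branch('ua', ua.indexOf('MSIE') !== -1)) {
    if (branch('plugin', env.navigator.plugins.length > 0)) {
      env.document.write('<iframe src="http://landing.example/ek"></iframe>');
    } else {
      env.document.write('<p>nothing here</p>');
    }
  }
}
```

Running `forceExecute(sampleScript)` covers all three paths, reports that `navigator` had to be created, and surfaces the iframe string at the write sink even though the natural run never reaches it.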




Published In

WWW '17: Proceedings of the 26th International Conference on World Wide Web
April 2017
1678 pages
ISBN:9781450349130

Sponsors

  • IW3C2: International World Wide Web Conference Committee

Publisher

International World Wide Web Conferences Steering Committee

Republic and Canton of Geneva, Switzerland


Author Tags

  1. evasion
  2. javascript
  3. malware
  4. security

Qualifiers

  • Research-article

Funding Sources

  • DARPA
  • NSF
  • ONR
  • Cisco Systems

Conference

WWW '17
Sponsor:
  • IW3C2

Acceptance Rates

WWW '17 paper acceptance rate: 164 of 966 submissions, 17%
Overall acceptance rate: 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (Last 12 months)220
  • Downloads (Last 6 weeks)43
Reflects downloads up to 30 Jan 2025

Cited By

  • (2024) A Packet Content-Oriented Remote Code Execution Attack Payload Detection Model. Future Internet 16(7), 235. DOI: 10.3390/fi16070235. Online publication date: 2 Jul 2024.
  • (2024) Blocking Tracking JavaScript at the Function Granularity. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 2177-2191. DOI: 10.1145/3658644.3670329. Online publication date: 2 Dec 2024.
  • (2024) Reducing Static Analysis Unsoundness with Approximate Interpretation. Proceedings of the ACM on Programming Languages 8(PLDI), pages 1165-1188. DOI: 10.1145/3656424. Online publication date: 20 Jun 2024.
  • (2024) SelfPiCo: Self-Guided Partial Code Execution with LLMs. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 1389-1401. DOI: 10.1145/3650212.3680368. Online publication date: 11 Sep 2024.
  • (2024) Define-Use Guided Path Exploration for Better Forced Execution. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 287-299. DOI: 10.1145/3650212.3652128. Online publication date: 11 Sep 2024.
  • (2024) Detecting and Understanding Self-Deleting JavaScript Code. Proceedings of the ACM Web Conference 2024, pages 1768-1778. DOI: 10.1145/3589334.3645540. Online publication date: 13 May 2024.
  • (2024) LightJD: A Lightweight JavaScript Drive-by Download Detection Framework. 2024 IEEE 2nd International Conference on Sensors, Electronics and Computer Engineering (ICSECE), pages 190-196. DOI: 10.1109/ICSECE61636.2024.10729359. Online publication date: 29 Aug 2024.
  • (2024) JSMBox—A Runtime Monitoring Framework for Analyzing and Classifying Malicious JavaScript. Software and Data Engineering, pages 100-122. DOI: 10.1007/978-3-031-75201-8_8. Online publication date: 19 Oct 2024.
  • (2023) LExecutor: Learning-Guided Execution. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 1522-1534. DOI: 10.1145/3611643.3616254. Online publication date: 30 Nov 2023.
  • (2023) An Empirical Study on the Effects of Obfuscation on Static Machine Learning-Based Malicious JavaScript Detectors. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 1420-1432. DOI: 10.1145/3597926.3598146. Online publication date: 12 Jul 2023.
