J-FORCE : FORCED EXECUTION ON JAVASCRIPT Kyungtae Kim 1 , I Luk Kim - - PowerPoint PPT Presentation


J-FORCE : FORCED EXECUTION ON JAVASCRIPT. Kyungtae Kim [1], I Luk Kim [1], Chung-Hwan Kim [1], Yonghwi Kwon [1], Yunhui Zheng [2], Xiangyu Zhang [1], Dongyan Xu [1]. [1] Department of Computer Science, Purdue University; [2] IBM T.J. Watson Research Center, USA


SLIDE 1

J-FORCE: FORCED EXECUTION ON JAVASCRIPT

Kyungtae Kim [1], I Luk Kim [1], Chung-Hwan Kim [1], Yonghwi Kwon [1], Yunhui Zheng [2], Xiangyu Zhang [1], Dongyan Xu [1]

[1] Department of Computer Science, Purdue University
[2] IBM T.J. Watson Research Center, USA

SLIDE 2

JavaScript Malware

[Figure: a user is exploited by a malicious server; the delivery vectors shown are phishing email, SEO attack, advertising, and social network.]

SLIDE 3

Malware Example

[Figure: a drive-by infection chain. The slide's code boxes are reproduced below with the URL labels as they appear next to them; the arrows between boxes are labelled "Deobfuscation" and "Exploit / Payload".]

    <html> … <script src=…> … </html>
    http://mshops.com/shop.html

    function FC3d(DzV, lm8H2) { for(HPFY=0; DVz.length>HPFY; HPFY+=8) ... d5+=String.fromCharCode(...) ... return unescape(d5); } ... lTZI04 = FC3d(VkpZF, MG6V); eval(lTZI04);
    http://mcaptains.com/case.js

    k=document['createElement']('script') … k['text']=S5SSQ("AWFRMWtbFnshSQGIESFJaRB94ZxUBXVMbUeEVXXnddR9QGmpXbR9aa...."); ... d.appendChild(k);
    http://myattention.net/default.js

    ieTrue = navigator.userAgent.toLowerCase(); browserType = /msie[\/s]d+/i.test(ieTrue) … if(browserType) { ... /* attack code */ ... }

    Ad Network:
    elem.onmouseover = function() { … head.appendChild(script); }

SLIDE 4

Malware Analysis

  • Static analysis
    • Zozzle (Usenix Security '11)
  • Dynamic analysis
    • JSAND (WWW '10), Nozzle (Usenix Security '09)
  • Symbolic analysis
    • Jalangi (FSE '13), Rozzle (Oakland '12)

[Table: Static analysis, Dynamic analysis and Symbolic analysis compared on Coverage, Evasion, Obfuscation, Scalability and Precision.]

SLIDE 5

Traditional Malware Analysis

[Figure: the malware example from slide 3 (landing page, FC3d deobfuscation routine ending in eval, S5SSQ-decoded script injection, browser check guarding the malicious code, ad-network onmouseover handler appending a script), annotated "Exploit / Payload" and "Ad Network".]

Static and symbolic analysis fail to deobfuscate

SLIDE 6

Traditional Malware Analysis

[Figure: the same malware example as on slide 5, with the browser check if(browserType) { ... /* attack code */ ... } and the onmouseover handler highlighted.]

Dynamic analysis fails due to evasion

SLIDE 7

J-Force : Malware Analysis Engine

  • Forced execution engine on JavaScript
    • J-Force explores all execution paths by flipping the outcome of branch predicates
    • J-Force addresses technical challenges to avoid crashes during multiple executions
  • Handling event handlers
    • Force to execute handler code regardless of event condition
    • Fixed small time value for timer events
  • Handling dynamic code generation
    • Admit all code injections found along with multiple paths
    • E.g., eval(), <script> injection

SLIDE 8

J-Force Execution Model

  • Per-script path exploration

    <script>
      btn = document.createElement("button");
      btn.id = "mybutton";
      if (cond) {
        btn.innerHTML = "Remove";
      } else {
        btn.innerHTML = "Skip";
      }
      document.body.appendChild(btn);
    </script>
    ...
    <script>
      x = document.getElementById("mybutton");
      ...
    </script>

  Execution #1

SLIDE 9

J-Force Execution Model

  • Per-script path exploration

  [Same two script blocks as on slide 8.]

  Execution #2

SLIDE 10

J-Force Execution Model

  • Handling inter-block dependences

  [Same two script blocks as on slide 8: the second block's getElementById("mybutton") depends on the first block having run.]

SLIDE 11

J-Force Execution Model

  • Handling inter-block dependences

  [Same two script blocks as on slide 8.]

  Execution #3

SLIDE 12

J-Force on Malware Example

[Figure: the malware example from slide 3 with J-Force's interventions marked. At if(browserType) { /*malicious*/ }, J-Force forces the branch so the malicious block executes regardless of the user agent. At eval(lTZI04), the string produced by the deobfuscation routine, "elem.onmouseover = function() {…head.appendChild(script);}", is admitted as generated code and executed. Under Ad Network, the onmouseover handler is executed without waiting for the mouseover event.]

SLIDE 13

Crash Free Execution

  • Handling missing object/DOM
    • Keep track of missing object/DOM
    • Put them at the right place
  • Handling exception
    • Exception triggered by legacy APIs (e.g., attachEvent)
    • Place top-level handlers to handle uncaught exceptions
  • Page redirection
    • Load the target page in a separate frame
    • Each frame is independent of the others

SLIDE 14

Handling Missing Object

    x = new XMLHttpRequest();
    ...
    if (cond) x = null;
    if (x == null) return;
    x.send();

[Figure: the snippet is shown twice, for Execution #1 and Execution #2; Execution #2 is marked "fault".]

SLIDE 15

Handling Missing Object

    1. x = new XMLHttpRequest();   // -> Def1
    2. ...
    3. if (cond)
    4.   x = null;                 // -> Def2
    5. if (x == null)
    6.   return;
    7. x.send();

  crash (Execution #2)

  The slide's annotations "// -> Def1" and "// -> Def2" mark the two definitions of x; "// <- ( Def1 | Def2 )" marks the use of x that can be reached by either definition.
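As an added example (not code from the J-Force project), the following toy driver in JavaScript illustrates the execution model of slides 7-11 and the missing-object case of slides 14-15: every branch predicate is routed through a branch() hook so that each predicate is forced both ways, a fresh toy DOM is used per execution so the inter-block dependence between the two script blocks can be observed, and the null dereference that forcing the null check the wrong way produces is recorded rather than repaired. The branch() instrumentation, the Map-based DOM and the sample page are assumptions of this example.

```javascript
// Added example, not J-Force's code: a toy forced-execution driver. The script
// under test routes each branch predicate through branch(), which returns a
// forced outcome from the current path vector instead of the real condition.
// Paths are enumerated depth-first: after each run the deepest decision that
// has not been flipped yet is inverted, so every predicate is taken both ways.
function exploreAllPaths(script, maxPaths = 64) {
  const results = [];
  let stack = [];                      // [{value, flipped}] indexed by branch depth
  while (results.length < maxPaths) {
    const taken = [];
    const branch = (realOutcome) => {
      const depth = taken.length;
      const value = depth < stack.length ? stack[depth].value : Boolean(realOutcome);
      taken.push(value);
      return value;
    };
    const dom = new Map();             // fresh toy DOM for each execution (a reload)
    let log;
    try { log = script(branch, dom); } catch (e) { log = ['crash: ' + e.message]; }
    results.push({ path: taken.slice(), log });
    // Merge this run's decisions into the stack, then flip the deepest unflipped one.
    stack = taken.map((v, i) => (i < stack.length ? stack[i] : { value: v, flipped: false }));
    while (stack.length && stack[stack.length - 1].flipped) stack.pop();
    if (!stack.length) break;          // every decision flipped both ways: done
    stack[stack.length - 1] = { value: !stack[stack.length - 1].value, flipped: true };
  }
  return results;
}

// Constructed page modelled on slides 8-11 and 14: two script blocks with an
// inter-block dependence through the DOM, then a null check guarding x.send().
function samplePage(branch, dom) {
  const log = [];
  // <script> #1: the button is created on either branch, so #2 always finds it.
  const btn = { id: 'mybutton', innerHTML: '' };
  btn.innerHTML = branch(true) ? 'Remove' : 'Skip';    // real cond assumed true
  dom.set(btn.id, btn);
  // <script> #2: depends on #1 having run in the same execution.
  const found = dom.get('mybutton');
  log.push(found ? 'found ' + found.innerHTML : 'missing mybutton');
  // Missing-object case: forcing "if (x == null)" to false after x was forced to
  // null dereferences null; J-Force must absorb this crash, here it is only logged.
  let x = { send: () => log.push('sent') };
  if (branch(false)) x = null;                          // real cond assumed false
  if (branch(x == null)) return log;
  x.send();
  return log;
}

function summarize(results) {
  return { paths: results.length, crashes: results.filter((r) => r.log[0].startsWith('crash')).length };
}
```

With three forced predicates the driver explores all 8 paths; the two that force the null check to false after forcing x to null end in the crash that slides 13-15 describe.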

SLIDE 16

Evaluation

  • Implemented on WebKit-r171233 with GTK+ port
  • Effectiveness
    • Exploit Kit
    • Chrome extensions
  • Efficiency
    • Performance overhead
    • Code coverage

SLIDE 17

Experiment on Exploit Kit

  • 50 exploit kit samples
    • http://malware-traffic-analysis.net/index.html
    • 5 exploit kit types (each one has 10 samples)
  • 4 general steps
    • Obfuscation, Evasion, Exploiting vulnerabilities, Payload delivery

[Two bar charts, y-axis 2 to 10: "# of Handled Obfuscations" and "# of Handled Evasions" per exploit kit (SweetOrange, Magnitude, Nuclear, Rig, Angler) for Native, Rozzle, WebEval and J-Force.]

SLIDE 18

Experiment on Chrome Extensions

  • Crawled 12,123 extensions from Chrome Web Store
  • Simulated Chrome specific APIs
  • Two suspicious behaviors
    • Information leak
    • Ad-injection

[Bar chart, y-axis 100 to 400: Information Leak and Ad-Injection cases found by Hulk, Expector, WebEval and J-Force.]

J-Force: 352 cases; others: less than 209 cases

SLIDE 19

Efficiency

  • Extracted 100 JavaScript samples from Alexa domains
  • Code coverage
    • J-Force: 95% coverage
    • Concolic: less than 70%
  • Performance overhead
    • J-Force (L-path): 2-8 times
    • J-Force (E-path): 2-300 times
    • Concolic: 10-10,000 times

SLIDE 20

Conclusion

  • J-Force is a forced execution engine that explores all possible paths to expose hidden malware behaviors.
  • J-Force addresses technical challenges to avoid crashes during continuous path exploration.
  • We validate the efficacy of J-Force through an extensive set of experiments on real-world examples.

SLIDE 21

Q & A

  • Thank you for listening!