J-FORCE: FORCED EXECUTION ON JAVASCRIPT
Kyungtae Kim (1), I Luk Kim (1), Chung-Hwan Kim (1), Yonghwi Kwon (1), Yunhui Zheng (2), Xiangyu Zhang (1), Dongyan Xu (1)
(1) Department of Computer Science, Purdue University
(2) IBM T.J. Watson Research Center, USA
JavaScript Malware
[Figure: infection vectors for JavaScript malware (SEO attack, advertising, social network, phishing email) that lead a user to a malicious or exploited server, whose script then exploits the user.]
Malware Example
[Figure: an infection chain across three scripts, each obfuscated and each gated by a check that hides the next stage.]
http://mcaptains.com/case.js (obfuscated):
  function FC3d(DzV, lm8H2) { for(HPFY=0;DVz.length>HPFY;HPFY+=8)...d5+=String.fromCharCode(...)...return..unescape(d5);}
  ...lTZI04 = FC3d(VkpZF, …, MG6V); eval(lTZI04);
Deobfuscation of lTZI04 yields:
  elem.onmouseover = function() { ... head.appendChild(script); ... }
http://mshops.com/shop.html (ad network page pulled in by the injected script):
  <html> ... <script src=…> ... </html>
http://myattention.net/default.js (obfuscated):
  k=document['createElement']('script')…k['text']=S5SSQ("AWFRMWtbFnshSQGIESFJaRB94ZxUBXVMbUeEVXXnddR9QGmpXbR9aa....");...d.appendChild(k);
Deobfuscation yields the exploit / payload stage:
  ieTrue = navigator.userAgent.toLowerCase(); browserType = /msie[\/s]d+/i.test(ieTrue)…
  if( browserType ) { ... /* attack code */ ... }
Malware Analysis
• Static analysis: Zozzle (USENIX Security '11)
• Dynamic analysis: JSAND (WWW '10), Nozzle (USENIX Security '09)
• Symbolic analysis: Jalangi (FSE '13), Rozzle (Oakland '12)
[Table: static, dynamic and symbolic analysis compared on Coverage, Evasion, Obfuscation, Scalability and Precision; the per-cell ratings are not recoverable.]
Traditional Malware Analysis
• Static and symbolic analysis fail to deobfuscate: the attack code only exists after FC3d() decodes lTZI04 and eval() runs it, and after S5SSQ() decodes the injected script text.
[Figure: the malware example from the previous slide, repeated.]
Traditional Malware Analysis
• Dynamic analysis fails due to evasion: the attack code is guarded by if( browserType ), so it never runs unless the analysis browser reports the targeted user agent.
[Figure: the malware example from the previous slide, repeated.]
J-Force: Malware Analysis Engine
• Forced execution engine for JavaScript
• J-Force explores all execution paths by flipping the outcomes of branch predicates
• J-Force addresses the technical challenges of avoiding crashes across repeated executions
• Handling event handlers
  • Handler code is forced to execute regardless of whether the event condition holds
  • Timer events are given a fixed small delay
• Handling dynamic code generation
  • All code injected along any explored path is admitted
  • E.g., eval(), <script> injection
J-Force Execution Model
• Per-script path exploration: each <script> block is explored on its own, one path per execution.
  <script>
  btn = document.createElement("button");
  btn.id = "mybutton";
  if (cond) {
    btn.innerHTML = "Remove";
  } else {
    btn.innerHTML = "Skip";
  }
  document.body.appendChild(btn);
  </script>
  ...
  <script>
  x = document.getElementById("mybutton");
  ...
  </script>
• Execution #1: first block, the if-branch is taken (btn.innerHTML = "Remove").
• Execution #2: first block, the else-branch is taken (btn.innerHTML = "Skip").
• Handling inter-block dependences: the second block reads the "mybutton" element that the first block created, so the DOM state produced by the first block must be preserved when the second block is explored.
• Execution #3: second block, run against the DOM left behind by the first block.
J-Force on Malware Example
[Figure: the malware example, annotated with what J-Force forces at each stage.]
• case.js: eval(lTZI04) is admitted on every explored path, so the generated code "elem.onmouseover = function() {…head.appendChild(script);}" is captured, and the onmouseover handler is forced to run, which loads the ad-network page.
• default.js: the evasion check if( browserType ) is flipped on a forced path, so the /* malicious */ attack code executes and the exploit / payload stage is exposed.
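The execution model above (flip each branch predicate, force event handlers, fire timers immediately, admit eval()'d code) as a runnable toy, added here as an example; it is not J-Force's code and the sample it analyses is a constructed stand-in shaped like case.js, not the real malware. Assumptions: the program under analysis routes every predicate through env.branch() and every handler registration through env.on() (J-Force does this by instrumenting the engine, here it is done by hand), the browser stub's user agent is a Chrome string, the hex "decoder" and the path cap of 64 are inventions for the example, and a registered handler is simply invoked at registration time.

```javascript
'use strict';

// Toy forced-execution explorer (added example, not J-Force's own code).
// A forced path is a prefix of prescribed branch outcomes; every decision
// beyond the prefix takes its real outcome and is later flipped once to
// spawn a further path, so all paths of the sample are eventually reached.
function forcedExplore(program, opts = {}) {
  const maxPaths = opts.maxPaths || 64;                         // assumed cap
  const userAgent = opts.userAgent || 'Mozilla/5.0 (X11; Linux x86_64) Chrome/58.0';
  const worklist = [[]];                                        // prefixes to run
  const seen = new Set();
  const results = [];
  while (worklist.length > 0 && results.length < maxPaths) {
    const prefix = worklist.shift();
    const key = prefix.join(',');
    if (seen.has(key)) continue;
    seen.add(key);
    const trace = [];                                           // outcomes of this run
    const env = {
      navigator: { userAgent },                                 // constructed browser stub
      evals: [], handlers: [], log: [],
      // Forced outcome while inside the prefix, real outcome afterwards.
      branch(actual) {
        const i = trace.length;
        const outcome = i < prefix.length ? prefix[i] : Boolean(actual);
        trace.push(outcome);
        return outcome;
      },
      // Dynamically generated code is recorded, then admitted and run.
      eval(code) { env.evals.push(code); return new Function('env', code)(env); },
      // Handler code is forced to run regardless of the event condition.
      on(event, handler) { env.handlers.push(event); handler({ type: event, forced: true }); },
      // Timer callbacks fire after a fixed (here zero) delay.
      setTimeout(fn) { fn(); },
    };
    let error = null;
    try { program(env); } catch (e) { error = e; }
    results.push({ prefix, trace, evals: env.evals, handlers: env.handlers, log: env.log, error });
    // Schedule one flip for every decision that was not already forced.
    for (let k = prefix.length; k < trace.length; k++) {
      worklist.push([...trace.slice(0, k), !trace[k]]);
    }
  }
  return results;
}

// Constructed sample shaped like the slide's case.js: a hex-encoded loader that
// is decoded and eval()'d, an onmouseover handler that injects a script, and a
// browser check that keeps the attack code away from a non-IE analysis browser.
function toHex(s) {
  return Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
const LOADER = `
  env.on('mouseover', function () {
    env.log.push('head.appendChild(script)');
    var ieTrue = env.navigator.userAgent.toLowerCase();
    var browserType = /msie[\\/\\s]\\d+/i.test(ieTrue);
    if (env.branch(browserType)) { env.log.push('attack code'); } else { env.log.push('benign stub'); }
  });`;
const ENCODED_LOADER = toHex(LOADER);        // what the sample actually carries

function sampleMalware(env) {
  function FC3d(s) {                         // stands in for the slide's decoder
    var d5 = '';
    for (var i = 0; i < s.length; i += 2) d5 += String.fromCharCode(parseInt(s.slice(i, i + 2), 16));
    return d5;
  }
  var ieTrue = env.navigator.userAgent.toLowerCase();
  var browserType = /msie[\/\s]\d+/i.test(ieTrue);
  if (env.branch(browserType)) {             // evasion: only IE ever decodes the loader
    env.eval(FC3d(ENCODED_LOADER));
  }
  env.log.push('done');
}

// Number of explored paths whose log contains a given marker.
function pathsReaching(results, marker) {
  return results.filter(r => r.log.includes(marker)).length;
}

forcedExplore(sampleMalware).forEach((r, n) =>
  console.log(`path ${n}: trace=${JSON.stringify(r.trace)} log=${JSON.stringify(r.log)}`));
```

The native run (path 0) never decodes the loader, which is all a plain dynamic analysis would see. Flipping the first predicate yields the eval()'d handler and the script injection, and flipping the predicate inside the forced handler reaches the attack code, the three runs the slide shows for eval(lTZI04) and if( browserType ). Real J-Force instruments the JavaScript engine instead of requiring env.branch() calls, and invokes handlers at a proper point rather than at registration.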
Crash-Free Execution
• Handling missing objects / DOM
  • Keep track of the missing object or DOM node
  • Put a stand-in at the right place
• Handling exceptions
  • Exceptions triggered by legacy APIs (e.g., attachEvent)
  • Install top-level handlers for uncaught exceptions
• Page redirection
  • Load the target page in a separate frame
  • Each frame is independent of the others
Handling Missing Object
  1. x = new XMLHttpRequest(); // -> Def 1
  2. ...
  3. if (cond)
  4.   x = null;               // -> Def 2
  5. if (x == null)
  6.   return;
  7. x.send();                 // <- ( Def 1 | Def 2 )
• Execution #1 (native path): line 4 is not taken, x holds Def 1, and x.send() on line 7 succeeds.
• Execution #2 (forced path): line 4 is forced (x = null, Def 2) and the null check on line 5 is then flipped so that line 6 does not return; x.send() on line 7 dereferences null and the execution crashes (fault).
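The Def 1 / Def 2 crash above, and the "track the missing object and put a stand-in at the right place" remedy, as an added example that is not J-Force's code. Assumptions: the program routes branch outcomes through env.branch() and object dereferences through env.deref() (J-Force instruments the engine to observe these; here the sample calls them explicitly), the XMLHttpRequest stub and the cond flag are constructed for the example, and the stand-in is a Proxy that records and absorbs any property access, call or assignment instead of faulting.

```javascript
'use strict';

// A placeholder standing in for a missing object (added example). Every
// property read yields another placeholder, calls succeed, writes are accepted,
// and each access is logged with the path through which it was reached.
function makePlaceholder(log, path) {
  const target = function () {};
  return new Proxy(target, {
    get(_, prop) {
      if (typeof prop === 'symbol') return undefined;  // coercions, iterators: nothing to offer
      const next = `${path}.${String(prop)}`;
      log.push(next);
      return makePlaceholder(log, next);
    },
    apply() {
      log.push(`${path}(...)`);
      return makePlaceholder(log, `${path}()`);
    },
    set(_, prop) {
      log.push(`${path}.${String(prop)} =`);
      return true;
    },
  });
}

// Run `program` along one forced path: `decisions[i]` is the outcome prescribed
// for the i-th branch; later branches take their real outcome. With the remedy
// enabled, a null/undefined value reaching a dereference is recorded as a
// missing object and replaced by a placeholder at that site.
function runForced(program, decisions, opts = {}) {
  const remedy = opts.remedy !== false;
  let i = 0;
  const env = {
    cond: false,                           // constructed: the native outcome of "if (cond)"
    missing: [],                           // dereference sites where an object was missing
    log: [],
    branch(actual) {
      const outcome = i < decisions.length ? decisions[i] : Boolean(actual);
      i++;
      return outcome;
    },
    XMLHttpRequest() {                     // constructed stub for the example
      return { send() { env.log.push('real send()'); } };
    },
    deref(value, site) {
      if (value !== null && value !== undefined) return value;
      env.missing.push(site);
      if (!remedy) return value;           // naive engine: let the fault happen
      return makePlaceholder(env.log, site);
    },
  };
  let result;
  let error = null;
  try { result = program(env); } catch (e) { error = e; }
  return { result, error: error ? String(error) : null, missing: env.missing, log: env.log };
}

// The slide's program, with its branches and the dereference on line 7 hooked.
function sample(env) {
  var x = env.XMLHttpRequest();            // Def 1
  if (env.branch(env.cond)) {
    x = null;                              // Def 2
  }
  if (env.branch(x == null)) {
    return 'returned';
  }
  env.deref(x, 'x').send();                // Def 1 | Def 2: null only on a forced path
  return 'sent';
}

console.log('native     :', runForced(sample, []));
console.log('forced/naive:', runForced(sample, [true, false], { remedy: false }));
console.log('forced/fixed:', runForced(sample, [true, false]));
```

The forced path [true, false] takes x = null and then flips the null check, which is exactly the Execution #2 fault; with the remedy the path completes, the missing object is recorded at site 'x', and the log shows which members the malware would have used on it (here x.send). Absorbing every access this way is a deliberate over-approximation: the goal of forced execution is to expose behaviour, not to compute faithful values, and a placeholder that is too permissive can only make more code run.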
Evaluation
• Implemented on WebKit-r171233 with the GTK+ port
• Effectiveness
  • Exploit kits
  • Chrome extensions
• Efficiency
  • Performance overhead
  • Code coverage
Experiment on Exploit Kits
• 50 exploit kit samples from http://malware-traffic-analysis.net/index.html
• 5 exploit kit types (10 samples each): SweetOrange, Magnitude, Nuclear, Rig, Angler
• 4 general steps: obfuscation, evasion, exploiting vulnerabilities, payload delivery
[Bar charts: "# of Handled Evasions" and "# of Handled Obfuscations" per exploit kit (0 to 10 samples each), comparing J-Force, WebEval, Rozzle and native execution.]
Experiment on Chrome Extensions
• Crawled 12,123 extensions from the Chrome Web Store
• Simulated Chrome-specific APIs
• Two suspicious behaviors: information leak, ad-injection
• J-Force: 352 cases; others (WebEval, Expector, Hulk): fewer than 209 cases
[Bar chart: detected information-leak and ad-injection cases (0 to 400) for J-Force, WebEval, Expector and Hulk.]
Efficiency
• Extracted 100 JavaScript samples from Alexa domains
• Code coverage: J-Force 95%; concolic execution less than 70%
• Performance overhead: J-Force (L-path) 2-8x; J-Force (E-path) 2-300x; concolic execution 10-10,000x
Conclusion
• J-Force is a forced execution engine that explores all possible paths to expose hidden malware behaviors.
• J-Force addresses the technical challenges of avoiding crashes during continuous path exploration.
• We validate the efficacy of J-Force through an extensive set of experiments on real-world examples.
Q & A
• Thank you for listening!