S3 Lab - Software & Systems Security Laboratory

J-Force: Forced Execution on JavaScript

Kyungtae Kim, I Luk Kim, Chung Hwan Kim, Yonghwi Kwon, Yunhui Zheng, Xiangyu Zhang, and Dongyan Xu

Proceedings of the 26th International World Wide Web Conference (WWW) 2017.

Security, Program Analysis


Web-based malware equipped with stealthy cloaking and obfuscation techniques is becoming increasingly sophisticated. In this paper, we propose J-Force, a crash-free forced JavaScript execution engine that systematically explores possible execution paths and reveals malicious behaviors in such malware. In particular, J-Force records branch outcomes and mutates them for further exploration. J-Force inspects function parameter values that may reveal malicious intentions and expose suspicious DOM injections. We address a number of technical challenges along the way. For instance, we keep track of missing objects and DOM elements, and create them on demand. To verify the efficacy of our techniques, we apply J-Force to detect Exploit Kit (EK) attacks and malicious Chrome extensions. We observe that J-Force is more effective than existing tools.
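
The branch recording, outcome mutation and on-demand object creation described in the abstract, reduced to a toy harness. This is an added example, not code from the paper or the J-Force project. The `br` hook, `phantom`, `explore`, and the sample script with its `landing.example` URL are constructed for illustration, and the hand-wrapped branch conditions are an assumption made so the sketch runs without engine changes.

```javascript
// Toy forced-execution harness. Illustration only, not J-Force's implementation.
// Assumption: branch conditions are hand-wrapped in br(id, cond); an
// engine-level tool would hook branches without changing the script.

// Stand-in for a missing object or DOM element: any property read or call
// yields another stand-in, so a forced path never throws on absent state.
function phantom() {
  return new Proxy(() => {}, {
    get: (_, key) => (key === Symbol.toPrimitive ? () => "" : phantom()),
    apply: () => phantom(),
  });
}

// Constructed sample: the injection is reachable only in one environment.
function cloakedSample(env, br) {
  const { navigator, document } = env;
  if (br("ua", /MSIE 8/.test(String(navigator.userAgent)))) {
    if (br("plugins", navigator.plugins.length > 3)) {
      document.write("<iframe src='http://landing.example/'></iframe>");
    }
  }
}

function explore(script) {
  const findings = [];      // arguments seen at the DOM-injection sink
  const work = [[]];        // each entry: branch outcomes to force, in order
  let paths = 0;
  while (work.length > 0) {
    const forced = work.shift();
    const trace = [];       // outcomes actually taken on this run
    const br = (id, cond) => {
      const i = trace.length;
      const taken = i < forced.length ? forced[i] : Boolean(cond);
      trace.push({ id, taken });
      return taken;
    };
    const label = () => trace.map((t) => `${t.id}=${t.taken}`).join(",");
    const document = { write: (html) => findings.push({ path: label(), html: String(html) }) };
    script({ navigator: phantom(), document }, br);
    paths += 1;
    // Mutate each newly observed outcome to schedule the unexplored sibling path.
    for (let i = forced.length; i < trace.length; i++) {
      work.push([...trace.slice(0, i).map((t) => t.taken), !trace[i].taken]);
    }
  }
  return { paths, findings };
}
```

Calling `explore(cloakedSample)` runs three paths and reports the injected markup only on the path where both branch outcomes were forced to true, which a single natural run in this environment never reaches.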