S3 Lab - Software & Systems Security Laboratory

J-Force: Forced Execution on JavaScript

Kyungtae Kim, I Luk Kim, Chung Hwan Kim, Yonghwi Kwon, Yunhui Zheng, Xiangyu Zhang, and Dongyan Xu

Proceedings of the 26th International World Wide Web Conference (WWW) 2017.

areas
Security, Program Analysis

abstract

Web-based malware equipped with stealthy cloaking and obfuscation techniques is becoming more sophisticated nowadays. In this paper, we propose J-Force, a crash-free forced JavaScript execution engine to systematically explore possible execution paths and reveal malicious behaviors in such malware. In particular, J-Force records branch outcomes and mutates them for further explorations. J-Force inspects function parameter values that may reveal malicious intentions and expose suspicious DOM injections. We addressed a number of technical challenges encountered. For instance, we keep track of missing objects and DOM elements, and create them on demand. To verify the efficacy of our techniques, we apply J-Force to detect Exploit Kit (EK) attacks and malicious Chrome extensions. We observe that J-Force is more effective compared to the existing tools.