Hiding in Plain Site: Detecting JavaScript Obfuscation through Concealed Browser API Usage

Proceedings of the ACM Internet Measurement Conference Pub Date : 2020-10-27 DOI:10.1145/3419394.3423616

Shaown Sarker, Jordan Jueckstock, A. Kapravelos

{"title":"Hiding in Plain Site: Detecting JavaScript Obfuscation through Concealed Browser API Usage","authors":"Shaown Sarker, Jordan Jueckstock, A. Kapravelos","doi":"10.1145/3419394.3423616","DOIUrl":null,"url":null,"abstract":"In this paper, we perform a large-scale measurement study of JavaScript obfuscation of browser APIs in the wild. We rely on a simple, but powerful observation: if dynamic analysis of a script's behavior (specifically, how it interacts with browser APIs) reveals browser API feature usage that cannot be reconciled with static analysis of the script's source code, then that behavior is obfuscated. To quantify and test this observation, we create a hybrid analysis platform using instrumented Chromium to log all browser API accesses by the scripts executed when a user visits a page. We filter the API access traces from our dynamic analysis through a static analysis tool that we developed in order to quantify how much and what kind of functionality is hidden on the web. When applying this methodology across the Alexa top 100k domains, we discover that 95.90% of the domains we successfully visited contain at least one script which invokes APIs that cannot be resolved from static analysis. We observe that eval is no longer the prominent obfuscation method on the web and we uncover families of novel obfuscation techniques that no longer rely on the use of eval.","PeriodicalId":255324,"journal":{"name":"Proceedings of the ACM Internet Measurement Conference","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-10-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the ACM Internet Measurement Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3419394.3423616","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 14

Abstract

In this paper, we perform a large-scale measurement study of JavaScript obfuscation of browser APIs in the wild. We rely on a simple, but powerful observation: if dynamic analysis of a script's behavior (specifically, how it interacts with browser APIs) reveals browser API feature usage that cannot be reconciled with static analysis of the script's source code, then that behavior is obfuscated. To quantify and test this observation, we create a hybrid analysis platform using instrumented Chromium to log all browser API accesses by the scripts executed when a user visits a page. We filter the API access traces from our dynamic analysis through a static analysis tool that we developed in order to quantify how much and what kind of functionality is hidden on the web. When applying this methodology across the Alexa top 100k domains, we discover that 95.90% of the domains we successfully visited contain at least one script which invokes APIs that cannot be resolved from static analysis. We observe that eval is no longer the prominent obfuscation method on the web and we uncover families of novel obfuscation techniques that no longer rely on the use of eval.

查看原文本刊更多论文

隐藏在普通站点:通过隐藏浏览器API使用检测JavaScript混淆

在本文中，我们对浏览器api的JavaScript混淆进行了大规模的测量研究。我们依赖于一个简单但强大的观察:如果对脚本行为的动态分析(特别是它如何与浏览器API交互)揭示了浏览器API特性的使用不能与脚本源代码的静态分析相协调，那么该行为就被混淆了。为了量化和测试这一观察结果，我们使用工具化的Chromium创建了一个混合分析平台，通过用户访问页面时执行的脚本记录所有浏览器API访问。我们通过我们开发的静态分析工具从动态分析中过滤API访问跟踪，以便量化网络上隐藏了多少和什么样的功能。当在Alexa前10万域名中应用此方法时，我们发现我们成功访问的95.90%的域名至少包含一个脚本，该脚本调用了无法从静态分析中解析的api。我们观察到eval不再是网络上突出的混淆方法，我们发现了新的混淆技术家族，不再依赖于eval的使用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the ACM Internet Measurement Conference

自引率

0.00%

发文量