J-Force: Forced Execution on JavaScript

Authors Chung Hwan Kim Dongyan Xu I Luk Kim Kyungtae Kim Xiangyu Zhang Yonghwi Kwon Yunhui Zheng

Plaintext

Kyungtae Kim, I Luk Kim, Chung Hwan Kim, Yonghwi Kwon,
Yunhui Zheng∗ , Xiangyu Zhang, Dongyan Xu
∗
Department of Computer Science, Purdue University, USA IBM T.J. Watson Research Center, USA
{kim1798, kim1634, chungkim, kwon58, xyzhang, dxu}@cs.purdue.edu zhengyu@us.ibm.com

ABSTRACT they can only cover one concrete execution path in one run and may
Web-based malware equipped with stealthy cloaking and obfusca- be unable to hit the spot that conceals malicious behaviors.
tion techniques is becoming more sophisticated nowadays. In this To address the limitations, symbolic and concolic execution based
paper, we propose J-F ORCE, a crash-free forced JavaScript exe- techniques [32, 31, 33] have also been proposed to analyze JavaScript
cution engine to systematically explore possible execution paths programs. While they can generate program inputs and drive the
and reveal malicious behaviors in such malware. In particular, J- execution along various feasible paths, due to the limitations of the
F ORCE records branch outcomes and mutates them for further ex- constraint solvers, overcoming state explosion and handling com-
plorations. J-F ORCE inspects function parameter values that may plex JavaScript operations (e.g., dynamic type conversions, arith-
reveal malicious intentions and expose suspicious DOM injections. metic/string operations) are still open problems, especially for non-
We addressed a number of technical challenges encountered. For trivial programs built atop various frameworks and other obfus-
instance, we keep track of missing objects and DOM elements, and cated programs.
create them on demand. To verify the efficacy of our techniques, In this paper, we propose J-F ORCE, a crash-free1 JavaScript forced
we apply J-F ORCE to detect Exploit Kit (EK) attacks and malicious execution engine. J-F ORCE combines the advantages of static and
Chrome extensions. We observe that J-F ORCE is more effective dynamic approaches: Similar to dynamic analysis, J-F ORCE exe-
compared to the existing tools. cutes the program so that obfuscation is not an obstacle anymore.
To increase the coverage, J-F ORCE forces the execution to go along
different paths. In particular, J-F ORCE records the outcomes of
Keywords branch predicates, mutates them, and explores unvisited paths via
JavaScript; Security; Malware; Evasion multiple executions. This iterative path exploration process con-
tinues until all possible paths are explored. Hence, J-F ORCE can
1. INTRODUCTION expose not only malicious code that can only be triggered by con-
Web-based applications powered by JavaScript are becoming more ditions uneasily met, but also code blocks that are dynamically cre-
widespread, interactive and powerful. In the meanwhile, they are ated and injected. Additionally, J-F ORCE further uncovers paths
attractive targets of various attacks. Unfortunately, detecting and hidden in event and exception handlers. J-F ORCE can detect eva-
analyzing malicious web apps against diverse combinations of ex- sive attacks triggered by non-deterministic events.
ploits and evasive techniques is complicated and challenging. Al- We evaluate J-F ORCE on 50 real-world exploits in popular EKs [1,
though various detection schemes have been proposed [14, 27, 13], 2] and over 12, 000 Chrome extensions. J-F ORCE successfully ex-
they still suffer from sophisticated attacks such as cloaking attacks [21, posed the hidden code of 41 exploits and found that more than 300
35, 22]. Chrome extensions inject advertisements. We also run J-F ORCE
Both static and dynamic approaches have been applied to detect on 100 JavaScript samples and measure its code coverage capacity.
JavaScript malware. Static analysis (e.g., [9, 8]) considers multiple The results show that J-F ORCE can cover 95% of the code with
execution paths and usually achieves better code coverage. How- 2-8x overhead, which is significantly effective than a popular con-
ever, JavaScript is highly dynamic. Static approach may be impre- colic execution technique (68% coverage, 10-10, 000x overhead).
cise and even incapable due to over-approximations and obfusca- In summary, this paper makes the following contributions.
tions. This is a critical limitation since obfuscations have been the • We propose J-F ORCE, a JavaScript forced execution engine
most common practice to hide the real intentions for protections or that explores all possible paths to expose hidden malware be-
malicious reasons. By contrast, dynamic analysis techniques (e.g., haviors. J-F ORCE records and switches branch outcomes to
[16, 32]) execute the program and thus can reveal concrete behav- explore new paths. J-F ORCE unveils function parameter val-
iors even in an obfuscated program. However, a downside is that ues to detect malicious intentions and DOM injection attacks.
• We address several technical challenges to avoid crashes dur-
ing the continuous path explorations. For instance, J-F ORCE
c 2017 International World Wide Web Conference Committee (IW3C2), keeps track of missing objects/DOM nodes and creates them
published under Creative Commons CC BY 4.0 License. on demand. J-F ORCE can tolerate critical exceptions and
WWW 2017, April 3–7, 2017, Perth, Australia. handle infinite loops/recursions.
ACM 978-1-4503-4913-0/17/04. • We validate the efficacy of J-F ORCE through an extensive set
http://dx.doi.org/10.1145/3038912.3052674 of experiments on real-world exploits and web browser ex-
1
In our paper, crash-free is about avoiding or handling JavaScript
. exceptions.
http://bbb.com/shop2.html http://ppp.org/abc.js obfuscated Timer handler
<html>
function FC3d(DzV, lm8H2) {
EDXGD= function() { J-Force Driver Object Management
…
<script> …
for(HPFY=0;DVz.length>HPFY;HPFY+=8)
… Internet ... d5+=String.fromCharCode(...)...return elem.appendChild(script);
</script> unescape(d5);} eval } Exec #1 Exception
… ... setTimeout(EDXGD, 10); Exec #2 Management
</html> lTZI04 = FC3d(VkpZF,MG6V);eval(lTZI04);
obfuscated
ieTrue = navigator.userAgent.toLowerCase() k=document[‘createElement’](‘script’) …
Exploit / browser = /msie[\/s]d+/i.test(ieTrue) …
Payload … k[‘text’]=S5SSQ(“AWFRMWtbFnshSQG DOM Management
if(browser) { IESFJaRB94ZxUBXVMbUeEVXXnddR9Q
... GmpXbR9aa....”);
e.insertBefore(a,b); ...
} d.appendChild(k);
http://ggg.net/opq.js

Figure 1: Stealthy Exploit Kit Attack.

tensions. J-F ORCE successfully disclosed the hidden code in
41 exploits and detected more than 300 ad-injecting exten-
sions. Also, we show that J-F ORCE can achieve 95% code Figure 2: Overview of J-F ORCE.
coverage and is 2-8x faster than the state-of-the-art on 100
1. <script>
JavaScript samples. 2. if (...) {
3. btn = document.createElement("button");
Our work focuses on understanding malicious code that is present 4. btn.id = "mybutton";
on the client, so server-side cloaking or evasion is out-of-scope. 5. btn.innerHTML = "Remove";
6. } else {
7. btn = document.createElement("button");
8. btn.id = "mybutton";
2. MOTIVATION 9.
10. }
btn.innerHTML = "Skip";

11. document.body.appendChild(btn);
Recently, Exploit Kits (EKs) have been favored by cybercrim- 12. </script>
inals to perform web-based attacks. In the last year alone, more 13.
14.
...
<script>
than 14 attacks were reported to CVE2 . Since EKs are specially 15. x = document.getElementById("mybutton");
16. if (...) {...}
designed to exploit known browser related defects, such attacks 17. if (...) {...}
are highly effective: once a vulnerable client reaches the actual 18. </script>

EK landing page, EK will silently download and install a malware. Figure 3: Example for per-block path exploration.
Therefore, as a defense, it is critical to identify suspicious EK de-
livery at the first place. Among various delivery vectors, malver-
tising [10, 37] is one of the most dangerous and successful deliv- it is challenging for such techniques to be scalable to complicated
ery approaches. In this section, we show a real-world EK deliv- and large real-world JavaScript programs due to the limitations im-
ery equipped with layered obfuscation and cloaking techniques to posed by the underlying constraint solvers.
demonstrate our approach. Unfortunately, as shown in Table 1, existing JavaScript malware
Fig. 1 presents a carefully designed multi-layer EK attack chain detection tools are not effective to detect such malware in a scalable
featured with collaborative cloaking techniques such as code obfus- way. In particular, while Rozzle [22] performs path explorations on
cation, dynamically created scripts and evasive paths: (1) The first JavaScript programs to reveal evasive malicious behaviors, it can-
obfuscated JS(JavaScript) snippet (http://ppp.org/abc.js) not disclose code in event handlers as its analysis scope is limited
is delivered to a legitimate website via malvertising. (2) When to functions that are explicitly invoked.
it is evaluated during the page loading, it creates a piece of dy-
J-F ORCE Overview. J-F ORCE employs a forced execution tech-
namic code from strings using eval. (3) The function EDXGD
nique by switching branch outcomes and invoking event handlers.
in the resulting snippet injects code for the next. Interestingly,
As shown in Fig. 2, J-F ORCE explores feasible paths and reveals all
EDXGD is injected as an event handler and can only be invoked
the instructions irrespective of branch conditions in multiple con-
when the timeout event is fired. Once evaluated, the second piece
crete executions. Also, event and exception handlers are forcibly
of obfuscated snippet (http://ggg.net/opq.js) will be in-
invoked without emulating the events. By doing so, J-F ORCE is
jected into the DOM tree and executed. (4) As a result, another
able to reach and expose malicious logic that can only be triggered
dynamic script is created and injected (d.appendChild(k)).
by a particular combination of events and inputs. Moreover, J-
(5) The injected code uses a cloaking method to hide the mali-
F ORCE is dynamic analysis. Hence, it can handle obfuscations and
cious payload: It first checks if the client browser can be the tar-
disclose concrete function parameter values, which could further
get (navigator.userAgent and msie). The hidden code is
reveal malware behaviors (e.g., identifying eval content).
executed only if the check result (browser) is true.
Existing Approaches. As two pieces of JavaScript (abc.js and
opq.js) in the chain are obfuscated, static analysis based detec- 3. DESIGN OF J-FORCE
tion mechanisms [14, 9, 28, 11] may have difficulties in under- In this section, we present the details of J-F ORCE. We first
standing the real semantics and thus are ineffective to handle such discuss the J-F ORCE execution model. Then we describe how J-
cases. Discovering the execution path that can reveal the final ex- F ORCE explores multiple execution paths.
ploit payload using dynamic approaches is also difficult. Particu-
larly, it requires invocations of event handlers and proper environ- 3.1 J-Force Execution Model
ment settings (e.g. IE browser), which are conditions not easily The execution model of J-F ORCE is designed based on the de-
met in general. Symbolic and concolic execution techniques [32, fault page rendering model.
31, 33] can be used to explore multiple feasible paths. However,
2
3.1.1 Per-block Exploration
CVE-2015-3090, CVE-2015-3105, CVE-2015-5122, CVE-2015-1671, CVE-2015-
5119, CVE-2015-5560, CVE-2015-7645, CVE-2015-8651, CVE-2015-8446, CVE- The default page rendering order drives the execution of J-F ORCE.
2016-1019, CVE-2016-1001, CVE-2016-0189, CVE-2016-0034, CVE-2016-4117 Once a <script> block is evaluated, J-F ORCE starts exploring
Table 1: The comparison of the approaches for JavaScript malware detection.
Obfuscation Path Explora- State Explo- Events Exceptions
Name Category Target Scope
Resilient tion Support sion Free Covered Covered
WebEval [18] Static & Dynamic Analysis X 7 X 7 7
Expector [37] Dyanamic Analysis X 7 X X 7 Chrome Extension
Hulk [20] Static & Dynamic Analysis X 7 X X 7
Revolver [21] Static & Dynamic Analysis X 7 X 7 7
JSAND [13] Dynamic Analysis X 7 X 7 7
Nozzle [27] Dynamic Analysis X 7 X 7 7 Generic
Zozzle [14] Static Analysis 7 7 N/A 7 7
Rozzle [22] Dynamic (Symbolic Value) X X 7 7 7
J-F ORCE Forced Execution X X X X X Generic

1. function __necdel()
all other possible paths within the block. In particular, when J- 2. {
F ORCE reaches the exit of the block, it goes back and explores 3. var script = document.createElement("script");
4. //...
another unvisited path. Consider the example in Fig. 3. J-F ORCE 5. script.src = "http: //xxx.xxxxxxx.net/";
6. var protocol = ("https:" == document.location.protocol: "http://");
explores the two paths in lines 1-12 before exploring the paths in 7.
the next <script> block in 14-18. 8. var head = document.getElementsByTagName("head")[0];
9. if ((protocol === "http://") && head)
An alternative is to consider all code blocks as one giant block 10. head.appendChild(script);
and explore paths in the “merged” block. However, it can hardly 11. }
12. window.addEventListener("mouseover", __necdel, false);
scale because the total number of paths to be explored is the product
of the path numbers in every individual block, whereas in the per- Figure 4: Code injection upon “mouseover” event.
block strategy it is the sum of the number of paths in every block.
Please note that an external JS script is essentially a single code
set of handlers can only be triggered by user and timer events. In
block and hence can be explored in a similar way.
our experience, JS malware extensively leverages event handling
mechanism to lay out the attack agenda. Fig. 4 shows a simplified
3.1.2 Handling Inter-Block Dependencies step in the malware delivery chain. __necdel() is registered as
One challenge brought by the per-block design is how to con- an event handler of mouseover event. The script for the next
sider the dependences across code blocks. For example, in Fig. 3, a step will not be injected unless the event is triggered. Indeed, we
same button is set with different texts (Remove and Skip) along observed many malicious payloads only get triggered by a series
different paths in lines 2-11. Without storing states along different carefully organized user or timer events to escape from being de-
execution paths, our analysis may miss critical states that may lead tected by honey-client systems or other automatic detection tools.
to malicious behavior. For instance, if we explore the path 7-9 af- Therefore, exploring event handlers is critical.
ter 2-5. “Remove” will be overwritten by “Skip” and becomes J-F ORCE remembers functions registered as event handlers and
invisible to blocks afterwards. forces them to be executed. In particular, after the exploration of
While exploring paths globally is the ideal solution, it is unscal- the current code block, handlers that are registered during explo-
able and impractical. Instead, we develop the following technique ration are executed, without requiring the triggering events. The
based on the observation that most inter-block dependences are individual handlers are considered as code blocks that are explored
caused by DOM objects. Since it is valid to have multiple ele- separately. To the best of our knowledge, most existing honey-
ments with the same name or id on the DOM tree, J-F ORCE allows client systems and JS symbolic execution engines (e.g, [31]) do not
any DOM injections along any paths. Also, J-F ORCE intercepts emulate events. Hence, they cannot reveal sophisticated handler-
relevant DOM APIs (e.g. getElementById) and injects choice related behaviors.
points, which are conceptually equivalent to switch-case state-
ments. So, each execution returns a DOM element (with the same 3.1.4 Handling Asynchronous Execution
id or name) until all such elements are explored. For example, in Currently, J-F ORCE does not focus on exposing race conditions
Fig. 3, both buttons will be appended to the DOM tree. It fur- caused by asynchronizations [29, 38]. In fact, most JS races are
ther inserts a choice point at line 15. As a result, totally 8 paths transient [24]. In our experience, we have not observed any real-
are explored in the second block, where 4 are corresponding to the world malicious attacks leveraging race conditions due to its non-
“Remove” button and the remaining 4 are for the “Skip” button. deterministic and unreliable nature.
In theory, dependencies caused by global variables are handled in J-F ORCE respects browser’s decision on which block runs first.
the same way. However, it is very expensive to do so for all global Note that JavaScript execution is single threaded and the execution
variables. Given our focuses are stealthy behaviors that are usu- of a code block cannot be interrupted. J-F ORCE only steps in when
ally based on string operations, we selectively support global string a block is being evaluated for the purpose of per-block code explo-
variables. Furthermore, J-F ORCE also overwrites container inter- ration.
faces (e.g., hashmap) to support inserting multiple strings with the
same key to a global container. String attributes of DOM objects 3.1.5 Handling Dynamic Code Evaluation
are handled similarly, where choice points are injected to access the JavaScript is highly dynamic. Malicious JS snippets can be dy-
different versions. namically created from strings. For example, a common practice is
to create a <script> element, specify its source and attach it to
3.1.3 Handling Event Handlers the DOM tree. eval() is another way to run dynamic code.
Some event handlers, such as onload, are automatically executed J-F ORCE admits all code injections found along different paths
when the corresponding DOM objects are loaded or created. The during the path exploration. Consequently, they will be explored
exploration is driven by the rendering procedure. However, another like other code on the DOM tree. Some code snippets may be added
1. obj = new XMLHttpRequest(); // D1 Line # Defines
to DOM elements that have already been rendered and explored by 2. //... 1 D1
3. if (cond)
J-F ORCE. For such cases, J-F ORCE restarts the rendering proce- 4. obj = null; // D2
2 D1
D1
3
dure but only explores the uncovered injected snippets. 5. if (obj == null) 4 D2
6. return; 5 D1 | D2
For code dynamically evaluated by functions like eval, J-F ORCE 7. obj.send(); 6 D1 | D2
explores the code snippet concealed in the function parameter, as a 7 D1 | D2

part of the parent code block exploration. Note that J-F ORCE pro- Execution #1 Execution #2 Value (obj)
vides versioning support for strings so that different but concrete 1. obj := XMLHttpRequest 1. obj := XMLHttpRequest 1. XMLHttpRequest
2. ---- 2. ---- 2. XMLHttpRequest
parameter values produced by previous logic will be explored. 3. (taken) 3. (taken) 3. XMLHttpRequest
4. obj := null 4. obj := null 4. null
5. (taken) 5. (untaken) 5. null
3.2 Path Exploration 6. return 6. ---- 6. null
7. ---- 7. obj.send (crash!) 7. null
J-F ORCE explores different paths in multiple runs. In each run,
Figure 5: Handling crashes caused by missing objects.
it looks for opportunities where mutating a predicate leads to un-
explored instructions. Once found, it forces the execution to cover plored instructions. At line 16, J-F ORCE starts the execution with
them in future iterations. It repeats this procedure until all instruc- no forced execution scheme and just runs the whole program nor-
tions are covered. We designed two exploration strategies depend- mally. The purpose of this step is to obtain a list of predicates on
ing on the needs. one path. Then, J-F ORCE can develop a new scheme by mutating
• L-path executes each instruction at least once with linear a predicate at line 22 to execute uncovered instructions (line 21).
time complexity. Exploring all distinct paths is not its prior- The driver repeats this until the worklist is empty, meaning that
ity. For JS malware analysis, this strategy is sufficient in most no further opportunities can be discovered. Although the explo-
cases as malicious behaviors are usually hidden in blocks. ration algorithm stems from L-path strategy, E-path takes the same
• E-path aims at exploring all possible execution paths with phase except at line 21. Particularly, at the given branch, instead of
exponential time complexity. We observed that only a few checking if its feasible targets are disclosed, E-path makes sure the
advanced malware examples requires the E-path strategy. branch is followed along with two different targets.

Algorithm 1 Path Exploration.
Input: I: JavaScript instructions in a program
4. CRASH-FREE FORCED EXECUTION
// σ is a list of forced predicates. A predicate p is represented as a tuple As J-F ORCE ignores path conditions, a program may execute
// (psrc , pdst ) that specifies the source src and forced target dst along an infeasible path and crash. In this section, we describe the
1: function F ORCED E XEC(σ) challenges and our solutions to avoid crashing.
2: σe ← [ ] // σe is a list of executed predicates
3: p ← P OP _ FRONT( σ )
4: for each i in I do 4.1 Missing Object
5: if i is a condition branch instruction then Fig. 5 shows a typical example of the crashes caused by missing
6: if isrc ≡ psrc then // isrc : source address of i
7: idst ← pdst // specify the instruction to be executed objects. At line 1, variable obj is initialized to an Ajax object.
8: p ← P OP _ FRONT( σ ) Suppose the true branches of the two predicates (line 3 and 5) are
9: else taken in the first run. Since line 7 is not explored, in the second run,
10: E ← E ∪ {idst }
11: σe ← σe · (isrc , idst )
the predicate at line 5 is mutated. However, as obj has been set to
12: Execute the instruction i null at line 4, the program will crash at line 7.
13: return σe To handle this, when resolving an object accessed, J-F ORCE first
14: function PATH E XPLORATION( ) identifies a set of candidates, which can be collected using an ex-
15: E ← {} // explored instructions isting data flow analysis. In addition, candidates without correct
16: W ← {F ORCED E XEC (nil)} // initial execution. W : worklist properties and types are filtered out. As shown in the defines table
17: while W 6= ∅ do
18: σ 0 ← P OP(W ) in Fig. 5, at line 7, D1 and D2 are possible objects to be accessed.
19: σt ← nil However, only D1 has the correct field send. Therefore, J-F ORCE
20: for each p in σ 0 do selects D1 and continues the forced execution.
21: if H AS A NY U NEXPLORED TARGET (E, p) then
22: σt0 ← σt · S WITCHING TARGET(p)
23: W ← W ∪ {F ORCED E XEC(σt0 )} 4.2 Handling Missing DOM Elements
24: else Another common kind of crashes in forced execution is caused
25: σt ← σt · p
by missing DOM elements. Our strategy is to create and insert
the missing ones to the DOM tree on demand. Note that simply
Algorithm 1 shows the details of the path exploration approach. creating a new DOM element on each access without appending it
Function F ORCED E XEC explains how to drive the execution to a to the right place will not work in practice. If multiple accesses to
desired branch. In particular, it takes a forced execution schema a same element yield different newly created objects, the program
σ as the input. σ is a list of tuple (psrc , pdst ), where psrc is the semantics will be violated. However, as DOM elements can be
address of a predicate p and pdst is the forced target. Intuitively, it selected in various ways (e.g., by id, XPath, etc.), the challenge lies
specifies the next step (pdst ) when J-F ORCE sees p. The logic of in how to put the new elements in the right place.
forced execution is specified in the loop starting at line 4 interpreted If the selection is by element id, name, tag and class, the solution
by JS engine. If a rerouting schema is provided for the current is straightforward. Particularly, as shown in Algorithm 2, if the el-
branching instruction i (line 6), J-F ORCE forces the execution to ement returned by the original selector is invalid (line 4), J-F ORCE
take the branch specified in the scheme at line 7. Otherwise, the creates a new one and inserts it to the children list of the current
instruction will be executed normally. element (line 8-9).
Function PATH E XPLORATION is the top-level driver. It main- Handling XPath selectors is more challenging. An XPath may be
tains a worklist W, which is a set of forced execution schemes. E fully specified (e.g., “/A/B/C” means C is an immediate child of
is a set of covered instructions. J-F ORCE uses it to discover unex- B and B is a child of A) or partially specified (e.g., “/A//C” means
1. if (window.attachEvent) { 1. if (...) {
2. window.attachEvent("onload", window["load" + initialize]); // ... 2. var script = document.createElement("script");
3. } else { 3. script.src = "http://.../a.js";
4. window.addEventListener("load", initialize, false); // ... 4. document.body.appendChild(script);
5. } 5. } else {
6. window.location = "http://.../b.html"; /* page redirection */
Figure 6: Browser-compatibility exception in forced execution. 7. }

Figure 7: An example of page redirections.
all C objects with an ancestor A). An XPath may also contain wild-
cards to select all elements satisfying the filtering conditions (e.g.,
“/A[@exchange]” selects A with attribute exchange). In a To avoid terminations due to such exceptions, J-F ORCE captures
forced run, an XPath selector may be partially broken due to miss- all unhandled exceptions using a top-level exception handler in the
ing elements. Consider selector “p · s”. The prefix p correctly global scope and resumes the interrupted execution from the near-
locate a DOM element. However, the suffix s fails because there est legacy function by unwinding the stack. In addition, to preserve
is no such elements. To handle this issue, J-F ORCE identifies the the semantics of the exception triggering statement, J-F ORCE in-
longest p that can locate a valid element o, creates element(s) cor- cludes a set of selective legacy APIs, which will be invoked based
responding to s and make them a subtree of o. on the context. For instance, in Fig. 6, the attachEvent is redi-
Function PathRecognizer() in Algorithm 2 describes the rected to the addEventListener so that the original program
procedure. Particularly, at line 13, an XPath p is split by delimiters semantics are preserved. Algorithm 3 explains the details:
(i.e., ‘/’ and ‘//’). Each delimited segment τ contains three parts: (a) Exceptions that can be handled by the original program: J-
(1) the delimiter τp (“”, “/” or “//”); (2) the id τe (e.g., A), and F ORCE remembers the triggering location (line 3) and then
(3) the filter τa (e.g., [@exchange]). explores the corresponding catch block. The code after the
If τp is “//”, GetOffSpring is invoked to identify the off- triggering point will be covered in a later iteration.
springs of the current object θ that matches τe and τa (line 22). (b) Uncaught exceptions due to missing handlers: They will be
Otherwise, GetChildren is called to get the direct children of taken care of by the top-level handler inserted by J-F ORCE
the current object that matches τe and τa (line 16). If no element is (lines 6,7-12).
found (line 19), a new element corresponding to τe and τa is cre- (c) Exception handlers present but no exception was triggered
ated as a child of θ (line 20). The above procedure continues until in one run. In our experience, a catch block is a high-
the original selector becomes valid. value target for exploration, as malware authors often place
An important design choice made is that the elements created their malicious code here for cloaking [22, 21]. These han-
during one (forced) run are retained for later executions. This avoids dlers hence should be explored regardless the exception oc-
creating duplicated elements in multiple executions and the DOM currences: J-F ORCE employs the same strategy for (a). J-
tree grows monotonically. In practice, we found the size of a DOM F ORCE remembers the block entry point and explores it later.
tree usually increases slowly and gradually becomes stable.
Algorithm 3 Exception Handling.
Algorithm 2 Handle missing DOM elements. 1: function E XCEPTION O CCURENCE(σ)
Input: σ ∈ {id, name, nametag , nameclass , XPath} 2: if I S C OUGHT (σ) then
1: function C HECK A ND I NSERTION(σ) 3: S AVE E XCEPTION L OC (σ)
2: E ← G ET E LEMENTS (σ) 4: return // Allow to run catch block
3: τ ← G ET C URRNET O BJECT () 5: else
4: if ¬ I S VALID (E) then 6: return T OP L EVEL H ANDLER (σ)
5: if σ ∈ XPath then
7: function T OP L EVEL H ANDLER(σ)
6: return PATH R ECOGNIZER (σ)
8: t ← F IND L EGACY F UNC (σ)
7: else
9: if I S VALID (t) then
8: τ .I NSERT (C REATE E LEMENT (σ))
10: return C ALL (t)
9: E ← G ET E LEMENTS (σ)
11: else
10: return E 12: return and allow to run the following.
11: function PATH R ECOGNIZER(p)
12: θ ← the current node
13: p0 ← PARTITION B Y D ELIMITER (p)
14: for each segment (τp , τe , τa ) in p0 do //τp :delimiter, τe :identifier, τa :filter 4.4 Page Redirection
15: if τp ≡ “//” then
16: E ← θ.G ET O FFSPRINGS (τe , τa ) Page redirections are commonly used to send visitors to a new
17: else /*τp ≡ ‘/’ ∨ τp is empty*/ destination by setting the location attribute of the window ob-
18: E ← θ.G ET C HILDREN (τe , τa ) ject in JavaScript. A page redirection cancels the current page
19: if ¬ I S VALID (E) then
20: θ.I NSERT (C REATE E LEMENT (τe , τa ))
rendering procedure (including the JavaScript execution and re-
21: E ← θ.G ET C HILDREN (τe , τa ) source downloading) and hence interrupts J-F ORCE’s code explo-
22: θ←E ration strategy (J-F ORCE explores paths in multiple runs).
23: return E Fig. 7 shows an example. The true branch of the if state-
ment injects a new <script> element while the else branch
redirects visitors to b.html. Consider the following forced exe-
4.3 Handling Exception cution. In the 1st run, the true branch is covered and a new piece
Being able to recover from crashes caused by exceptions is one of JavaScript in a.js will be downloaded and executed (lines 2-
of the most important features of J-F ORCE for robustness. As the 4). (a.js). As explained in the forced execution model, J-F ORCE
program may be forced to run on an infeasible path, various excep- explores the current code block before processing the next block.
tions may occur. For example, Fig. 6 shows a common practice to Hence, in the next iteration, it explores the else branch before ex-
make the program compatible with different browsers. J-F ORCE ecuting a.js. However, since the page redirection happens at line
will execute line 2 without considering its predicate and thus trig- 6, the forced execution will be interrupted so that a.js will not be
gers an exception. Since the corresponding handler is absent, the explored. In fact, if there are other uncovered paths/blocks in the
forced execution will be interrupted and terminated. same page, they will not be explored due to the page redirection.
# of # of samples whose obfuscations / evasions can be handled
Our solution is to load the target page in a separate frame so that Exploit Kits
samples Native run Rozzle [22] WebEval [18] J-F ORCE
J-F ORCE can continue exploring the current page. Since frames Angler 10 2/1 7/6 3/3 10 / 10
are isolated from each other, the effect of loading the destination RIG 10 5/0 7/2 5/0 10 / 10
page in a frame is functionally equivalent to a page redirection. In Nuclear 10 3/0 6/2 3/1 10 / 7
Magnitude 10 6/2 10 / 6 6/4 10 / 10
this particular example, J-F ORCE loads b.html in an iframe
SweetOrange 10 2/0 8/4 4/4 10 / 6
and thus is able to explore the behaviors in a.js.
Table 2: Comparing detection techniques on EKs.
4.5 Infinite Loop and Recursion
J-F ORCE may suffer from infinite loops or endless recursions # of Ad-injecting # of Info. leakage
because it ignores the loop and recursion conditions. To handle Total Ajax Script Injection Total Ajax Script Injection
this issue, we set an upper bound on the number of times a loop or Hulk [20] 195 29 166 14 9 5
Expector [37] 187 28 159 9 6 3
a recursive function can be invoked. For loops, J-F ORCE monitors WebEval [18] 158 15 143 8 5 3
the loop executions and makes sure that they do not go beyond J-F ORCE 322 45 277 30 21 9
the threshold. Otherwise, J-F ORCE forces the execution to skip the
loop. Similarly, for recursions, we use a threshold to limit recursion Table 3: The analysis result of 12,132 Chrome extensions.
depth. We make sure that whenever new stack frame is created, the
stack depth is smaller than the threshold.
number of the samples can be handled by each tool, in terms of ob-
fuscation handled and evasion passed. Since we know the ground
5. EVALUATION truth about deobfuscation, counting successful de-obfuscations is
J-F ORCE is implemented atop WebKit-r171233 with GTK+ port. straightforward. For evasions, if the exploitation entry point (e.g.
Our evaluation consists of two experiments. The first one is a sys- <object>) is reached, we say the evasion is detected.
tematic study on 50 EK samples and 12, 132 Chrome extensions The results show that J-F ORCE is able to handle more obfusca-
to see if J-F ORCE is able to detect (malicious) behaviors covered tions and evasions than others, hence can expose more hidden ma-
by sophisticated cloaking and obfuscation techniques. Also, since licious behaviors in EK attacks. In particular, J-F ORCE is signifi-
being able to explore more code is important, in the second exper- cantly effective in detecting evasions. While J-F ORCE outperforms
iment, we further quantify J-F ORCE’s performance by measuring other techniques, it misses a few evasions in Nuclear and SweetOr-
the coverage and the overhead on 100 real-world JavaScript pro- ange. We manually inspected these cases and found that they use
grams. All experiments are performed on a machine with an Intel Visual Basic (VB) scripts which are not currently supported by J-
Core i7 3.40 GHz CPU and 12 GB RAM running Ubuntu 14.04 F ORCE. However, our design is general and can be implemented
LTS. on VB scripts too.

5.1 Detecting Suspicious Hidden Behaviors 5.1.2 Detecting Ads Injections in Chrome Extensions
Browser extensions are commonly used nowadays to enhance
5.1.1 Detecting Obfuscations and Evasions in EKs user experience and thus becoming a target of adversaries. Several
We have collected 50 EK samples from various sources [1, 2], recent work [20, 18, 37] have been proposed to analyze extensions.
and classified them based on the underlying EKs, namely Angler, In this section, we show how J-F ORCE can effectively disclose sus-
RIG, Nuclear, Magnitude, SweetOrange. Although different, we picious behaviors in Chrome extensions.
observed they all share similar mechanisms listed as follows: We crawled and obtained 12,132 extensions from Chrome Web
• Obfuscation. Obfuscation conceals program functionalities Store [5] in July 2016. The analysis is done offline. As the JavaScript
using string operations to make detecting malware challeng- APIs used in extensions are slightly different from those in web
ing. In EK, obfuscation technique is used more than once applications, we enhance J-F ORCE to support such Chrome APIs
throughout multiple layers of code injection. (e.g., chrome.browserAction.onClicked). In this exper-
• Evasion. To minimize the possibility of being caught (e.g., iment, we are particularly interested in detecting ad-injections and
by honey-pot based approaches), EK only invokes the ma- information leaks. We also compare with recent work on Chrome
licious logic when it satisfies certain conditions. Specifi- extension analysis [20, 18, 37].
cally, EK usually scans visitors’ system (e.g. the signatures Table 3 summarizes the experiment results. J-F ORCE detected
of browsers, extensions, etc.) before moving on to the next 322 extensions that inject advertisement, where 277 deliver ad con-
stage. An example is shown in Fig. 1 in Sec. 2. tents using script injections and the remaining ones bring in ads via
• Exploiting Vulnerabilities. EK is designed to exploit partic- Ajax. Comparing to other techniques, J-F ORCE is able to find 195
ular vulnerabilities in browsers or add-ons by hijacking the more ad-injecting extensions, which confirms its effectiveness of
control flow and elevating permissions. The typical targets of handling cloaking and fingerprinting techniques. In addition, J-
such exploitation are Adobe Flash, MS Silverlight and Java F ORCE detected 30 extensions that send out sensitive information
runtime as well as browsers themselves. such as passwords and cookies via Ajax, while other techniques
• Payload Delivery. As the last step, a malicious binary is can detect at most 14 of them.
downloaded and executed without user’s consent. Ransomware [7] Table 4 presents the statistics of the Chrome extension execution
and click fraud [6] are two common examples. analysis. We report the minimum, average and maximum number
As J-F ORCE focuses on detecting malicious JavaScript behav- of JavaScript IR instructions, script injections, Ajax requests, eval
iors, only the JavaScript parts (obfuscation and evasion) are function invocations, event handlers and page redirections observed
included for evaluation. Analyzing non-JavaScript code, such as in exploring one extension. The results show that J-F ORCE can
exploiting vulnerabilities in the web browser or plug-ins, is beyond exercise more instructions and discover more behaviors than the
the scope of this paper. The results of experiments on 50 EK sam- native run. We also report the number of runs required by J-F ORCE
ples (10 for each EK type) are presented in Table 2. It shows the to cover all instructions (using the L-path search strategy explained
JavaScript IR Script Injections Ajax Eval Event Handlers Redirections Handled Crashes # of Runs
avg min max avg min max avg min max avg min max avg min max avg min max avg min max avg min max
J-F ORCE 1, 478 10 31, 248 0.71 0 28 0.21 0 5 0.27 0 10 1.57 0 19 0.15 0 5 2.74 0 117 11.32 1 609
Native run 406 10 14, 151 0.46 0 13 0.03 0 2 0.15 0 8 0.85 0 12 0.02 0 2 N/A N/A

Table 4: The statistics of Chrome extensions analysis

in Sec. 3.2). We show the number of potential crashes caused by ternal script included at line 1 must be blocked by an adblocker,
the forced execution. We observed 2.74 crashes per extension on which is highly dependent on the execution environment. If the
average and they are mostly caused by missing objects and DOM adblocker has not been configured correctly or the URL of the ex-
elements. All of them are handled correctly using the approach ternal resource is not on the blacklist anymore, dynamic analysis
discussed in Sec. 4. cannot unveil the stealthy operations either.
By contrast, J-F ORCE decouples the dependencies on the en-
5.1.3 Case Study - Anti-adblocker vironment and hence allows us to effectively and deterministically
Unlike traditional programs, web applications have various ex- observe unusual behaviors. On the left hand side of Fig. 8, we com-
ternal dependences. For example, they can navigate the execution pare the control flow graphs that highlight the differences between
depending on browsers environment settings. They can download J-F ORCE and dynamic analysis based approaches. J-F ORCE is able
and load different external JavaScript on the fly from third parties to explore both paths while the dynamic analysis only covers one
during executions. Therefore, although it is possible mutating in- path. As such, J-F ORCE is able to discover the real ads contents by
put values may change the execution paths, in general, it is highly forced execution without requiring complicated system settings to
nontrivial or even infeasible for an automatic exploration tool to actually trigger the logic in traditional dynamic approaches.
satisfy the triggering conditions of the execution environment and More importantly, through J-F ORCE, we can uncover the actual
third party scripts. In this case study, we showcase a real-world values of function parameters (the right side of Fig. 8) and track
anti-adblocker [4] to demonstrate how J-F ORCE bypasses sophisti- the origin of suspicious values. With such capabilities (especially
cated predicates and thus can be helpful for understanding stealthy the hidden contents that can only be obtained dynamically), it is
program behaviors. straightforward to conclude the ads are included in the image file.
Ad-blocker (e.g., [3]) is a piece of software that allows clients to
roam the web without encountering any Ads. In particular, it uti- 5.2 Efficiency
lizes network control and in-page manipulation to help users block As described in Sec. 3.2, J-F ORCE can be configured to im-
advertisements loaded from ad-network. As many content publish- prove coverage on instructions (the L-path strategy) or paths (the
ers make their primary legitimate income from Ads, there are grow- E-path strategy). To measure its efficiency, we extracted 100 exam-
ing demands for delivering ads even the ad-blockers are running in ples (from Alexa.com) and evaluate J-F ORCE on these real-world
client browsers. As a result, anti-adblockers have been developed JavaScript programs. We compare J-F ORCE with Jalangi, a con-
and deployed by publishers on their websites. Anti-adblockers are colic JavaScript execution engine [32], which is one of the closest
usually scripts delivered by publishers to detect if adblockers are alternate approaches available at present.
enabled in the client browsers. Once found, it either hides the con- Fig. 9 presents the code coverage comparison results. The num-
tent or delivers the ads by circumventing the ads filters. ber of branches of the benchmarks varies from 109 to 1, 200. In
Fig. 8 presents a simplified version of a popular anti-adblocker Fig.9, the JavaScript benchmarks on the X-axis are sorted by the
BlockAdblock [4], where the arrows denote important call edges. It branch count in ascending order. The result shows that, on aver-
first detects if an adblocker is enabled on the client-side and loads age, J-F ORCE is able to cover 95% of the code (the same result
the real ads contents that are delivered as an image. In particular, for both exploration strategies), which is significantly more than
line 1 includes an external script (“advertising.js”). If it can be Jalangi (less than 68%). We found that the main reason for the im-
successfully loaded, variable __haz will be set to false. If an provement is that the concolic execution based approach does not
adblocker presents, the script will not be blocked and the value of explore the code in event and timer handlers. In addition, Jalangi
__haz remains undefined. Therefore, BlockAdblock can tell if often fails to handle complex arithmetic operations such as division
an adblocker is running by checking the value of __haz. At line 4, and modulo. By contrast, J-F ORCE does not suffer from such lim-
it invokes function __ac() and defines the function to be invoked itation and is able to expand its analysis scope to event and excep-
for the next step. Depending on the presence of an adblocker, it will tion handlers. Besides, J-F ORCE does not miss conditional blocks
invoke a function (defined in lines 13-23) or do nothing. In function as our exploration technique is designed to cover both branches by
__dec, it loads an image, where its URL is specified at line 3 and switching branch outcomes. We also manually inspect the scenar-
further transformed at line 4. Interestingly, instead of displaying the ios where J-F ORCE fails to cover all instructions. We found that
image, it uses this image as a circumvention of ad-blocking rules this is mainly due to coding errors in the sample JavaScript pro-
and loads the raw data of the images. At line 21, function __cb grams.
is invoked, which creates a div element and displays the HTML Beside the coverage, we also measure the runtime performance
hidden in the image at line 27. of J-F ORCE. Fig. 10 summarizes the comparison result of the over-
It is highly nontrivial for static analysis based approaches to pre- heads collected during the coverage test. For each approach, the
cisely analyze such complicated call relations, as it requires ad- overhead is normalized to the native run. The result shows that the
vanced alias and string analysis (e.g., the operations in line 4 and overhead of J-F ORCE is 2-8x (2-300x for E-path) whereas Jalangi
20). More importantly, as the ads contents are actually hidden in has much higher overhead 10-10, 000x. Observe that such a differ-
an image, they may not even be in the analysis scope. As a result, it ence is caused by the fact that concolic execution based approaches
is very unlikely that the static analysis can handle such cases. An- may not scale well with the number of branches, showing expo-
other option is to actually run the program. However, one important nentially increasing overhead. Particularly, generating and solving
triggering condition of the secret loading procedure is that the ex- path constraints is more expensive than mutating branch outcomes.
J-Force 1 <script src=“http://.../advertising.js” ..></script> // “var __haz = false;”
2 ... 24 __cb = function (s) {
if (typeof …) 25 …
3 __durl = ‘//.../hallon-p12065a-:r:.gif’;
4 __ac(function(){ __dec(__durl.replace(“:r:”, __s(5, 12)), __cb); 26 _new = d.createElement(‘div’);
return f(); 5 }); 27 _new.innerHTML = s.html;
… 28 k.insertBefore(_new, k);
… 6 function __ac(f) { 13 function __dec(src, callback) { 29 …
7 … 14 i = new Image();
8 if (typeof __haz === ‘undefined’) 15 i.onload = function() {
Native 9 return f(); 16 …
exec 10 ... 17 t.drawImage(i, 0, 0); J-Force
if (typeof …)
11 return; 18 b = __p24(t.getImageData(...).data);
19 for (...) callback(s)
12 }
return f(); 20 if (b[x]) s+= str.fromCharCode(b[x]); s: “..html: <div class=\fram
\></div>\n<divclass=\k3rwp
21 callback(s);
j9jwhynv\>\n<div class=\gb
… 22 } qfwapg\>\n<span class=\g
23 i.src = src; bqfwaabemdey ….</div>”

Figure 8: Analyzing Anti-Adblocker using J-F ORCE.

100
support dynamic nature and scale to real-world applications built
J-Force Native atop various JavaScript frameworks.
80 Concolic
Coverage (%)

JavaScript Malware. EVILSEED [17] leverages characteristics of
60
known malicious web pages to discover other likely malicious web
100
40 pages including JavaScript. Revolver [21] aims to find JavaScript
J-Force Native
2080 Concolic malware based on code similarity. In particular, it tries to classify
Coverage (%)

060
evasive malware by comparing with a large amount of JavaScript
0 20 40 60 80 100
40 JS files
collected in advance. It heavily resorts to the result of pre-classification
by oracle, and may not be robust against newly crafted malware
200020
Figure 9: Coverage
Concolic of J-F ORCE in comparison with native run (e.g., zero-day exploit). MineSpider [34] extracts URLs from JS
J-Force(L-path)
Overhead (times)

and concolic
0
1500 0
execution.
20
J-Force(E-path) 40 60 80 100 snippets equipped with evasion techniques that performs drive-by
JS files
download attacks. It collects execution paths relevant to redirec-
1000
2000
Concolic tions using program slicing methods. While it is useful to track
J-Force(L-path)
page redirections, it is not able to handle the dynamic remote code
Overhead (times)

500
1500 J-Force(E-path)
injection using iframe or simple <script> tag. Lekies et al. [23]
0
1000 show attack methods enabled by the object scoping and dynamic
0 20 40 60 80 100
JS files nature of JavaScript. They investigate a set of high-ranked do-
500
mains and verify that those are vulnerable to Cross-Site Script In-
0
0 20 40 60 80 100
clusion(XSSI) attacks. ScriptInspector [39] examines third-party
JS files script injection to restrict accesses to critical resources. This is
Figure 10: Performance overhead of J-F ORCE in comparison achieved by allowing site administrators to establish their own se-
with concolic execution. curity policies. WebCapsule [25] records and replays web contents
executions for forensic analysis. It records and all non-deterministic
inputs to the core web rendering engine including user interactions.
6. RELATED WORK RAIL [12] can verify security patches of web applications by rerun-
Multiple Path Execution. The concept of forced execution was ning patched web applications with previous buggy inducing inputs
employed in previous researches [26, 15, 36, 19]. Although the such as exploits. The system can tolerate state divergences caused
concept has been applied in various domains, such as native binary by the patches. Unlike the record and replay approaches, J-Force
programs [26], mobile apps [15, 19], and identifying kernel rootk- explores all possible paths to reveal evasive malicious logics which
its [36], our work is the first to propose the forced execution en- are difficult to expose.
gine for JavaScript to the best of our knowledge. Furthermore, the Browser Extensions. Hulk [20] analyzes Chrome browser exten-
challenges that J-F ORCE solves, such as handling missing object- sions and detects malicious (or suspicious) behaviors, such as ad-
s/DOM, handling event/exception handlers and more (Sec. 4) are injecting and information leak. Expector [37] tries to figure out
unique to JavaScript and are not proposed (or solved) by previous the correlation between malvertising and plug-ins. It shows that,
work. Rozzle [22] also places emphasis on analyzing self-revealing in a condition where a specific extension is working, malvertising
program behaviors. It explores multiple execution paths with sin- is more likely to appear. WebEval [18] inspects Chrome exten-
gle execution. However, it is done via a different approach which sions upon the combination of static and dynamic analysis. In order
is based on symbolic values. More importantly, they have limited to trigger malicious activities, it sets up simulations by recording
support for program faults and exceptions handling. By contrast, complex interactions between web pages and network events. Ob-
our tool can explore all feasible paths without being interrupted by serve that though such techniques have their own way to increase
exceptions. Symbolic (or concolic) execution has been applied to coverage and unveil hidden malicious actions, it would not be suf-
analyze JavaScript based Web applications [32, 31, 33]. Due to ficient to induce all possible behaviors.
the limitations in underlying constraint solvers, it is challenging to
7. DISCUSSION applications with retroactive auditing. In OSDI, pages
As our solution aims to expose malware hidden under a certain 555–569, 2014.
program path, detecting data driven attacks is still challenging. Al- [13] M. Cova, C. Kruegel, and G. Vigna. Detection and analysis
though diverting control flow by the forced execution occasionally of drive-by-download attacks and malicious javascript code.
breaks the program semantics, due to the stealthy pattern and con- In Proceedings of the 19th international conference on World
ditional nature of the hidden code, we are confident that J-F ORCE wide web, pages 281–290. ACM, 2010.
is able to disclose most of evasive malware in the wild. Since J- [14] C. Curtsinger, B. Livshits, B. G. Zorn, and C. Seifert. Zozzle:
F ORCE is currently designed to detect client-side JavaScript mal- Fast and precise in-browser javascript malware detection. In
ware, handling cloaking schemes in the server-side scripts (e.g. USENIX Security Symposium, pages 33–48, 2011.
SQL, PHP, etc. [30]) is beyond the scope of this paper. [15] Z. Deng, B. Saltaformaggio, X. Zhang, and D. Xu. iris:
Vetting private api abuse in ios applications. In Proceedings
8. CONCLUSION of the 22nd ACM SIGSAC Conference on Computer and
Communications Security, pages 44–56. ACM, 2015.
In this paper, we proposed J-F ORCE, a forced execution engine
for JavaScript to expose hidden and even malicious program behav- [16] L. Gong, M. Pradel, M. Sridharan, and K. Sen. Dlint:
iors. J-F ORCE explores all possible execution paths by mutating Dynamically checking bad coding practices in javascript. In
the outcomes of branch predicates. We solved multiple technical Proceedings of the 2015 International Symposium on
challenges and make J-F ORCE a practical, robust and crash-free Software Testing and Analysis, pages 94–105. ACM, 2015.
tool. We validate the efficacy of J-F ORCE through an extensive set [17] L. Invernizzi and P. M. Comparetti. Evilseed: A guided
of experiments. J-F ORCE has been evaluated on 50 exploits of pop- approach to finding malicious web pages. In Security and
ular exploit kits and more than 12, 000 Chrome extensions. It suc- Privacy (SP), 2012 IEEE Symposium on, pages 428–442.
cessfully unveiled the hidden code in 41 exploits and detected more IEEE, 2012.
than 300 Chrome extensions injecting advertisements. The exper- [18] N. Jagpal, E. Dingle, J.-P. Gravel, P. Mavrommatis,
iments on 100 real-world JavaScript samples show that J-F ORCE N. Provos, M. A. Rajab, and K. Thomas. Trends and lessons
is able to achieve 95% code coverage and perform 2-8x better than from three years fighting malicious extensions. In 24th
existing approaches. USENIX Security Symposium (USENIX Security 15), pages
579–593, 2015.
9. ACKNOWLEDGMENTS [19] R. Johnson and A. Stavrou. Forced-path execution for
android applications on x86 platforms. In Software Security
We thank the anonymous reviewers for their constructive com- and Reliability-Companion (SERE-C), 2013 IEEE 7th
ments. This research was supported, in part, by DARPA under con- International Conference on, pages 188–197. IEEE, 2013.
tract FA8650-15-C-7562, NSF under awards 1409668, 1320444,
[20] A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna,
and 1320306, ONR under contract N000141410468, and Cisco
and V. Paxson. Hulk: Eliciting malicious behavior in browser
Systems under an unrestricted gift. Any opinions, findings, and
extensions. In Proceedings of the 23rd Usenix Security
conclusions in this paper are those of the authors only and do not
Symposium, 2014.
necessarily reflect the views of our sponsors.
[21] A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, and
G. Vigna. Revolver: An automated approach to the detection
10. REFERENCES of evasive web-based malware. In USENIX Security, pages
[1] http://malware.dontneedcoffee.com. 637–652. Citeseer, 2013.
[2] http://http://malware-traffic-analysis.net. [22] C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. Rozzle:
[3] Adblock plus. https://adblockplus.org. De-cloaking internet malware. In Security and Privacy (SP),
[4] Blockadblock. http://blockadblock.com. 2012 IEEE Symposium on, pages 443–457. IEEE, 2012.
[5] Chrome Web Store. https://chrome.google.com/webstore. [23] S. Lekies, B. Stock, M. Wentzel, and M. Johns. The
[6] Clickfraud. http://digitalmarketingmagazine.co.uk/digital- unexpected dangers of dynamic javascript. In 24th USENIX
marketing-advertising/the-crooks-willing-to-put-you-out-of- Security Symposium (USENIX Security 15), pages 723–735,
business-for-5/1740. Washington, D.C., Aug. 2015. USENIX Association.
[7] Cryptolocker: What is and how to avoid it. [24] E. Mutlu, S. Tasiran, and B. Livshits. Detecting javascript
http://www.pandasecurity.com/mediacenter/malware/cryptolocker/. races that matter. In Proceedings of the 2015 10th Joint
[8] JSHint. http://jshint.com. Meeting on Foundations of Software Engineering,
ESEC/FSE 2015, pages 381–392, New York, NY, USA,
[9] JSLint. http://www.jslint.com.
2015. ACM.
[10] Malvertising, Exploit Kits, ClickFraud & Ransomware: A
[25] C. Neasbitt, B. Li, R. Perdisci, L. Lu, K. Singh, and K. Li.
Thriving Underground Economy.
Webcapsule: Towards a lightweight forensic engine for web
https://www.zscaler.com/blogs/research/malvertising-
browsers. In Proceedings of the 22nd ACM SIGSAC
exploit-kits-clickfraud-ransomware-thriving-underground-
Conference on Computer and Communications Security,
economy.
pages 133–145. ACM, 2015.
[11] Y. Cao, X. Pan, Y. Chen, and J. Zhuge. Jshield: towards
[26] F. Peng, Z. Deng, X. Zhang, D. Xu, Z. Lin, and Z. Su.
real-time and vulnerability-based detection of polluted
X-force: Force-executing binary programs for security
drive-by download attacks. In Proceedings of the 30th
applications. In Proceedings of the 2014 USENIX Security
Annual Computer Security Applications Conference, pages
Symposium, San Diego, CA (August 2014), 2014.
466–475. ACM, 2014.
[27] P. Ratanaworabhan, V. B. Livshits, and B. G. Zorn. Nozzle:
[12] H. Chen, T. Kim, X. Wang, N. Zeldovich, and M. F.
A defense against heap-spraying code injection attacks. In
Kaashoek. Identifying information disclosure in web
USENIX Security Symposium, pages 169–186, 2009.
[28] V. Raychev, M. Vechev, and A. Krause. Predicting program drive-by download attacks. In Computer Software and
properties from big code. In ACM SIGPLAN Notices, Applications Conference (COMPSAC), 2015 IEEE 39th
volume 50, pages 111–124. ACM, 2015. Annual, volume 2, pages 444–449. IEEE, 2015.
[29] V. Raychev, M. Vechev, and M. Sridharan. Effective race [35] D. Y. Wang, S. Savage, and G. M. Voelker. Cloak and
detection for event-driven programs. In ACM SIGPLAN dagger: dynamics of web search cloaking. In Proceedings of
Notices, volume 48, pages 151–166. ACM, 2013. the 18th ACM conference on Computer and communications
[30] K. Sadalkar, R. Mohandas, and A. R. Pais. Model based security, pages 477–490. ACM, 2011.
hybrid approach to prevent sql injection attacks in php. In [36] J. Wilhelm and T.-c. Chiueh. A forced sampled execution
Security Aspects in Information Technology, pages 3–15. approach to kernel rootkit identification. In International
Springer, 2011. Workshop on Recent Advances in Intrusion Detection, pages
[31] P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and 219–235. Springer, 2007.
D. Song. A symbolic execution framework for javascript. In [37] X. Xing, W. Meng, B. Lee, U. Weinsberg, A. Sheth,
Security and Privacy (SP), 2010 IEEE Symposium on, pages R. Perdisci, and W. Lee. Understanding malvertising through
513–528. IEEE, 2010. ad-injecting browser extensions. In Proceedings of the 24th
[32] K. Sen, S. Kalasapur, T. Brutch, and S. Gibbs. Jalangi: A International Conference on World Wide Web, pages
selective record-replay and dynamic analysis framework for 1286–1295. International World Wide Web Conferences
javascript. In Proceedings of the 2013 9th Joint Meeting on Steering Committee, 2015.
Foundations of Software Engineering, pages 488–498. ACM, [38] Y. Zheng, T. Bao, and X. Zhang. Statically locating web
2013. application bugs caused by asynchronous calls. In
[33] K. Sen, G. Necula, L. Gong, and W. Choi. Multise: Proceedings of the 20th international conference on World
Multi-path symbolic execution using value summaries. In wide web, pages 805–814. ACM, 2011.
Proceedings of the 2015 10th Joint Meeting on Foundations [39] Y. Zhou and D. Evans. Understanding and monitoring
of Software Engineering, pages 842–853. ACM, 2015. embedded web scripts. In Security and Privacy (SP), 2015
[34] Y. Takata, M. Akiyama, T. Yagi, T. Hariu, and S. Goto. IEEE Symposium on, pages 850–865. IEEE, 2015.
Minespider: Extracting urls from environment-dependent