Abstract. JavaScript (JS) based shellcode injections are among the most dangerous attacks to computer systems. Existing approaches have various limitations in detecting such attacks. In this paper, we propose a new detection methodology that overcomes these limitations by fully using JS code execution environment information. We leverage this information and create a virtual execution environment where shellcodes' real behavior can be precisely monitored and detection redundancy can be reduced. Following this …
“…In static detecting methods, input data are first disassembled and then screened via code-level pattern analysis and matching. Patterns can be complicated signatures or simple heuristics that are obtained from studying known malicious codes [9]. Although the static detecting method is fast, it cannot detect unknown ShellCode or detect the ShellCode's behavior in detail.…”
Section: Static and Dynamic Shellcode Detecting Methods (citation type: mentioning; confidence: 99%)
“…Dynamic detecting methods detect malicious ShellCode by using information generated during ShellCode execution [9]. In dynamic detecting methods, instructions are analyzed when the code actually executes; dynamic methods are immune to obfuscation attempts and self-modifying programs [10].…”
Section: Static and Dynamic Shellcode Detecting Methods (citation type: mentioning)
ShellCode injections with malicious JavaScript code in documents are becoming more prevalent and dangerous. However, the existing methods have some limitations in detecting this kind of attack. In this article, we explore the detection of malicious documents and propose an approach for detecting malicious documents that contain JavaScript ShellCode. In our approach, we provide an impact factor which represents the reliability of the document being malicious. We use both static detection and dynamic detection and then combine the results of the two different methods. Therefore, we can get an acceptable overhead and make the detection immune to obfuscation. We have implemented a proof-of-concept prototype of the detection system on a Linux platform. We have also evaluated the accuracy and the performance overhead on the test platform. The results show that the system reports very few faults with an acceptable overhead.
“…To de-obfuscate malicious JavaScript code, Gen et al. [29] simplify the obfuscated JavaScript code by preserving the semantics of the observational equivalence. JSGuard [21] proposed a methodology to detect JavaScript shellcode that fully uses JavaScript code execution environment information with low false negative and false positive rates. Liu et al. [28] propose a context-aware approach for detection and confinement of malicious JavaScript in PDF by inserting context monitoring code into a document.…”
Section: Related Work (citation type: mentioning; confidence: 99%)
“…In recent years, a number of techniques [17], [29], [22], [21], [26], [35], [18], [25], [16] have been proposed to detect malicious JavaScript code. Due to the dynamic features of the JavaScript language, static analysis [20], [27], [38], [18] can be easily evaded using obfuscation techniques [46].…”
The drastic increase of JavaScript exploitation attacks has led to a strong interest in developing techniques to enable malicious JavaScript analysis. Existing analysis techniques fall into two general categories: static analysis and dynamic analysis. Static analysis tends to produce inaccurate results (both false positives and false negatives) and is vulnerable to a wide range of obfuscation techniques. Thus, dynamic analysis is constantly gaining popularity for exposing the typical features of malicious JavaScript. However, existing dynamic analysis techniques possess limitations such as limited code coverage and incomplete environment setup, leaving a broad attack surface for evading detection. To overcome these limitations, we present the design and implementation of a novel JavaScript forced execution engine named JSForce which drives an arbitrary JavaScript snippet to execute along different paths without any input or environment setup. We evaluate JSForce using 220,587 HTML and 23,509 PDF real-world samples. Experimental results show that by adopting our forced execution engine, the malicious JavaScript detection rate can be substantially boosted by 206.29% using the same detection policy without any noticeable false positive increase. We also make JSForce publicly available as an online service and will release the source code to the security community upon acceptance for publication.