TY - GEN
T1 - Semantics-preserving dissection of Javascript exploits via dynamic JS-binary analysis
AU - Hu, Xunchao
AU - Prakash, Aravind
AU - Wang, Jinghan
AU - Zhou, Rundong
AU - Cheng, Yao
AU - Yin, Heng
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - JavaScript exploits pose a severe threat to computer security. Once a zero-day exploit is captured, it is critical to quickly pinpoint the JavaScript statements that uniquely characterize the exploit and the location of the payload within it. However, current diagnosis techniques are inadequate because they approach the problem either from a JavaScript perspective, and fail to account for "implicit" data flow that is invisible at the JavaScript level, or from a binary execution perspective, and fail to present the JavaScript-level view of the exploit. In this paper, we propose JScalpel, a framework that automatically bridges the semantic gap between the JavaScript level and the binary level for dynamic JS-binary analysis. With this new technique, JScalpel can automatically pinpoint the exploitation or payload-injection component of JavaScript exploits and generate minimized exploit code and a Proof-of-Vulnerability (PoV). Using JScalpel, we analyze 15 JavaScript exploits (9 memory corruption exploits from Metasploit, 4 exploits from 3 different exploit kits, and 2 in-the-wild exploits) and successfully recover the payload and a minimized exploit for each of them.
AB - JavaScript exploits pose a severe threat to computer security. Once a zero-day exploit is captured, it is critical to quickly pinpoint the JavaScript statements that uniquely characterize the exploit and the location of the payload within it. However, current diagnosis techniques are inadequate because they approach the problem either from a JavaScript perspective, and fail to account for "implicit" data flow that is invisible at the JavaScript level, or from a binary execution perspective, and fail to present the JavaScript-level view of the exploit. In this paper, we propose JScalpel, a framework that automatically bridges the semantic gap between the JavaScript level and the binary level for dynamic JS-binary analysis. With this new technique, JScalpel can automatically pinpoint the exploitation or payload-injection component of JavaScript exploits and generate minimized exploit code and a Proof-of-Vulnerability (PoV). Using JScalpel, we analyze 15 JavaScript exploits (9 memory corruption exploits from Metasploit, 4 exploits from 3 different exploit kits, and 2 in-the-wild exploits) and successfully recover the payload and a minimized exploit for each of them.
KW - Exploit analysis
KW - Malicious JavaScript
UR - http://www.scopus.com/inward/record.url?scp=84988557247&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84988557247&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-45719-2_12
DO - 10.1007/978-3-319-45719-2_12
M3 - Conference contribution
AN - SCOPUS:84988557247
SN - 9783319457185
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 254
EP - 276
BT - Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings
A2 - Dacier, Marc
A2 - Monrose, Fabian
A2 - Blanc, Gregory
A2 - Garcia-Alfaro, Joaquin
PB - Springer Verlag
T2 - 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016
Y2 - 19 September 2016 through 21 September 2016
ER -