
JSGuard: Shellcode Detection in JavaScript

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2012)

Abstract

JavaScript (JS) based shellcode injections are among the most dangerous attacks on computer systems. Existing approaches have various limitations in detecting such attacks. In this paper, we propose a new detection methodology that overcomes these limitations by fully using JS code execution environment information. We leverage this information to create a virtual execution environment in which the real behavior of shellcode can be precisely monitored and detection redundancy can be reduced. Following this methodology, we implement JSGuard, a prototype malicious JS code detection system, on Debian Linux with kernel version 2.6.26. Our extensive experiments show that JSGuard reports very few false positives and false negatives with acceptable overhead.




© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Gu, B., Zhang, W., Bai, X., Champion, A.C., Qin, F., Xuan, D. (2013). JSGuard: Shellcode Detection in JavaScript. In: Keromytis, A.D., Di Pietro, R. (eds) Security and Privacy in Communication Networks. SecureComm 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 106. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36883-7_8


  • DOI: https://doi.org/10.1007/978-3-642-36883-7_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36882-0

  • Online ISBN: 978-3-642-36883-7

  • eBook Packages: Computer Science (R0)
