Browser Tool Aims To Help Researchers ID Malicious Websites, Code
For Immediate Release
Researchers from North Carolina State University have developed an open-source tool that allows users to track and record the behavior of JavaScript programs without alerting the websites that run those programs. The tool, called VisibleV8, runs in the Chrome browser and is designed to detect malicious programs that are capable of evading existing malware detection systems.
“When you go to most websites, your browser starts running the site’s JavaScript programs pretty much immediately – and you have little or no idea of what that JavaScript is doing,” says Alexandros Kapravelos, co-author of a paper on VisibleV8 and an assistant professor of computer science at NC State. “Previous state-of-the-art malware detection systems rely on making changes to JavaScript code in order to see how the code is being executed. But this approach is easily detected, allowing malware programs to alter their behavior in order to avoid being identified as malicious.
“VisibleV8 runs in the browser itself, recording how JavaScript is executed; it doesn’t interact with the code and, as a result, is far more difficult to detect.”
VisibleV8 saves all of the data on how a site is using JavaScript, creating a “behavior profile” for the site. That profile, and all of the supporting data, can then be used by researchers to identify both malicious websites and the various ways that JavaScript is used to compromise web browsers and user information.
Because VisibleV8 consists of only 600 lines of code, out of the millions of lines of code in Chrome, the software tool is relatively easy to keep up-to-date. This is an important consideration given that Chrome’s code is updated approximately every six weeks. VisibleV8 can also be used to target the most likely malicious behaviors without hurting browser performance.
“We’ve created a stealthy tool for monitoring JavaScript in the wild,” Kapravelos says. “We’re now making it open source, in hopes that it will be useful to anyone doing research on web privacy and security.”
VisibleV8 can be downloaded from Kapravelos’ site at http://kapravelos.com/projects/vv8.
The paper, “VisibleV8: In-browser Monitoring of JavaScript in the Wild,” is being presented at the ACM Internet Measurement Conference 2019, being held Oct. 21-23 in Amsterdam, Netherlands. First author of the paper is Jordan Jueckstock, a Ph.D. student at NC State.
The work was done with support from the Office of Naval Research, under grant N00014-17-1-2541; by DARPA, under agreement number FA8750-19-C-0003; and by the National Science Foundation, under grant CNS-1703375.
-shipman-
Note to Editors: The study abstract follows.
“VisibleV8: In-browser Monitoring of JavaScript in the Wild”
Authors: Jordan Jueckstock and Alexandros Kapravelos, North Carolina State University
Presented: ACM Internet Measurement Conference 2019, Oct. 21-23, Amsterdam, Netherlands
Abstract: Modern web security and privacy research depends on accurate measurement of an often evasive and hostile web. No longer just a network of static, hyperlinked documents, the modern web is alive with JavaScript (JS) loaded from third parties of unknown trustworthiness. Dynamic analysis of potentially hostile JS currently presents a cruel dilemma: use heavyweight in-browser solutions that prove impossible to maintain, or use lightweight inline JS solutions that are detectable by evasive JS and which cannot match the scope of coverage provided by in-browser systems. We present VisibleV8, a dynamic analysis framework hosted inside V8, the JS engine of the Chrome browser that logs native function or property accesses during any JS execution. At less than 600 lines (only 67 of which modify V8’s existing behavior), our patches are lightweight and have been maintained from Chrome versions 63 through 72 without difficulty. VV8 consistently outperforms equivalent inline instrumentation, and it intercepts accesses impossible to instrument inline. This comprehensive coverage allows us to isolate and identify 46 JavaScript namespace artifacts used by JS code in the wild to detect automated browsing platforms and to discover that 29% of the Alexa top 50k sites load content which actively probes these artifacts.
