JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques.
Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.
History
Preferred Citation
Marvin Moog, Markus Demmel, Michael Backes and Aurore Fass. Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild. In: IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2021.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Legacy Posted Date
2021-03-23
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3385,
title = "Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild",
author = "Moog, Marvin and Demmel, Markus and Backes, Michael and Fass, Aurore",
booktitle="{IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)}",
year="2021",
}