Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Static Semantics Reconstruction for Enhancing JavaScript-WebAssembly Multilingual Malware Detection

Yifan Xia, Ping He, Xuhong Zhang, Peiyu Liu, Shouling Ji, Wenhai Wang

TL;DR

The paper tackles the detection gap for JavaScript-WebAssembly multilingual malware (JWMM) by introducing JWBinder, a two-phase static-analysis pipeline that first exposes cross-language interoperations via a language-specific data-flow analysis and then reconstructs a unified static semantic representation, the Inter-language Program Dependency Graph (IPDG). By transforming JWMM into a monolingual JavaScript representation, JWBinder enables monolingual antivirus detectors to identify multilingual threats with higher accuracy. Evaluations on real-world VirusTotal data show substantial improvements in detection rates (SDR) and coverage (ADE) across multiple AV vendors, with modest false positives and reasonable runtimes. The approach demonstrates practical viability for industry deployment and provides a foundation for further cross-language malware analysis research.

Abstract

The emergence of WebAssembly allows attackers to hide the malicious functionalities of JavaScript malware in cross-language interoperations, termed JavaScript-WebAssembly multilingual malware (JWMM). However, existing anti-virus solutions based on static program analysis are still limited to monolingual code. As a result, their detection effectiveness decreases significantly against JWMM. The detection of JWMM is challenging due to the complex interoperations and semantic diversity between JavaScript and WebAssembly. To bridge this gap, we present JWBinder, the first technique aimed at enhancing the static detection of JWMM. JWBinder performs a language-specific data-flow analysis to capture the cross-language interoperations and then characterizes the functionalities of JWMM through a unified high-level structure called Inter-language Program Dependency Graph. The extensive evaluation on one of the most representative real-world anti-virus platforms, VirusTotal, shows that \system effectively enhances anti-virus systems from various vendors and increases the overall successful detection rate against JWMM from 49.1\% to 86.2\%. Additionally, we assess the side effects and runtime overhead of JWBinder, corroborating its practical viability in real-world applications.

Static Semantics Reconstruction for Enhancing JavaScript-WebAssembly Multilingual Malware Detection

TL;DR

The paper tackles the detection gap for JavaScript-WebAssembly multilingual malware (JWMM) by introducing JWBinder, a two-phase static-analysis pipeline that first exposes cross-language interoperations via a language-specific data-flow analysis and then reconstructs a unified static semantic representation, the Inter-language Program Dependency Graph (IPDG). By transforming JWMM into a monolingual JavaScript representation, JWBinder enables monolingual antivirus detectors to identify multilingual threats with higher accuracy. Evaluations on real-world VirusTotal data show substantial improvements in detection rates (SDR) and coverage (ADE) across multiple AV vendors, with modest false positives and reasonable runtimes. The approach demonstrates practical viability for industry deployment and provides a foundation for further cross-language malware analysis research.

Abstract

The emergence of WebAssembly allows attackers to hide the malicious functionalities of JavaScript malware in cross-language interoperations, termed JavaScript-WebAssembly multilingual malware (JWMM). However, existing anti-virus solutions based on static program analysis are still limited to monolingual code. As a result, their detection effectiveness decreases significantly against JWMM. The detection of JWMM is challenging due to the complex interoperations and semantic diversity between JavaScript and WebAssembly. To bridge this gap, we present JWBinder, the first technique aimed at enhancing the static detection of JWMM. JWBinder performs a language-specific data-flow analysis to capture the cross-language interoperations and then characterizes the functionalities of JWMM through a unified high-level structure called Inter-language Program Dependency Graph. The extensive evaluation on one of the most representative real-world anti-virus platforms, VirusTotal, shows that \system effectively enhances anti-virus systems from various vendors and increases the overall successful detection rate against JWMM from 49.1\% to 86.2\%. Additionally, we assess the side effects and runtime overhead of JWBinder, corroborating its practical viability in real-world applications.
Paper Structure (19 sections, 6 figures, 5 tables)

This paper contains 19 sections, 6 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Backgorund and Motivation
  3. WebAssembly
  4. JavaScript-WebAssembly Multilingual Malware
  5. A Motivating Example
  6. JWBinder
  7. Approach Overview
  8. Phase 1: Language-specific Data-flow Analysis
  9. Phase 2: Static Semantic Reconstruction
  10. Evaluation
  11. Experiment Setup and Preliminary Study
  12. Effectiveness of JWBinder (RQ1)
  13. Side Effects (RQ2)
  14. Generalization Ability of JWBinder (RQ3)
  15. Efficiency of JWBinder (RQ4)
  16. ...and 4 more sections

Figures (6)

  • Figure 1: An example of JWMM (b and c) and its equivalent JavaScript malware (a)
  • Figure 2: An overview of JWBinder
  • Figure 3: Example PDG of figure 1.b (some nodes are simplified for clarity)
  • Figure 4: WebAssembly modularization/instantiation functions and properties
  • Figure 5: Run-time performance of JWBinder depending on the JWMM size
  • ...and 1 more figures