Cryptic Bytes: WebAssembly Obfuscation for Evading Cryptojacking Detection
Håkon Harnes, Donn Morrison
TL;DR
This work provides the most extensive evaluation to date of code obfuscation techniques for WebAssembly, examining their effectiveness, detectability, and overhead across multiple abstraction levels. By introducing emcc-obf and benchmarking Tigress and wasm-mutate on a dataset of over $2.0\times10^4$ obfuscated binaries, the study demonstrates that obfuscation can significantly distort WebAssembly binaries and, in many cases, evade state-of-the-art cryptojacking detectors. Key findings show Tigress as the most effective obfuscator in terms of producing dissimilar binaries and increasing native-code size, though detectors can still be thwarted with carefully chosen transformations and stacking, at the cost of notable overheads. The work provides a valuable resource, including a large obfuscated-wasm dataset and the emcc-obf tool, to spur further research into robust detection methods and more resilient defense strategies against WebAssembly-based cryptojacking. The results underscore a practical trade-off between evasion capability and performance/size penalties, informing both defenders and researchers about realistic threat models and detection gaps.
Abstract
WebAssembly has gained significant traction as a high-performance, secure, and portable compilation target for the Web and beyond. However, its growing adoption has also introduced new security challenges. One such threat is cryptojacking, where websites mine cryptocurrencies on visitors' devices without their knowledge or consent, often through the use of WebAssembly. While detection methods have been proposed, research on circumventing them remains limited. In this paper, we present the most comprehensive evaluation of code obfuscation techniques for WebAssembly to date, assessing their effectiveness, detectability, and overhead across multiple abstraction levels. We obfuscate a diverse set of applications, including utilities, games, and crypto miners, using state-of-the-art obfuscation tools like Tigress and wasm-mutate, as well as our novel tool, emcc-obf. Our findings suggest that obfuscation can effectively produce dissimilar WebAssembly binaries, with Tigress proving most effective, followed by emcc-obf and wasm-mutate. The impact on the resulting native code is also significant, although the V8 engine's TurboFan optimizer can reduce native code size by 30\% on average. Notably, we find that obfuscation can successfully evade state-of-the-art cryptojacking detectors. Although obfuscation can introduce substantial performance overheads, we demonstrate how obfuscation can be used for evading detection with minimal overhead in real-world scenarios by strategically applying transformations. These insights are valuable for researchers, providing a foundation for developing more robust detection methods. Additionally, we make our dataset of over 20,000 obfuscated WebAssembly binaries and the emcc-obf tool publicly available to stimulate further research.