Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques

Nikolaos Pantelaios, Alexandros Kapravelos

TL;DR

FV8 presents an open-source, API-targeted forced-execution system based on the V8 engine to detect JavaScript evasions in both Node.js and Chromium environments. By patching V8 and integrating with VV8, FV8 recursively forces execution of conditionally injected code, significantly increasing code coverage and exposing evasion techniques across npm packages and Chrome extensions. Across three datasets, FV8 identifies 28 evasion categories and 110 malicious extensions, executing millions of lines of code that would remain hidden under conventional analyses, and reports many extensions to Google for remediation. The work demonstrates strong detection performance with low overhead, practical reproducibility via per-version patches and Docker, and broad potential applicability beyond extensions to other JavaScript platforms and domains.

Abstract

Evasion techniques allow malicious code to never be observed. This impacts significantly the detection capabilities of tools that rely on either dynamic or static analysis, as they never get to process the malicious code. The dynamic nature of JavaScript, where code is often injected dynamically, makes evasions particularly effective. Yet, we lack tools that can detect evasive techniques in a challenging environment such as JavaScript. In this paper, we present FV8, a modified V8 JavaScript engine designed to identify evasion techniques in JavaScript code. FV8 selectively enforces code execution on APIs that conditionally inject dynamic code, thus enhancing code coverage and consequently improving visibility into malicious code. We integrate our tool in both the Node.js engine and the Chromium browser, compelling code execution in npm packages and Chrome browser extensions. Our tool increases code coverage by 11% compared to default V8 and detects 28 unique evasion categories, including five previously unreported techniques. In data confirmed as malicious from both ecosystems, our tool identifies 1,443 (14.6%) npm packages and 164 (82%) extensions containing at least one type of evasion. In previously unexamined extensions (39,592), our tool discovered 16,471 injected third-party scripts, and a total of 8,732,120 lines of code executed due to our forced execution instrumentation. Furthermore, it tagged a total of 423 extensions as both evasive and malicious and we manually verify 110 extensions (26%) to actually be malicious, impacting two million users. Our tool is open-source and serves both as an in-browser and standalone dynamic analysis tool, capable of detecting evasive code, bypassing obfuscation in certain cases, offering improved access to malicious code, and supporting recursive analysis of dynamic code injections

FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques

TL;DR

FV8 presents an open-source, API-targeted forced-execution system based on the V8 engine to detect JavaScript evasions in both Node.js and Chromium environments. By patching V8 and integrating with VV8, FV8 recursively forces execution of conditionally injected code, significantly increasing code coverage and exposing evasion techniques across npm packages and Chrome extensions. Across three datasets, FV8 identifies 28 evasion categories and 110 malicious extensions, executing millions of lines of code that would remain hidden under conventional analyses, and reports many extensions to Google for remediation. The work demonstrates strong detection performance with low overhead, practical reproducibility via per-version patches and Docker, and broad potential applicability beyond extensions to other JavaScript platforms and domains.

Abstract

Evasion techniques allow malicious code to never be observed. This impacts significantly the detection capabilities of tools that rely on either dynamic or static analysis, as they never get to process the malicious code. The dynamic nature of JavaScript, where code is often injected dynamically, makes evasions particularly effective. Yet, we lack tools that can detect evasive techniques in a challenging environment such as JavaScript. In this paper, we present FV8, a modified V8 JavaScript engine designed to identify evasion techniques in JavaScript code. FV8 selectively enforces code execution on APIs that conditionally inject dynamic code, thus enhancing code coverage and consequently improving visibility into malicious code. We integrate our tool in both the Node.js engine and the Chromium browser, compelling code execution in npm packages and Chrome browser extensions. Our tool increases code coverage by 11% compared to default V8 and detects 28 unique evasion categories, including five previously unreported techniques. In data confirmed as malicious from both ecosystems, our tool identifies 1,443 (14.6%) npm packages and 164 (82%) extensions containing at least one type of evasion. In previously unexamined extensions (39,592), our tool discovered 16,471 injected third-party scripts, and a total of 8,732,120 lines of code executed due to our forced execution instrumentation. Furthermore, it tagged a total of 423 extensions as both evasive and malicious and we manually verify 110 extensions (26%) to actually be malicious, impacting two million users. Our tool is open-source and serves both as an in-browser and standalone dynamic analysis tool, capable of detecting evasive code, bypassing obfuscation in certain cases, offering improved access to malicious code, and supporting recursive analysis of dynamic code injections
Paper Structure (39 sections, 4 figures, 11 tables)

This paper contains 39 sections, 4 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Background
  3. V8 & Chromium
  4. VisibleV8
  5. WebStore & Extensions
  6. Node.js & npm ecosystem
  7. Relevant Technologies
  8. Data
  9. Methodology
  10. Modifying V8
  11. npm Evasion Detection Module
  12. Extension Detection Module
  13. Post-Processing Module
  14. Results
  15. Malicious npm Packages (D1)
  16. ...and 24 more sections

Figures (4)

  • Figure 1: Full architecture consisting of npm Evasion Detection Module, Extension Detection Module, Post-Processing Module and the DBSCAN Expansion Module. These four components, and the resulting flagging of data, collectively define ATRES as a system.
  • Figure 2: FV8 architecture: Our modified engine detects evasion conditions and targeted APIs and increases code coverage execution.
  • Figure 3: DBSCAN clustering architecture based on evasion APIs.
  • Figure 4: Performance comparison of our tool FV8 against VisibleV8 and Chrome as a baseline.