Fakeium: A Dynamic Execution Environment for JavaScript Program Analysis

José Miguel Moreno, Narseo Vallina-Rodriguez, Juan Tapiador

TL;DR

This paper presents Fakeium, a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs. It complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed, without the need for resource-intensive instrumented browsers or synthetic user input.

Abstract

The JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious browser extensions that steal user information and supply chain attacks that target the official Node.js package registry. To combat these threats, researchers have developed specialized tools and frameworks for analyzing the behavior of JavaScript programs to detect malicious patterns. Static analysis tools typically struggle with the highly dynamic nature of the language and fail to process obfuscated sources, while dynamic analysis pipelines take several minutes to run and require more resources per program, making them unfeasible for large-scale analyses. In this paper, we present Fakeium, a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs. Built on top of the popular V8 engine, Fakeium complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed, without the need for resource-intensive instrumented browsers or synthetic user input. Besides its negligible execution overhead, our tool is highly customizable and supports hooks for advanced analysis scenarios such as network traffic emulation. Fakeium's flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlight its potential as a valuable tool for security analysts to detect malicious behavior.
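The idea of "hidden API calls" in the abstract can be illustrated with a small sketch. This is an added example, not Fakeium's code or API: `makeMock`, `staticApis`, `dynamicApis` and `SAMPLE` are hypothetical names, the sample source is constructed, and Node's built-in `vm` module stands in for the execution environment.

```javascript
const vm = require('node:vm');

// Recursive mock object: every property read and every call is logged,
// and each returns another mock so chained accesses keep working.
function makeMock(path, log) {
  return new Proxy(function () {}, {
    get(_target, prop) {
      if (typeof prop === 'symbol') return undefined;
      const next = `${path}.${prop}`;
      log.push({ type: 'get', path: next });
      return makeMock(next, log);
    },
    apply(_target, _thisArg, args) {
      const shown = args.map(a =>
        typeof a === 'function' ? '[function]' : JSON.stringify(a));
      log.push({ type: 'call', path, args: shown });
      return makeMock(`${path}()`, log);
    },
  });
}

// Constructed sample: the API name is assembled at run time, so it never
// appears as a dotted name in the source text.
const SAMPLE = `
  var ns = 'sbat'.split('').reverse().join('');
  chrome[ns]['qu' + 'ery']({ active: true }, function () {});
`;

// Naive static pass: look for dotted chrome.* names in the source text.
function staticApis(source) {
  return source.match(/\bchrome(?:\.\w+)+/g) || [];
}

// Dynamic pass: execute the source against the mock and keep the calls.
// Assumption: only `chrome` is mocked; a real tool mocks the whole environment.
function dynamicApis(source) {
  const log = [];
  const context = vm.createContext({ chrome: makeMock('chrome', log) });
  vm.runInContext(source, context, { timeout: 1000 });
  return log.filter(entry => entry.type === 'call');
}

console.log('static :', staticApis(SAMPLE));
console.log('dynamic:', dynamicApis(SAMPLE));
```

Node's `vm` module is not a security boundary, so this sketch is suitable only for constructed samples like the one above, never for untrusted code.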

Paper Structure

This paper contains 19 sections, 5 figures, 3 tables.

Figures (5)

  • Figure 1: Overview of Fakeium architecture.
  • Figure 2: Evaluation methodology pipeline.
  • Figure 3: Wall time distributions for static and dynamic analysis pipelines. Solid orange line for static analysis (whole duration), dashed orange line for static analysis (only AST parsing), bold solid blue line for Fakeium.
  • Figure 4: Heap memory size distributions for static and dynamic analysis pipelines. Orange line for static analysis, bold blue line for Fakeium.
  • Figure 5: Ratio of API calls per source, grouped by the analyzer that found them. Orange area for static analysis only, blue for Fakeium only (hidden API calls), purple for found by both. Empty area for sources with no API calls.