Abstract: Evasion techniques allow malicious code to never be observed. This significantly impacts the detection capabilities of tools that rely on either dynamic or static analysis, as they never get to process the malicious code. The dynamic nature of JavaScript, where code is often injected dynamically, makes evasions particularly effective. Yet, we lack tools that can detect evasive techniques in a challenging environment such as JavaScript.
What problem does this paper attempt to address?
The problem this paper attempts to solve is: **how to detect and identify evasion techniques in JavaScript code**, techniques that make malicious code hard for dynamic or static analysis tools to detect. Specifically, because of the dynamic nature of JavaScript, malicious code can hide itself through dynamic injection and similar means, thereby evading detection, and existing tools lack effective detection methods for such a complex environment.
### Main contributions of the paper
1. **Propose FV8**: A modified engine built on Chromium's V8 JavaScript engine that detects evasion techniques in JavaScript code by forcing the execution of code guarded by specific APIs. FV8 can recursively force dynamically-loaded code in Node.js and Chromium environments, thereby increasing code coverage and revealing more potentially malicious behavior.
2. **Detect multiple evasion techniques**: FV8 has successfully identified 28 different categories of evasion techniques, including 5 new techniques that have not been reported before. These techniques are widely present in npm packages and browser extensions, further validating the effectiveness of FV8.
3. **Large-scale experimental verification**: By testing 39,592 browser extensions and 9,899 malicious npm packages, FV8 has demonstrated that it applies broadly across multiple environments. The experimental results show that FV8 significantly increases code coverage and detects a large amount of hidden malicious code.
4. **Automatically execute detected evasive behavior**: FV8 not only detects evasion techniques but also automatically triggers the behavior they guard, resulting in the execution of more than 11 million lines of code and 24,140 new dynamically-loaded scripts that were previously invisible to the detection system.
5. **Detection and reporting of malicious extensions**: By combining FV8 with the DBSCAN clustering algorithm, the researchers detected and manually verified 110 malicious extensions and reported them to Google, 62.7% of which have since been removed.
6. **Open source and maintainability**: As an open-source tool, FV8 provides patch files for the latest 28 versions of V8 and Chromium, ensuring compatibility and maintainability across versions and making it the first open-source, maintainable JavaScript forced-execution solution.
### Key technologies of the solution
- **V8 engine modification**: By adding condition-detection and API-detection logic to the V8 engine, FV8 identifies, while parsing code, the code blocks whose conditions may implement evasion techniques and forces those blocks to execute.
- **Recursive execution system**: To handle dynamically-loaded code, FV8 uses a recursive execution system that covers both the initial code and the third-party code it injects dynamically.
- **Visibility enhancement**: Combined with VisibleV8 (VV8), FV8 can generate detailed log files, recording the executed code and the involved APIs, helping researchers better understand code behavior.
- **Dataset construction and experiment**: By collecting and processing datasets from the Chrome Web Store and npm, FV8 has carried out extensive experiments to verify its effectiveness and reliability in practical applications.
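To make the forced-execution idea in the first two bullets concrete, here is an added source-level illustration (not FV8's own code, which does this inside V8's parser): the watched-API list and the sample script are constructed, evasive `if` conditions are rewritten to constants so each outcome runs, and the resulting coverage is compared against a plain run under a stub analysis environment.

```javascript
// Watched APIs whose use in a branch condition marks the branch for forcing
// (constructed list; FV8 maintains its own, larger set).
const WATCHED = ['navigator.webdriver', 'document.hidden', 'process.versions'];

// Constructed sample script: branches guarded by environment checks.
const SAMPLE = `
  if (navigator.webdriver === false) { trace('dynamic-load'); }
  if (document.hidden) { trace('idle-branch'); } else { trace('visible-branch'); }
  if (colors > 8) { trace('unrelated-branch'); }
`;
const IF_RE = /if\s*\(([^()]*)\)/g;   // simple conditions only, no nested parens

// Report every `if` condition that mentions a watched API.
function findEvasiveConditions(src, watched = WATCHED) {
  const found = [];
  for (const m of src.matchAll(IF_RE)) {
    const cond = m[1].trim();
    const api = watched.find(a => cond.includes(a));
    if (api) found.push({ cond, api });
  }
  return found;
}

// Replace each evasive condition with a constant so the chosen outcome runs
// regardless of what the environment actually reports.
function forceConditions(src, value, watched = WATCHED) {
  return src.replace(IF_RE, (whole, cond) =>
    watched.some(a => cond.includes(a)) ? `if (${value})` : whole);
}

// Run each source variant under a stub analysis environment (a headless-style
// browser: webdriver set, page hidden) and collect the labels trace() reaches.
function coverage(sources) {
  const reached = new Set();
  for (const src of sources)
    new Function('navigator', 'document', 'colors', 'trace', src)(
      { webdriver: true }, { hidden: true }, 24, label => reached.add(label));
  return [...reached].sort();
}

// Baseline: a single unmodified run, as a plain sandbox would see it.
const plainCoverage = src => coverage([src]);

// Forced: evasive branches forced true, then false; the union is the code a
// plain run never reaches once the script has recognised the sandbox.
const forcedCoverage = src => coverage([true, false].map(v => forceConditions(src, v)));
```

The unrelated `colors > 8` branch is left untouched, which is the point of keying the rewrite on watched APIs rather than forcing every conditional.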
In summary, this paper aims to provide an effective solution to detect and deal with evasion techniques in JavaScript code by developing the FV8 tool, thereby enhancing the ability to detect malicious code.