Fakeium: A Dynamic Execution Environment for JavaScript Program Analysis

José Miguel Moreno, Narseo Vallina-Rodriguez, Juan Tapiador
2024-10-28
Abstract: The JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious browser extensions that steal user information and supply chain attacks that target the official Node.js package registry. To combat these threats, researchers have developed specialized tools and frameworks for analyzing the behavior of JavaScript programs to detect malicious patterns. Static analysis tools typically struggle with the highly dynamic nature of the language and fail to process obfuscated sources, while dynamic analysis pipelines take several minutes to run and require more resources per program, making them unfeasible for large-scale analyses. In this paper, we present Fakeium, a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs. Built on top of the popular V8 engine, Fakeium complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed, without the need for resource-intensive instrumented browsers or synthetic user input. Besides its negligible execution overhead, our tool is highly customizable and supports hooks for advanced analysis scenarios such as network traffic emulation. Fakeium's flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlight its potential as a valuable tool for security analysts to detect malicious behavior.
Cryptography and Security, Software Engineering
What problem does this paper attempt to address?
### What problems does this paper attempt to solve?

This paper addresses several key problems in JavaScript program analysis:

1. **Malicious behavior detection**
   - JavaScript is a widely used language whose dynamic features (code obfuscation, runtime code generation and evaluation) make malicious behavior easy to hide. Malicious browser extensions and supply-chain attacks (such as attacks against the Node.js package registry) keep appearing.
   - Static analysis tools perform poorly on highly dynamic JavaScript, especially obfuscated code, and struggle to recover information that only exists at runtime, such as the API calls actually made and the string literals actually used.

2. **Efficiency and scalability of dynamic analysis**
   - Traditional dynamic analysis overcomes the limitations of static analysis, but it usually needs a large amount of computing resources and time, which is prohibitive at scale (for example, when analyzing millions of source files).
   - Dynamic analysis also tends to depend on user input or synthetic user interaction, which makes full automation complex and hard to scale.

3. **Limitations of existing tools**
   - Most existing JavaScript dynamic analysis tools are built on a complete browser environment (such as Chromium). These tools are resource-intensive and complex to configure, and are not suited to efficient large-scale analysis.

To solve these problems, the authors propose **Fakeium**, a lightweight and efficient dynamic execution environment for behavior analysis of JavaScript programs at scale. Its main features are:

- **Lightweight and efficient**: the execution overhead is kept minimal (an average of 70 milliseconds and 1.5 MiB of heap memory per program), so it can be combined with static analysis tools without adding a significant burden.
- **No need for user input**: it requires no human intervention or synthetic user input, enabling a fully automated analysis pipeline.
- **Highly customizable**: it provides a hooks mechanism that lets researchers tailor the analysis scenario, for example by emulating network traffic.
- **Handles obfuscated code**: it is especially suited to analyzing obfuscated JavaScript and can surface API calls that obfuscation hides from static inspection.

In short, Fakeium aims to fill the gap between traditional static and dynamic analysis tools and to provide an efficient, scalable and easy-to-use solution for the security analysis of JavaScript programs.