JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 1 Detecting Malicious Behaviors in JavaScript Applications Jian Mao, Member, IEEE, Jingdong Bian, Guangdong Bai, Ruilong Wang, Yue Chen, Yinhao Xiao, and Zhenkai Liang, Member, IEEE Abstract—JavaScript applications are widely used in a range of scenarios, including web applications, hybrid-mobile applications and NodeJS applications. Due to its excellent cross-platform support, Javascript has become the core technology of social network platforms. On the other hand, the flexibility of the JavaScript language makes such applications prone to attacks that inject malicious behaviors. In this paper, we propose a detection technique to identify malicious behaviors in JavaScript applications. Our method models an application’s normal be- havior on function activation, which is used as a basis to detect attacks. We prototyped our solution on the popular JavaScript engine V8, and used it to detect attacks on the Android system. Our evaluation shows the effectiveness of our approach in detecting injection attacks to JavaScript applications. Index Terms—JavaScript application; hybrid mobile app; be- havior anomaly detection. I. I NTRODUCTION For the excellent cross-platform support, JavaScript ap- plications are widely used to power a wide range of so- lutions, including web applications, mobile applications and desktop/server applications. As a result, JavaScript is a core technology that supports popular social networking application architectures [1], covering both the cloud (servers) and the ends (browser and mobile apps). For the conveniences of users, such social network applications often require users to provide their geolocation, personal addresses, contacts, etc. On one hand, these applications often offer user-friendly and customized features for users. On the other side, users’ privacy is exposed to these applications, and is even potentially revealed to adversaries. In fact, the flexibility of the JavaScript language makes such applications prone to attacks that inject malicious behaviors. The existing web vulnerabilities in these application, such as cross-site scripting (XSS) [2], are also introduced into JavaScript applications on other platforms, which can lead to security breaches and reveal users’ privacy. In this paper, we focus on JavaScript-based mobile appli- cations, which is also called hybrid mobile apps. Compared to traditional web applications, such JavaScript applications have access to more sensitive channels on mobile devices, Jian Mao, Jingdong Bian, Ruilong Wang and Yue Chen are with School of Electronic and Information Engineering, Beihang University, China 100191 e-mail: ([email protected]). Guangdong Bai is with Singapore Institute of Technology, Singapore 138683. Yinhao Xiao is with The George Washington University, USA, DC 20052. Zhenkai Liang is with School of Computing, National University of Singapore, Singapore 117417 Manuscript received April 19, 2005; revised August 26, 2015. such as contacts and messages, allowing malicious code to be hidden in such channels to be injected into hybrid mobile apps [3], [4], [5]. Moreover, the injected code has much more power in accessing system resources, such as camera and GPS information, than its counterparts in the web. Researchers have extensively studied code injection on the web platform [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], the solutions are mainly for the architecture of web applications. Researchers have proposed solutions to prevent code injection attacks in hybrid mobile apps [3], [16], which is done mainly by filtering code out of the data input from potential code injection channels of the devices. However, these solutions need the knowledge of potential injection channels, such that they may become ineffective when new injection techniques are developed by attackers. In JavaScript applications, the anomalous, or foreign behav- iors by injected code break the execution integrity of the victim app, resulting in different behaviors from benign ones in the way they are activated. Based on this observation, the research community has developed solutions to detect anomalous be- haviors based on behavior models in several platforms, such as x86 programs [17], [18] and web applications [19], [20]. The key of such solutions is to identify the program states under which foreign behaviors can be distinguished from benign behaviors. In hybrid mobile apps, dangerous behaviors are carried out as call to APIs provided by the hybrid framework such as PhoneGap [21]. These APIs are comparable to system calls to an operating system. Therefore, in our approach, our goal is to distinguish malicious call to these APIs from benign ones. Our approach. For hybrid Android apps, we observed that the caller-callee relationship of JavaScript functions can provide information to distinguish benign and injected behavior. Our approach is based on function activation information of the apps and system events. In this paper, we propose a new approach to detect anomalous behaviors in hybrid Android apps as anomaly in function call behaviors. To intercept function calls of JavaScript in hybrid apps, we dynamically instrument JavaScript code in the JavaScript engine. The instrumented JavaScript reports function-level activity when a hybrid app is executed. In addition, we also extract events from the WebView component to enhance the behavior model. Based on these events, we detect attacks as the deviation between a hybrid app’s behavior and its expected behaviors. We prototyped our solution in the Android system, and eval- uated it using real-world hybrid Android apps. Our evaluation
Transcript
JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 1
Detecting Malicious Behaviors in JavaScriptApplications
Abstract—JavaScript applications are widely used in a range ofscenarios, including web applications, hybrid-mobile applicationsand NodeJS applications. Due to its excellent cross-platformsupport, Javascript has become the core technology of socialnetwork platforms. On the other hand, the flexibility of theJavaScript language makes such applications prone to attacksthat inject malicious behaviors. In this paper, we propose adetection technique to identify malicious behaviors in JavaScriptapplications. Our method models an application’s normal be-havior on function activation, which is used as a basis to detectattacks. We prototyped our solution on the popular JavaScriptengine V8, and used it to detect attacks on the Android system.Our evaluation shows the effectiveness of our approach indetecting injection attacks to JavaScript applications.
Index Terms—JavaScript application; hybrid mobile app; be-havior anomaly detection.
I. INTRODUCTION
For the excellent cross-platform support, JavaScript ap-plications are widely used to power a wide range of so-lutions, including web applications, mobile applications anddesktop/server applications. As a result, JavaScript is a coretechnology that supports popular social networking applicationarchitectures [1], covering both the cloud (servers) and theends (browser and mobile apps). For the conveniences ofusers, such social network applications often require usersto provide their geolocation, personal addresses, contacts,etc. On one hand, these applications often offer user-friendlyand customized features for users. On the other side, users’privacy is exposed to these applications, and is even potentiallyrevealed to adversaries.
In fact, the flexibility of the JavaScript language makes suchapplications prone to attacks that inject malicious behaviors.The existing web vulnerabilities in these application, suchas cross-site scripting (XSS) [2], are also introduced intoJavaScript applications on other platforms, which can lead tosecurity breaches and reveal users’ privacy.
In this paper, we focus on JavaScript-based mobile appli-cations, which is also called hybrid mobile apps. Comparedto traditional web applications, such JavaScript applicationshave access to more sensitive channels on mobile devices,
Jian Mao, Jingdong Bian, Ruilong Wang and Yue Chen are with School ofElectronic and Information Engineering, Beihang University, China 100191e-mail: ([email protected]).
Guangdong Bai is with Singapore Institute of Technology, Singapore138683.
Yinhao Xiao is with The George Washington University, USA, DC 20052.Zhenkai Liang is with School of Computing, National University of
Singapore, Singapore 117417Manuscript received April 19, 2005; revised August 26, 2015.
such as contacts and messages, allowing malicious code tobe hidden in such channels to be injected into hybrid mobileapps [3], [4], [5]. Moreover, the injected code has much morepower in accessing system resources, such as camera and GPSinformation, than its counterparts in the web.
Researchers have extensively studied code injection on theweb platform [6], [7], [8], [9], [10], [11], [12], [13], [14],[15], the solutions are mainly for the architecture of webapplications. Researchers have proposed solutions to preventcode injection attacks in hybrid mobile apps [3], [16], whichis done mainly by filtering code out of the data input frompotential code injection channels of the devices. However,these solutions need the knowledge of potential injectionchannels, such that they may become ineffective when newinjection techniques are developed by attackers.
In JavaScript applications, the anomalous, or foreign behav-iors by injected code break the execution integrity of the victimapp, resulting in different behaviors from benign ones in theway they are activated. Based on this observation, the researchcommunity has developed solutions to detect anomalous be-haviors based on behavior models in several platforms, such asx86 programs [17], [18] and web applications [19], [20]. Thekey of such solutions is to identify the program states underwhich foreign behaviors can be distinguished from benignbehaviors. In hybrid mobile apps, dangerous behaviors arecarried out as call to APIs provided by the hybrid frameworksuch as PhoneGap [21]. These APIs are comparable to systemcalls to an operating system. Therefore, in our approach, ourgoal is to distinguish malicious call to these APIs from benignones.Our approach. For hybrid Android apps, we observed that thecaller-callee relationship of JavaScript functions can provideinformation to distinguish benign and injected behavior. Ourapproach is based on function activation information of theapps and system events. In this paper, we propose a newapproach to detect anomalous behaviors in hybrid Androidapps as anomaly in function call behaviors.
To intercept function calls of JavaScript in hybrid apps,we dynamically instrument JavaScript code in the JavaScriptengine. The instrumented JavaScript reports function-levelactivity when a hybrid app is executed. In addition, we alsoextract events from the WebView component to enhance thebehavior model. Based on these events, we detect attacks asthe deviation between a hybrid app’s behavior and its expectedbehaviors.
We prototyped our solution in the Android system, and eval-uated it using real-world hybrid Android apps. Our evaluation
result illustrates the effectiveness of our approach. Moreover,with the wide deployment of JavaScript-based applications,our solutions can be adopted by JavaScript applications inother domains, such as server-side applications and IoT so-lutions.Contributions. In summary, we make the following contribu-tions:• We propose a new approach for detecting unexpected
foreign behaviors in hybrid Android apps. The key ofour technique is to identify function-level execution in-formation as the basis to distinguish benign and foreignbehaviors.
• We develop a dynamic instrumentation techniques to ex-tract the function-level run-time information from hybridapplication.
• We prototype our approach, and apply it to successfullydetect foreign-behaviors in hybrid apps under code injec-tion attacks.
Organization. The rest of this paper is organized as follows.Section II discusses related work. Section III discusses thebackground knowledge of hybrid applications and gives anoverview of our solution. In Section IV, we illustrate theoverall architecture of our approach and present essential algo-rithms. We describe the implementation details and evaluationresults in Section V and Section VI, respectively. Section VIIconcludes the paper.
II. RELATED WORK
a) Hybrid Android App Security: Georgiev et al. [22]discussed the seucurity flaws of the hybrid applciation frame-work and analyzed the vulnerabilities (e.g., fracking), poten-tial attacks introduced by the gap between web applicationsecurity mechanisms (e.g., SOP) and Android system accesscontrol policies. They presented a capability-based solution toprevent malicious code in Android hybrid apps from accessinghigh privilege, which is platform-independent and compatiblewith the exisitng framewoks and embeded browsers withoutchanging the code of hybride apps and their business modeeither.
Jin et al. [23] studied the code injection attacks introduced inHTML5-based (Hybrid) apps. They discovered a lot of chan-nels (e.g., 2D barcode reading, WiFi access point scanning,Bluetooth device pairing, etc.) that can be used to conductcode injection attackes through hybird apps. In their followup work [16], they identified most potential ways/“bridges”exposing the system resources to JavaScript without appropri-ate access control mechanisms, which are dangerous to theemerging threats. They developed tools to detect hybrid appspotentially vulnerable for code injection attacks and proposeda fine-grained access control model to filter out malicious codethat can be injected to the vulnerable apps.
b) Malicious Behavior Detection using Behavior Models:Several solutions pioneered using behavior models to detectmalcious system-call behaviors in applications. Forrest etal. [24] first proposed the anomly system call sequence basedintrusion detecion approach. Sekar et al. [17] propose to modelprogram behavior using a compact finite state automaton
(FSA), which models system call sites as states. Feng etal. [18] adopt call stack information to the FSA model forbetter accuracy. In web applications, Guha et al. [19] extractsthe non-deterministic request graph by statically analyzingclient-side web applications, which is used to detect anomalousbehaviors in Ajax applications. Dong et al. [20] use client-side state transactions and communications to servers to builda state machine model for detecting malicous behaviors inweb applications. Mao et al. [25] extends the solution todetect malicious behaviors in hybrid mobile apps. Such modelsmay not be effective in detecting behaviors injected into thesame web interfaces. In our early work [26], we showed thatutilize function-call relationships can be used for to detectattacks after it happens. In contrast, we extend the scope ofthe solution to general JavaScript applications in this paper,and use it to perform online detection of malicious behaviors.
c) Code Injection Defense in Web Applications: Codeinjection attacks on web applications, especially cross-sitescripting attacks (XSS) [2], that circumvent the same-originpolicy [27] can obtain arbitrary access to contents of thevulnerable website. Content Security Policy (CSP) [28] isdesigned to prevent unauthorized scripts from executing withinthe applied website. Researchers have employed static programanalysis to detect XSS vulnerabilities [6], [7], [8]. Numerousapproaches also prevent XSS attacks by using dynamic track-ing techniques to control the use of unsafe data in web appli-cations [9], [10], [11]. Wassermann [29] and Balzarotti [30]propose solutions to verify the correctness of sanitizationfunctions. Noxes [31] and NoMoXSS [32] develope client-side XSS defenses to ensure confidentiality of sensitive databy analyzing data flow in the browser instead of preventingexecuting illegitimate scripts. Based on the unique features ofreflected XSS attacks by comparing HTTP request parametersand responses, researchers deploy client-side and server-sidemechanisms to detect and mitigate these attacks [12], [13],[14]. DSI [33], Noncespaces [15] and Blueprint [34] preservethe integrity of document structure in the browser to preventXSS attacks. Meanwhile, a number of researchers focus onconfining the behaviors of untrusted scripts by transformingJavaScript code [35], [36], [37], [38]. Recently, DOM-basedXSS attacks are emerging, and various techniques are pro-posed to detect these attacks by taint analysis and mitigatethem by auto-patching the vulnerabilities [39], [40], [41],[42]. Apart from the above defenses, a line of approaches arefocusing on utilizing privilege separation on web applicationsto protect sensitive data from untrusted scripts [43], [44], [45],[46], [47], [48].
d) Privacy Leakage in Online Social Networks (OSNs):Prior research on privacy in online social networks mainlyfocuses on inferring users’ identities and personal informationfrom public information shared in various OSNs [49], [50],[51], [52]. Zheleva et al. [50] devised a classification-basedapproach to obtain users’ sensitive information from theirpublic social relationships and group information. Balduzziet al. [51] leverage email addresses to determine and linkusers across different OSNs. Chaabane et al. [52] proposedto infer users’ undisclosed (private) attributes using the publicattributes of other users sharing similar interests. Leveraging
2
HostOperatingSystem
JavaScriptBridges
UI
JavaScriptEngine
JavaScriptApplications
Fig. 1: The architecture of JavaScript applications.
the Latent Dirichlet Allocation generative model, they canextract semantic links between users’ unrelated interest names,further postulate and verify the interest-based similaritiesbetween users. In particular, they showed that as long as usersrevealed their music interests, their sensitive attributes, such asgender, age and country-level locations can be revealed withhigh accuracy.
III. APPROACH OVERVIEW
In this section, we introduce the runtime environment ofJavaScript Apps. Based on that, we use a motivating exam-ple to demonstrate how the function-activation relations areeffective in differentiating anomalous behaviors.
A. Runtime Environment of JavaScript Apps
Illustrated in Figure 1, JavaScript applications rely on aJavaScript engine to run its core logic, and on user inter-face (UI) modules to render its interface. The JavaScriptengine interacts with the host operating system through abridge module. The bridge module provides JavaScript APIswith system resources. It also offers a way to deal with therequirement of particular systems that contain the JavaScriptengine in a sandbox. For example, in Android browser, toprevent web pages from accessing system resources, a We-bView component is executed within a sandbox. When theWebView is used to execute hybrid mobile apps, it uses aplugin-based middleware framework as the bridge. With thisbridge, JavaScript code can invoke native Java code to accesssystem resources.
There are several middleware frameworks that can providesuch a bridge, e.g., PhoneGap [21], RhoMobile [53] andAppcelerator [54]. Apps developed based on these cross-platform frameworks are called hybrid apps. The static layoutsand dynamic behaviors of these hybrid apps are implementedin Web languages, e.g., HTML, CSS and JavaScript.
B. Motivating Example
We use a simplified hybrid app to illustrate how a JavaScriptcode injection attack occurs, and to understand the intuitionthat the function-level information is critical for anomalous
behavior detection. In this paper, without loss of general-ity, we base our design on PhoneGap, which is the mostpopular framework nowadays, and can be used on variousmobile platforms such as Android, iOS and Windows Phone.PhoneGap provides 16 plugins as the bridges to enable hy-brid mobile apps to access system resources, including file,camera, accelerometer, etc. If new access to local resources isneeded, developers can also write their own plugins to extendthe functionalities of these frameworks. JavaScript code canaccess new Android native resources by calling these newplugins. These plugins will directly invoke Java code andserve as bridges between JavaScript code and Android systemresources.
The app, called GroupMessageSender, contains four mainoperations, i.e., Search the contact list, Remove the userselected contact items, Add a contact item, and Send SMSmessage. It reads the whole contact list and displays contactitems with check boxes. Users can either select contact items tosend SMS messages to them or delete them from the list. Thesource code of reading, displaying and removing the contactlist is shown in Figure 2.
The functions shown in Figure 2 are invoked as fol-lows in the original app. On user click of buttons tosearch contacts, the browser invokes contactSearch(),which calls browser APIs and the PhoneGap APIs, includingnavigator.contacts.find(). On user click of buttons ofremoving contacts, the browser invokes contactRemove(),which calls browser APIs and PhoneGap APIs, includingnavigator.contacts.find() and contact[i].remove.These call relationships define the normal behavior of the app.
An attacker can inject malicious code into the namefield of a contact item, for example, <img src="x"
onerror="contactRemove()"/>. When the app reads themal-formatted contact item, the malicious code will beexecuted and directly calls the app’s JavaScript functioncontactRemove() to delete specific items.
In this attack, the malicious behavior (removing contacts) iscaused by the injected code, which is invoked while the useris viewing the contact list. In contrast, the normal behavior toremove contacts should be activated by user clicking on thebutton, which is designed to remove contacts. Furthermore,the function call stack of this contact remove behavior shouldonly contain the function contactRemove() in the normalcircumstance. However, in a code injection attack, the samebehavior is triggered with a function call contactSearch()→ contactRemove(), which is not available in the originalprogram behavior. These two different behaviors are shown inFigure 3.
The above example demonstrates that function-activationinformation (e.g., call graph and triggering event) helps dis-tinguishing anomalous behaviors from benign ones in hybridapps.
IV. DESIGN
In this section, we describe the design of our approach.We first introduce the overall architecture of our solution, andthe technique to extract function-activation information andsystem events. Finally, we present our key algorithms.
3
function contactSearch() { //Read contact listvar options = new ContactFindOptions();options.filter = "";options.multiple = true;var fields = ["*"];navigator.contacts.find(fields,
function (contacts) { //Display contact itemswith check boxes
var ul = document.getElementById("ul");for (var i = 0; i < contacts.length; i ++) {
var contactinfo = document.createElement("p");
var checkboxInput = document.createElement("input");
checkboxInput.type = "checkbox";contactinfo.appendChild(checkboxInput);var li = document.createElement("li");contactinfo.innerHTML += contacts[i].
function contactRemove() {var options = new ContactFindOptions();options.filter = ’’;options.multiple = true;var fields = [’*’];navigator.contacts.find(fields,
function remove(contacts) {var ul = document.getElementById("ul");for (var i = 0; i < ul.getElementsByTagName("
li").length; i ++) {var li = ul.getElementsByTagName("li")[i];
//Remove the selected itemsif(li.getElementsByTagName("input")[0].
checked) {contacts[i].remove(function () {},
function () {});}
}}, function () {}, options
);}
Fig. 2: The source code of GroupMessageSender
A. Architecture
The architecture of our system is illustrated in Figure 4.It consists of the following modules: Dynamic Rewriter,Event Extractor, Behavior Model Generator, Behavior ModelDatabase, and Anomalous Behavior Detector.
The dynamic rewriter is a run-time module inside theJavaScript engine. To get the function-activation information,such as function name, file path and function’s line number,it intercepts the JavaScript code before the code is receivedby the JS engine, instruments the code, and passes the instru-mented code to the JS engine. During the execution of the app,the instrumented code intercepts important function-activationinformation, which will then be used to build behavior modelfor the app. This is achieved through interaction with theevent extractor, which is a run-time module of the JS engine.It extracts system interactions made by a Hybrid app. Forexample, when the app makes a PhoneGap API call or its
Button click event
contactRemove()
navigator.
contacts.find()
callevent return
event
Contacts[i]
.remove()
calleventreturn
event
Button click event
contactSearch()
callevent
contactRemove()
navigator.
contacts.find()
callevent return
event
Contacts[i]
.remove()
returnevent
callevent
a) Normal behavior of GroupMessageSender
b) Behavior of GroupMessageSender with code injected
Fig. 3: Comparison of normal behaviors and malicious behav-iors
HostOperatingSystem
JavaScriptBridges
UI
JavaScriptApplications
JavaScriptEngine
DynamicRewriter
EventExtractor
BehaviorModelGenerator
AnomalousBehaviorDetector
BehaviorModel
Database
Fig. 4: Architecture of our approach.
button is clicked, these events will be intercepted and reportedfor building the behavior model.
Using events and function-level information extracted bythe previous two components, the behavior model generatorbuilds the behavior model of the app. Security analysts canrun the app in a normal environment to obtain its originalbehavior model. After traversing the app and triggering asmany behaviors as possible using a test suite, the output fromthe behavior model generator will be treated as the app’soriginal behavior model and stored in the behavior modeldatabase.
The anomalous behavior detector module matches the appbehaviors against its original behavior model stored in thedatabase. If the app’s behaviors do not fit into the originalmodel, it will be treated as anomalous.
B. Function Behavior Model
We define a function behavior model for hybrid mobileapps.
Definition (Function behavior model). The model proposedfor hybrid apps is based on a state machine (S, Σ, s0, δ, F),where:
– S is a finite, non-empty set of states. For any state s =(s.id, s.attr) ∈ S, s.id represents the state identifier;s.attr represents the state attribute.
– Σ is a set of inputs. An input σ ∈ Σ describes an eventthat triggers a state transition, where φ ∈ Σ means anempty input.
– s0 ∈ S is the initial state.
4
– δ : S × Σ → S is the state transition function. For twostates sa, sb∈ S and σ ∈ Σ, sb = δ(sa, σ) represents thestate transition from sa to sb triggered by the input σ.
– F is the set of final states, and F ⊂ S.
Fig. 5: The function behavior model for GroupMessageSender.Figure 5 is an example model of the motivating
example. The state set of the app is represented as S ={initial state, searchContact, removeContact,addContact, sendSMS, exec@Contacts@search,exec@Contacts@remove, exec@Contacts@save,exec@MessagePlugin@send} (For brevity, only s.idsare listed, and s.attrs are elaborated soon.).
There are two kinds of states in S: searchContact,removeContact, addContact and sendSMS arecorresponding to internal JavaScript functions andexec@Contact@search, exec@Contact@remove,exec@Contact@add and exec@MessagePlugin@send
are corresponding to calls to APIs, which are the system-levelbehaviors. As shown in Figure 5, s.id of the functionstate addContact is the function name “addContact”,s.attr of addContact is (func.html, 34), which means“addContact” is defined in the file “func.html” at the linenumber 34.
The set of trigger events is represented as Σ = {“click onbutton at func.html lineno:116”, “click on button at func.htmllineno:117”, “click on button at func.html lineno:118”, “clickon button at func.html lineno:121”, “func return”, φ}.
“s0” is “initial state” that we set for every app as the startpoint in state transition.
The arrowed line between two states represents a statetransition. The trigger event of this transition is marked besidethe arrowed line. As shown in Figure 5, for example, thetransition from initial state to state searchContact
is triggered by the event of “click on button at func.htmllineno:116”. According to the above definition, this transitioncan be recorded as: searchContact = δ(initial state,“click on button at func.html lineno:116”). As another exam-ple, to achieve the normal behavior “remove contact” (labeledas exec@Contacts@remove), this app has one state transitionfrom initial state to removeContact, which is triggeredby an event “click on button at func.html lineno:117”.
In contrast, the injected malicious scripts directly callthe function to trigger the “remove contact” behavior. Thisbehavior can be detected by the behavior model. In themodel, behavior “remove contact”(exec@Contacts@remove)is achieved by the state transition initial state →searchContact→ removeContact with two trigger events“click on button at func.html lineno:116” and “HTMLIm-ageElement.onerror at func.html lineno:2”. The state transition
in this attack is invalid. This is how we can use functionactivation information to effectively detect the code injectionattacks in JavaScript applications.
C. Extraction of Function-activation Information and SystemEvents
To completely model hybrid apps’ behaviors, we need tointercept both function activation within the JavaScript engine,and the interaction between the JavaScript engine and itsexternal environment.
To extract function-activation information, we instrumentthe JavaScript code before it is processed by the JavaScriptengine. The instrumented JavaScript code needs to maintaina virtual stack and reports the caller-callee relationship forbuilding behavior models. Specifically, at the beginning ofeach function, the instrumented code will report the event ofentering a function; at the end of each function, the instru-mented code will report the event of exiting of the function.We will elaborate the implementation choice in Section V.
To extract system events, we monitor the activation ofinterface APIs in the bridge component. For example, callsto PhoneGap APIs, network requests, or UI events, will bereported by the event extractor. The reported function activa-tion events and system information will be used in buildingbehavior models and detecting malicious behaviors.
D. Behavior Model Generation
The Behavior Model Generation algorithm creates thebehavior model from events extracted from the JavaScriptenvironment. It takes as input a list of events (Event-list).It first creates an initial state s0, where the identifierof s0, s0.id = InitialState, and the attribute of s0,s0.attr = (null, null). Then the algorithm traverses theEvent-list. If it finds a newly invoking event e ∈Event-list (in our implementation described in V, suchevents are marked as “func into”), it creates a new statesi, where si.id = 〈functionname〉, and si.attr =(〈hostfile〉, 〈linenumber〉). It also creates a state transitionfunction si = δ(si−1, σi), where σi = 〈trigger event〉. If thealgorithm gets a return event e ∈ Event-list (marked as“func out” in our implementation), then it creates a state transi-tion function si = δ(si−1, σi), where σi = function return.If the algorithm finds a behavior event e ∈ Event-list(marked as “behavior”), it creates a new state si, where si.id =〈behavior information〉, and si.attr = (null, null). Italso creates a state transition function si = δ(si, σi), whereσi = null. If the event belongs to none of above categories, thealgorithm ignores this event and moves the next event in theEvent-list. After the algorithm is done with the traverse ofEven-list, a complete state-machine based behavior modelof the hybrid application will be generated.
The behavior-model-creation algorithm we use in our ap-proach is summarized in Algorithm 1.
E. Anomalous Behavior Detection.
After generating the behavior model of an app, we use anAnomalous Behavior Detection algorithm to detect whether
5
Algorithm 1: Behavior Model GenerationData: A list of events: Event-listResult: Behavior model
1 create initial state s0, where s0.id = InitialState, ands0.attr = (null, null).
2 while not at end of Event-list do3 get new event e ∈Event-list;4 if event is marked as “func into” then5 create state si, where si.id = 〈functionname〉, and
si.attr = (〈hostfile〉, 〈linenumber〉);6 create state transition function si = δ(si−1, σi), where
σi = 〈trigger event〉;7 else8 if event is marked as “func out” then9 create state transition function si = δ(si−1, σi), where
σi = function return;10 else11 if event is marked as “behavior” then12 create new state si, where
13 create state transition function si = δ(si, σi),where σi = null;
14 else15 ignore event;
its run-time behavior complies with the behavior model. Ouralgorithm takes as inputs the behavior model of an app and thesequence of events to be checked. Given the original behaviormodel M = (S,Σ, δ, s0, F ) and the behavior sequence to bechecked Σ′, the algorithm traverses the state of M , driven byevents in Σ′. If an event σ′i in Σ′ does not lead M to a correctstate, our algorithm outputs the captured abnormal state.
The detection algorithm we use in our approach is summa-rized in Algorithm 2.
Algorithm 2: Anomalous Behavior DetectionData: Original behavior model and test behaviorResult: Abnormal behavior detection result
1 given original behavior model M and testing behavior Σ′, let thenumber of states in M , ||S|| = n and the number of events ||Σ′|| = e′.
2 Stack.init()3 let the current state s← s04 foreach σ′i ∈ Σ′ in temporal sequence, 0 ≤ i ≤ e′ do5 if (σ′i is a function enter event or σ′i is a UI event) and ∃ state st
s.t. st = δ(s, σ′i) then6 Stack.push(s)7 s← st
8 else if σ′i is a function exit event then9 s← Stack.pop()
10 else11 report abnormal state.
12 i← i+ 1
V. IMPLEMENTATION
We have implemented our solution targeting hybrid Androidapplications which use PhoneGap as the bridge.
A. Intercepting Function Activation
We leverage the mechanism of the exception handling in V8to extract function-activation information. For every exception,
V8 records the function information, i.e., function name, filepath and line number, where the exception is thrown. Weintercept and rewrite the JavaScript code of the apps, suchthat it throws an exception in every function. In this way, weget the function call stack during the execution of the rewrittencode. The call stack will then be used as the context of apps’behaviors. We used two third-party software to assist rewritingJavaScript code, JXcore [55] and AST-query [56]. JXcore is aJavaScript runtime environment which enables AST-query torun. AST-query reads JavaScript code and rewrites it accordingto our instructions.
Specifically, for every JavaScript function of a given app, thedynamic rewriter inserts code to get the JavaScript call stackat the beginning of the function and log the entering eventof the function, and appends the code to log the exit eventat the end of the function. The call stack contains functionname (which is used as the state identifier), file path and linenumber (which is used as the state attribute). It also containsthe function’s caller (which is the trigger of state transition).
In the source code of Android, the function evaluate()(which is in the source file WebCore/bindings/v8/V8Proxy.cpp)is where WebView starts to execute JavaScript code. Wemodify this function to intercept and rewrite JavaScript codebefore passing the instrumented code to V8.
B. Extracting System Events
The event extractor monitors and records the APIs invokedby the app. In the WebKit component of the Android system,we instrument hooks to extract the function information.More specifically, for the app’s local behaviors triggeredby calling certain PhoneGap APIs, we modify the functionnpObjectInvokeImpl() in the source file WebCore/bind-ing/v8/V8NPObject.cpp to extract the API calls made byPhoneGap, as well as the corresponding system resourcesthat the app requests. For the app’s network behaviors, wemodify the function createRequest() in the source fileWebCore/xml/XMLHttpRequest.cpp where the XML HTTPrequests are generated, to extract the information about Ajaxrequests.
VI. EVALUATION
In this section, we evaluate the effectiveness and perfor-mance of our solution.
A. Effectiveness
In order to evaluate the effectiveness of our solution, wedeploy our approach to model the behaviors of real-worldpopular hybrid Android apps, and demonstrate its capabilitiesin anomalous behavior detection with simulated code injectionattacks on those apps. We present two case studies showinghow injected behaviors are detected.
1) Case Study I: RewardingYourself: RewardingYour-self [57] is a hybrid app that tracks millage points of theloyalty program of users. The original behavior model for Re-wardingYourself is shown in Figure 6, where nodes are statesrepresented by related information of JavaScript functions in
6
Fig. 6: The RewardingYourself application and its originalbehavior model.
var pos = ’longitude:’ + position.coords.longitude + ’;latitude:’ +
position.coords.latitude;xmlhttp = new XMLHttpRequest(); //Send the
position to remote serverxmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState==4 && xmlhttp.status==200) {
alert(’send message: ’ + pos);}
};xmlhttp.open(’GET’, ’http://192.168.0.106/info
.php?pos=’ + pos, true);xmlhttp.send();
}, function () {}, options);
">
Fig. 7: A snippet of malicious code which pops up locationinformation
the app, and the arrow from a state to another denotes thetransition between these two states. Our system also marksthe arrow with trigger which causes the state transition.
We use a malicious QR code, which embeds themalicious code shown in Figure 7. The attack willcause an alert box to be popped out with the locationinformation, shown in Figure 8. Under the contextinitial state, the attack causes new states suchas exec@geolocation@getCurrentPosition andexec@HTTPRequest@Get@http://192.168.0.106/info.php?msg=Longitude,116.372048.Latitude,39.892778.@true that deviates from thebehavior model. Our approach detects it and raises an alarmto prevent the behavior from being executed.
2) Case Study II: PhoneGapMega: PhoneGapMega [58]demonstrates features of PhoneGap APIs, which containsexamples of using almost all APIs of PhoneGap. A fragmentof the behavior model of PhoneGapMega is shown in Figure 9.
PhoneGapMega has the same type of vulnerabilities thatallows malicious code injection. Malicious JavaScript (shownin Figure 10) injected into a contact’s name can be executedin the app. When the app reads the malicious contact item, theinjected code will be executed. The result of the execution will
Fig. 8: The result of code injection attack to RewardingYour-self and the resulting functional call behaviors.
Fig. 9: The PhoneGapMega application and a fragment of theoriginal behavior model of PhoneGapMega.
read the whole contact list of the victim user and send themto a specific remote server. Shown in Figure 11, the attackhas new states that do not exist in the normal model, whichtriggers the alert of our detection.
B. Performance Evaluation
We build a test app that has the functionality of manipulatingcontacts and sending SMS. Instead of manually clicking onbuttons to trigger these functionalities, this test app automati-cally finishes the following two tasks:
1) loading app’s web page, while the dynamic rewriterrewrites the JavaScript code, and
2) adding a new contact, removing this newly added con-tact, searching the contact list, and sending SMS to thefirst contact member in the list, while the event extractorextracts the information about invoking correspondingPhoneGap APIs.
We run this app in two scenarios: one with pristine Androidsystem, another with our approach, and measure the timeit takes from when the app starts to when the above tasksfinishes. We repeat task 2) ten times to increase the timedifference between these two scenarios, and make the timemeasurement more accurate.
Table I illustrates the evaluation result, in which the webpage loading time is increased. However, since web pagesare often loaded once in the beginning of running an app,this amount of time increase is acceptable. In addition, thetime taken to invoke the PhoneGap APIs is increased slightly,which might not be noticed by the users at all. Above all,the performance overhead introduced by our approach isreasonable.
7
TABLE I: Performance Evaluation (in seconds).
Scenario No. Task 1 Time Task 2 Time Total TimeWeb Page Load PhoneGap API invoke
contact list to remote serverxmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
alert(xmlhttp.responseText);}
}xmlhttp.open(’GET’, ’http://192.168.0.106/info
.php?msg=’ + msg, true);xmlhttp.send();
}, function() {}, options);
"/>
Fig. 10: A snippet of malicious code which steals contacts
Fig. 11: The result of code injection attack to PhoneGapMegaand the corresponding function call behaviors.
C. Discussion of Limitation
The detection in our approach is based on function callrelationship and triggering events. Despite the effectivenessshown by the case studies, it is possible for attackers toinject the code and active it under the same condition as in
the original app. In such cases, our approach may miss theinjection within a target function. We take as future work todesign finer-grained behavior model to capture those low-levelinjection behaviors.
VII. CONCLUSION
Using JavaScript-based technologies to build mobile appsis a popular technique in the web and social network infras-tructure. However, the flexibility of the JavaScript languageintroduces new security challenges in these platforms. In thispaper, we propose to detect malicious JavaScript behaviorsin JavaScript applications. The behavior model captures anapplication’s behaviors as well as their function level executioninformation. Our prototype detection system can automaticallybuild the behavior models for hybrid apps to detect anomalousbehaviors. We demonstrate its effectiveness of anomalousbehaviors detection with case studies on real-world hybridapps. As a future work, we will investigate how our solutionscan be adopted by JavaScript applications in other domains,such as server-side applications and IoT solutions.Acknowledgment. This work was supported in part by the Na-tional Natural Science Foundation of China (No. 61402029),the National Natural Science Foundation of China (No.61370190), the National Natural Science Foundation of China(No. 61379002) and the Singapore Ministry of Educationunder National University of Singapore (NUS) Grant R-252-000-666-114, the Funding Project of Shanghai Key Laboratoryof Integrated Administration Technologies for InformationSecurity (no. AGK201708).
REFERENCES
[1] Z. Cai, Z. He, X. Guan, and Y. Li, “Collective data-sanitization forpreventing sensitive information inference attacks in social networks,”IEEE Transactions on Dependable and Secure Computing, pp. 1–9,2017.
[2] “Cross-site scripting (xss),” https://www.owasp.org/index.php/Cross-site Scripting (XSS), December 2015.
[3] X. Jin, T. Luo, D. G. Tsui, and W. Du, “Code injection attacks onhtml5-based mobile apps,” arXiv preprint arXiv:1410.7756, 2014.
[4] A. Castiglione, R. De Prisco, and A. De Santis, Do you trust your phone?Springer, 2009.
[5] A. Armando, A. Merlo, and L. Verderame, “An empirical evaluation ofthe android security framework,” in Security and Privacy Protection inInformation Processing Systems. Springer, 2013, pp. 176–189.
[6] V. Livshits and M. Lam, “Finding security errors in java program withstatic analysis,” in Proc. 14th Usenix Security Symposium, Baltimore,MD, USA, 2005.
8
[7] Y. Xie and A. Aiken, “Static detection of security vulnerabilities inscripting languages.” in USENIX Security, vol. 6, 2006, pp. 179–192.
[8] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis toolfor detecting web application vulnerabilities,” in Security and Privacy,2006 IEEE Symposium on. IEEE, 2006, pp. 6–pp.
[9] P. Bisht and V. Venkatakrishnan, “Xss-guard: precise dynamic preventionof cross-site scripting attacks,” in Detection of Intrusions and Malware,and Vulnerability Assessment. Springer, 2008, pp. 23–43.
[10] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, Au-tomatically hardening web applications using precise tainting. Springer,2005.
[11] T. Pietraszek and C. V. Berghe, “Defending against injection attacksthrough context-sensitive string evaluation,” in Recent Advances inIntrusion Detection. Springer, 2006, pp. 124–145.
[12] R. Sekar, “An efficient black-box technique for defeating web applicationattacks.” in NDSS, 2009.
[13] M. Johns, B. Engelmann, and J. Posegga, “Xssds: Server-side detec-tion of cross-site scripting attacks,” in Computer Security ApplicationsConference, 2008. ACSAC 2008. Annual. IEEE, 2008, pp. 335–344.
[15] M. Van Gundy and H. Chen, “Noncespaces: Using randomizationto enforce information flow tracking and thwart cross-site scriptingattacks.” in NDSS, 2009.
[16] X. Jin, X. Hu, K. Ying, W. Du, H. Yin, and G. N. Peri, “Code injectionattacks on html5-based mobile apps: Characterization, detection andmitigation,” in Proceedings of the 2014 ACM SIGSAC Conference onComputer and Communications Security. ACM, 2014, pp. 66–77.
[17] R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, “A fast automaton-based method for detecting anomalous program behaviors,” in Proceed-ings of the 2001 IEEE Symposium on Security and Privacy (S&P’01),May 2001.
[18] H. H. Feng, O. M. Kolesnikov, P. Fogla, W. Lee, and W. Gong,“Anomaly detection using call stack information,” in Proceedings ofthe 2003 IEEE Symposium on Security and Privacy, ser. SP ’03.Washington, DC, USA: IEEE Computer Society, 2003, pp. 62–.[Online]. Available: http://dl.acm.org/citation.cfm?id=829515.830554
[19] A. Guha, S. Krishnamurthi, and T. Jim, “Using static analysis forajax intrusion detection,” in Proceedings of the 18th InternationalConference on World Wide Web, ser. WWW ’09. New York,NY, USA: ACM, 2009, pp. 561–570. [Online]. Available: http://doi.acm.org/10.1145/1526709.1526785
[20] X. Dong, K. Patil, J. Mao, and Z. Liang, “A comprehensive client-sidebehavior model for diagnosing attacks in ajax applications,” in Engineer-ing of Complex Computer Systems (ICECCS), 2013 18th InternationalConference on, July 2013, pp. 177–187.
[21] “Phonegap official site,” http://phonegap.com/, Januray 2015.[22] M. Georgiev, S. Jana, and V. Shmatikov, “Breaking and fixing origin-
based access control in hybrid web/mobile application frameworks,” inNDSS symposium, vol. 2014. NIH Public Access, 2014, p. 1.
[23] X. Jin, L. Wang, T. Luo, and W. Du, “Fine-grained access control forhtml5-based mobile applications in android,” in Proceedings of the 16thInformation Security Conference (ISC), 2013.
[24] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, “A senseof self for Unix processes,” 1996.
[25] J. Mao, R. Wang, Y. Chen, and Y. Jia, “Detecting injected behaviorsin html5-based android applications,” Journal of High Speed Networks,vol. 22, no. 1, pp. 15–34, 2016.
[26] J. Mao, R. Wang, Y. Chen, Y. Xiao, Y. Jia, and Z. Liang, “A function-level behavior model for anomalous behavior detection in hybrid mobileapplications,” in Proceedings of the 2016 International Conference onIdentification, Information & Knowledge in the Internet of Things, 2016.
[27] “Wiki on the same-origin policy,” https://en.wikipedia.org/wiki/Same-origin policy, January 2015.
[29] G. Wassermann and Z. Su, “Static detection of cross-site scriptingvulnerabilities,” in Software Engineering, 2008. ICSE’08. ACM/IEEE30th International Conference on. IEEE, 2008, pp. 171–180.
[30] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda,C. Kruegel, and G. Vigna, “Saner: Composing static and dynamicanalysis to validate sanitization in web applications,” in Security andPrivacy, 2008. SP 2008. IEEE Symposium on. IEEE, 2008, pp. 387–401.
[31] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, “Noxes: a client-sidesolution for mitigating cross-site scripting attacks,” in Proceedings ofthe 2006 ACM symposium on Applied computing. ACM, 2006, pp.330–337.
[32] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna,“Cross site scripting prevention with dynamic data tainting and staticanalysis.” in NDSS, 2007.
[33] Y. Nadji, P. Saxena, and D. Song, “Document structure integrity: Arobust basis for cross-site scripting defense.” in NDSS, 2009.
[34] M. T. Louw and V. Venkatakrishnan, “Blueprint: Robust preventionof cross-site scripting attacks for existing browsers,” in Security andPrivacy, 2009 30th IEEE Symposium on. IEEE, 2009, pp. 331–346.
[35] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir,“Browsershield: Vulnerability-driven filtering of dynamic html,” ACMTransactions on the Web (TWEB), vol. 1, no. 3, p. 11, 2007.
[36] D. Yu, A. Chander, N. Islam, and I. Serikov, “Javascript instrumentationfor browser security,” in ACM SIGPLAN Notices, vol. 42, no. 1. ACM,2007, pp. 237–249.
[37] “Microsoft web sandbox,” websandbox.livelabs.com/, December 2015.[38] “Google caja,” https://code.google.com/p/google-caja/, December 2015.[39] S. Lekies, B. Stock, and M. Johns, “25 million flows later: large-scale
detection of dom-based xss,” in Proceedings of the 2013 ACM SIGSACconference on Computer & communications security. ACM, 2013, pp.1193–1204.
[40] B. Stock, S. Lekies, T. Mueller, P. Spiegel, and M. Johns, “Precise client-side protection against dom-based cross-site scripting,” in Proceedingsof the 23rd USENIX security symposium, 2014, pp. 655–670.
[41] I. Parameshwaran, E. Budianto, S. Shinde, H. Dang, A. Sadhu, andP. Saxena, “Auto-patching dom-based xss at scale,” Foundations ofSoftware Engineering (FSE), 2015.
[42] ——, “Dexterjs: robust testing platform for dom-based xss vulnerabili-ties,” in Proceedings of the 2015 10th Joint Meeting on Foundations ofSoftware Engineering. ACM, 2015, pp. 946–949.
[43] E. Budianto, Y. Jia, X. Dong, P. Saxena, and Z. Liang, “You cant beme: Enabling trusted paths and user sub-origins in web browsers,” inResearch in Attacks, Intrusions and Defenses. Springer, 2014, pp. 150–171.
[44] X. Dong, Z. Chen, H. Siadati, S. Tople, P. Saxena, and Z. Liang,“Protecting sensitive web content from client-side vulnerabilities withcryptons,” in Proceedings of the 2013 ACM SIGSAC conference onComputer & communications security. ACM, 2013, pp. 1311–1324.
[45] D. Akhawe, F. Li, W. He, P. Saxena, and D. Song, “Data-confined html5applications,” in Computer Security–ESORICS 2013. Springer, 2013,pp. 736–754.
[46] X. Dong, M. Tran, Z. Liang, and X. Jiang, “Adsentry: comprehensive andflexible confinement of javascript-based advertisements,” in Proceedingsof the 27th Annual Computer Security Applications Conference. ACM,2011, pp. 297–306.
[47] Y. Cao, V. Yegneswaran, P. A. Porras, and Y. Chen, “Pathcutter:Severing the self-propagation path of xss javascript worms in socialweb networks.” in NDSS, 2012.
[48] D. Akhawe, P. Saxena, and D. Song, “Privilege separation in html5applications,” in Proceedings of the 21st USENIX conference on Securitysymposium. USENIX Association, 2012, pp. 23–23.
[49] L. Backstrom, C. Dwork, and J. Kleinberg, “Wherefore art thou r3579x?:anonymized social networks, hidden patterns, and structural steganog-raphy,” in Proceedings of the 16th international conference on WorldWide Web. ACM, 2007, pp. 181–190.
[50] E. Zheleva and L. Getoor, “To join or not to join: the illusion ofprivacy in social networks with mixed public and private user profiles,”in Proceedings of the 18th international conference on World wide web.ACM, 2009, pp. 531–540.
[51] M. Balduzzi, C. Platzer, T. Holz, E. Kirda, D. Balzarotti, and C. Kruegel,“Abusing social networks for automated user profiling,” in RecentAdvances in Intrusion Detection. Springer, 2010, pp. 422–441.
[52] A. Chaabane, G. Acs, M. A. Kaafar et al., “You are what you like!information leakage through users interests,” in Proceedings of the 19thAnnual Network & Distributed System Security Symposium (NDSS),2012.
[53] “Rhomobile official site,” http://rhomobile.com/, April 2015.[54] “Appcelerator official site,” http://www.appcelerator.com/, February
2015.[55] “Jxcore,” https://github.com/jxcore/jxcore, December 2015.[56] “Ast-query,” https://github.com/SBoudrias/ast-query, December 2015.[57] “Rewarding yourself,” https://play.google.com/store/apps/details?id=
com.loyaltymatch.rewardingyourself, May 2014.
9
[58] “Phonegap mega,” https://play.google.com/store/apps/details?id=com.camden.phonegapmega, June 2014.
Jian Mao received her B.S. degree and Ph.D. degreefrom Xidian University, Shanxi, China. She is anassistant professor in School of Electronic and In-formation Engineering, Beihang University, Beijing,China. Her research interests include cloud security,web security, and mobile security.
Jingdong Bian received his B.S. degree in Elec-tronic and Information Engineering from Jilin Uni-versity, Jilin, China in 2016 and currently he is amaster student in Electronic and Information En-gineering from Beihang University, Beijing, China.His research interests include web security, mobilesecurity and privacy analysis.
Guangdong Bai received Bachelor and Master de-grees in computing science from Peking University,China in 2008 and 2011. In 2015, he receivedPhD degrees in computing science from NationalUniversity of Singapore (NUS) and worked as apostdoctoral Research Fellow there. He has been afaculty member of Singapore Institute of Technology(SIT) since 2016. His research interests includemobile security, protocol verification, and formalmethods on security.
Ruilong Wang received the B.S. and M.S. degreein Electronic and Information Engineering from Bei-hang University, Beijing, China in 2013 and 2016.His research interests include software security, websecurity, mobile security and program analysis.
Yue Chen received the B.S. and M.S. degree in Elec-tronic and Information Engineering from BeihangUniversity, Beijing, China in 2012 and 2016. Hisresearch interests include web security and mobilesecurity.
Yinhao Xiao is currently a Ph.D candidate at theDepartment of Computer Science of The GeorgeWashington University. He received his bachelordegree in Information and Computing Science fromGuangdong University of Technology in 2012, andmaster degrees in Applied Mathematics and in Com-puter Science from The George Washington Uni-versity in 2014 and 2015, respectively. His researchinterests includes system security and social networkprivacy.
Zhenkai Liang is an Associate Professor in Depart-ment of Computer Science, National University ofSingapore. He received his B.S. degrees from PekingUniversity in 1999 and his Ph.D. degree from StonyBrook University in 2006. His research interestsinclude software security, web security, and mobilesecurity.
