DOI: 10.1145/3507657.3528560
short-paper
Open access

A First Look at Code Obfuscation for WebAssembly

Published: 16 May 2022
  • Abstract

    WebAssembly (Wasm) has attracted considerable attention lately as it spreads through the mobile computing domain and becomes the new standard for performance-oriented web development. It has diversified its uses far beyond web applications by acting as an execution environment for mobile agents, containers for IoT devices, and enabling new serverless approaches for edge computing. Not all of Wasm's numerous uses are benign. With the rise of Wasm-based cryptojacking malware, analyzing Wasm applications has become a hot topic in the literature, resulting in numerous Wasm-based cryptojacking detection systems. Many of these methods rely on static analysis, which traditionally can be circumvented through obfuscation. However, the feasibility of obfuscation techniques for Wasm programs has never been investigated thoroughly. In this paper, we address this gap and take a first look at code obfuscation for Wasm. We apply numerous obfuscation techniques to Wasm programs and test their effectiveness in producing a fully obfuscated Wasm program. In particular, we obfuscate both benign Wasm-based web applications and cryptojacking malware instances and feed them into a state-of-the-art Wasm cryptojacking detector to see whether current Wasm analysis methods can be subverted with obfuscation. Our analysis shows that obfuscation can be highly effective and can cause even a state-of-the-art detector to misclassify the obfuscated Wasm samples.

    Published In

    WiSec '22: Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    May 2022
    314 pages
    ISBN: 9781450392167
    DOI: 10.1145/3507657
    General Chair: Murtuza Jadliwala
    Program Chairs: Yongdae Kim, Alexandra Dmitrienko
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. cryptojacking
    2. obfuscation
    3. wasm
    4. webassembly

    Qualifiers

    • Short-paper

    Conference

    WiSec '22

    Acceptance Rates

    Overall Acceptance Rate 98 of 338 submissions, 29%

    Article Metrics

    • Downloads (Last 12 months): 555
    • Downloads (Last 6 weeks): 49

    Cited By

    • (2024) SoK: Analysis Techniques for WebAssembly. Future Internet 16:3 (84). DOI: 10.3390/fi16030084. Online publication date: 29-Feb-2024
    • (2024) A Framework to Quantify the Quality of Source Code Obfuscation. Applied Sciences 14:12 (5056). DOI: 10.3390/app14125056. Online publication date: 10-Jun-2024
    • (2024) (In)Security of File Uploads in Node.js. Proceedings of the ACM on Web Conference 2024 (1573-1584). DOI: 10.1145/3589334.3645342. Online publication date: 13-May-2024
    • (2024) On the Robustness of Image-Based Malware Detection Against Adversarial Attacks. Network Security Empowered by Artificial Intelligence (355-375). DOI: 10.1007/978-3-031-53510-9_13. Online publication date: 24-Feb-2024
    • (2023) An Overview of WebAssembly for IoT: Background, Tools, State-of-the-Art, Challenges, and Future Directions. Future Internet 15:8 (275). DOI: 10.3390/fi15080275. Online publication date: 18-Aug-2023
    • (2023) Obfuscated JavaScript Code Detection using Machine Learning with AST-based Syntactic and Lexical Analysis. 2023 8th International Conference on Smart and Sustainable Technologies (SpliTech) (1-6). DOI: 10.23919/SpliTech58164.2023.10193211. Online publication date: 20-Jun-2023
    • (2023) Characterizing and Detecting WebAssembly Runtime Bugs. ACM Transactions on Software Engineering and Methodology 33:2 (1-29). DOI: 10.1145/3624743. Online publication date: 21-Dec-2023
    • (2023) The Next Evolution of Web Browser Execution Environment Performance. 2023 International Conference on Artificial Intelligence, Big Data, Computing and Data Communication Systems (icABCD) (1-7). DOI: 10.1109/icABCD59051.2023.10220564. Online publication date: 3-Aug-2023
    • (2023) Forensic Analysis of Cryptojacking in Host-Based Docker Containers Using Honeypots. ICC 2023 - IEEE International Conference on Communications (4860-4865). DOI: 10.1109/ICC45041.2023.10278764. Online publication date: 28-May-2023
    • (2023) Energy consumption of on-device machine learning models for IoT intrusion detection. Internet of Things 21 (100670). DOI: 10.1016/j.iot.2022.100670. Online publication date: Apr-2023