Cryptic Bytes: WebAssembly Obfuscation for Evading Cryptojacking Detection (2403.15197v1)

Published 22 Mar 2024 in cs.CR

Abstract: WebAssembly has gained significant traction as a high-performance, secure, and portable compilation target for the Web and beyond. However, its growing adoption has also introduced new security challenges. One such threat is cryptojacking, where websites mine cryptocurrencies on visitors' devices without their knowledge or consent, often through the use of WebAssembly. While detection methods have been proposed, research on circumventing them remains limited. In this paper, we present the most comprehensive evaluation of code obfuscation techniques for WebAssembly to date, assessing their effectiveness, detectability, and overhead across multiple abstraction levels. We obfuscate a diverse set of applications, including utilities, games, and crypto miners, using state-of-the-art obfuscation tools like Tigress and wasm-mutate, as well as our novel tool, emcc-obf. Our findings suggest that obfuscation can effectively produce dissimilar WebAssembly binaries, with Tigress proving most effective, followed by emcc-obf and wasm-mutate. The impact on the resulting native code is also significant, although the V8 engine's TurboFan optimizer can reduce native code size by 30% on average. Notably, we find that obfuscation can successfully evade state-of-the-art cryptojacking detectors. Although obfuscation can introduce substantial performance overheads, we demonstrate how obfuscation can be used for evading detection with minimal overhead in real-world scenarios by strategically applying transformations. These insights are valuable for researchers, providing a foundation for developing more robust detection methods. Additionally, we make our dataset of over 20,000 obfuscated WebAssembly binaries and the emcc-obf tool publicly available to stimulate further research.

Authors (2)
  1. Håkon Harnes (2 papers)
  2. Donn Morrison (7 papers)
