A Dynamic Strategy for Anomaly Detection in WebAssembly Binaries
Abstract
WebAssembly is a low-level binary format that serves as a compilation target for high-level languages. With its binary instruction format it offers users on the web more security, and it is supported by over 95% of web browsers. However, the growth in the use of WebAssembly has raised concerns regarding its security and the possibility of malicious use. Because WebAssembly is a low-level instruction format, it is essential to identify the purpose of the code developed for it by extracting its features. The use of WebAssembly for cryptojacking attacks and for obfuscating malicious code is somewhat frequent. In this context, this work presents a strategy for identifying anomalies in WebAssembly binaries through feature extraction and static analysis. The strategy proposed here achieved an F1-score of 99.3%, highlighting its potential.
Published
2023-09-18
How to Cite
HELPA, Calebe; HEINRICH, Tiago; BOTACIN, Marcus; WILL, Newton C.; OBELHEIRO, Rafael R.; MAZIERO, Carlos A. Uma Estratégia Dinâmica para a Detecção de Anomalias em Binários WebAssembly. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 23., 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 390-402.
DOI: https://doi.org/10.5753/sbseg.2023.233112.