JavaScript code protection method based on temporal diversity

doi:10.11772/j.issn.1001-9081.2015.01.0072

Journal of Computer Applications ›› 2015, Vol. 35 ›› Issue (1): 72-76.DOI: 10.11772/j.issn.1001-9081.2015.01.0072

Previous Articles Next Articles

JavaScript code protection method based on temporal diversity

FANG Dingyi^1,2, DANG Shufan^1,2, WANG Huaijun^1,2, DONG Hao^1,2, ZHANG Fan^2,3

1. School of Information Science and Technology, Northwest University, Xi'an Shaanxi 710127, China;
2. NWU-Irdeto Internet of Things and Infomation Security Joint Laboratory (Northwest University), Xi'an Shaanxi 710127, China;
3. Irdeto Access Technology (Beijing) Company Limited, Beijing 100125, China

Received:2014-07-25 Revised:2014-09-26 Online:2015-01-01 Published:2015-01-26

具有时间多样性的JavaScript代码保护方法

房鼎益^1,2, 党舒凡^1,2, 王怀军^1,2, 董浩^1,2, 张凡^2,3

1. 西北大学信息科学与技术学院, 西安710127;
2. 西北大学-爱迪德物联网信息安全联合实验室(西北大学), 西安710127;
3. 爱迪德技术(北京)有限公司, 北京100125

通讯作者: 党舒凡
作者简介:房鼎益(1959-),男,陕西汉中人,教授,博士,主要研究方向:网络与信息安全、软件安全与保护、无线传感器网络;党舒凡(1990-),女,陕西咸阳人,硕士研究生,主要研究方向:软件安全与保护、软件攻击;王怀军(1981-),男,山东滕州人,博士,主要研究方向:软件安全与保护、软件攻击及软件保护有效性评测;董浩(1989-),男,陕西西安人,硕士研究生,主要研究方向:软件安全与保护、软件攻击;张凡(1973-),男,陕西西安人,博士,主要研究方向:软件安全、数字内容保护.
基金资助:
国家自然科学基金资助项目(61202393);国家科技支撑计划项目(2013BAK01B02);陕西省教育厅产业化培育项目(2013JC07);陕西省自然科学基础研究计划项目(2012JQ8049).

Abstract

Abstract:

Web applications are under the threat from malicious host problem just as native applications. How to ensure the core algorithm or main business process's security of Web applications in browser-side has become a serious problem needed to be solved. For the problem of low effectiveness to resist dynamic analysis and cumulative attack in present JavaScript code protection methods, a JavaScript code Protection based on Temporal Diversity (TDJSP) method was proposed. In order to resist cumulative attack, the method firstly made the JavaScript program obtain the diverse ability in runtime by building program's diversity set and obfuscating its branch space. And then, it detected features of abnormal execution environments such as debuggers and emulations to improve the difficulty of dynamic analysis. The theoretical analyses and experimental results show that the method improves the ability of JavaScript program against the converse analysis. And the space growth rate is 3.1 (superior to JScrambler3) while the delay time is in millisecond level. Hence, the proposed method can protect Web applications effectively without much overhead.

Key words: Web application, JavaScript code protection, cumulative attack, temporal diversity, code obfuscation

摘要：

Web应用同本地应用一样面临恶意主机威胁.如何确保暴露于用户主机中的Web应用核心算法或关键业务流程等重要信息的安全成为亟待解决的问题.针对现有JavaScript代码保护方法难以抵御动态分析且抗累积攻击效果差的问题,提出了一种具有时间多样性的JavaScript代码保护(TDJSP)方法.首先,通过程序多样化处理和路径空间模糊化,使JavaScript程序在执行时具有多样性效果,以有效抵御累积攻击;其次,检测调试器、模拟器等非正常执行环境的特征,并根据检测结果进行响应,增加攻击者进行动态分析的难度.理论分析和实验结果表明,JavaScript程序的抗逆向分析能力得到了提高,同时,其空间增长率约为3.1(优于JScrambler3),时间延迟为毫秒级.因此,该方法能够在不影响程序性能的前提下提升Web应用的安全性.

关键词: Web应用, JavaScript代码保护, 累积攻击, 时间多样性, 代码混淆

CLC Number:

TP309
TP311

FANG Dingyi, DANG Shufan, WANG Huaijun, DONG Hao, ZHANG Fan. JavaScript code protection method based on temporal diversity[J]. Journal of Computer Applications, 2015, 35(1): 72-76.

房鼎益, 党舒凡, 王怀军, 董浩, 张凡. 具有时间多样性的JavaScript代码保护方法[J]. 计算机应用, 2015, 35(1): 72-76.

References

[1] FELMETSGER V, CAVEDON L, KRUEGEL C, et al. Toward automated detection of logic vulnerabilities in Web applications [C]// Proceedings of the 19th USENIX Security Symposium. Berkeley: USENIX Association, 2010: 143-160.
[2] XU W, ZHANG F, ZHU S. JStill: mostly static detection of obfuscated malicious JavaScript code [C]// Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. New York: ACM, 2013: 117-128.
[3] XU W, ZHANG F, ZHU S. The power of obfuscation techniques in malicious JavaScript code: a measurement study [C]// Proceedings of the 7th International Conference on Malicious and Unwanted Software. Piscataway: IEEE, 2012:9-16.
[4] COHEN F B. Operating system protection through program evolution [J]. Computers & Security, 1993, 12(6): 565-584.
[5] CHEN P-Y, KATARIA G, KRISHNAN R. Software diversity for information security [EB/OL]. [2014-06-06]. http://infosecon.net/workshop/pdf/47.pdf.
[6] XIN Z. Study on program diversity for software security [D]. Nanjing: Nanjing University, 2013.(辛知.程序多样性技术研究[D].南京:南京大学,2013.)
[7] COLLBERG C, NAGRA J. Surreptitious software: obfuscation, watermarking, and tamperproofing for software protection [M]. Boston: Addison-Wesley, 2009: 203-209.
[8] COLLBERG C, MARTIN S, MYERS J, et al. Distributed application tamper detection via continuous software updates [C]// Proceedings of the 28th Annual Computer Security Applications Conference. New York: ACM, 2012: 319-328.
[9] BERTHOLON B, VARRETTE S, BOUVRY P. JShadObf: a JavaScript obfuscator based on multi-objective optimization algorithms [M]. Berlin: Springer, 2013: 336-349.
[10] COLLBERG C. The case for dynamic digital asset protection techniques [EB/OL]. [2014-06-15]. http://www.irdeto-prod.com/documents/AC_Dynamic_vs_Static_Security_Prof_Collberg.pdf.
[11] COLLBERG C, DAVIDSON J W, GIACOBAZZI R, et al. Toward digital asset protection [J]. IEEE Intelligent Systems, 2011, 26(6): 8-13.
[12] ANCKAERT. Diversity for software protection [D]. Ghent:Ghent University, 2008.
[13] O'DONNELL A J, SETHU H. Software diversity as a defense against viral propagation: models and simulations [C]// Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation. Washington, DC: IEEE Computer Society, 2005: 247-253.
[14] COLLBERG C, THOMBORSON C, LOW D. A taxonomy of obfuscating transformations [R]. Auckland: University of Auckland, 1997.

[1]	WANG Shuyan, ZHENG Jiani, SUN Jiaze. Test case generation method for Web applications based on page object [J]. Journal of Computer Applications, 2020, 40(1): 212-217.
[2]	SUN Tianqi, HU Jianpeng, HUANG Juan, FAN Ying. Bandwidth resource prediction and management of Web applications hosted on cloud [J]. Journal of Computer Applications, 2020, 40(1): 181-187.
[3]	WANG Yan, HUANG Zhangjin, GU Naijie. Obfuscating algorithm based on congruence equation and improved flat control flow [J]. Journal of Computer Applications, 2017, 37(6): 1803-1807.
[4]	LIU Xiaoqiang, XIE Xiaomeng, DU Ming, CHANG Shan, CAI Lizhi, LIU Zhenyu. Automated parallel software test case generation for cloud testing [J]. Journal of Computer Applications, 2015, 35(4): 1159-1163.
[5]	JIANG Zifeng ZENG Guangyu WANG Wei GAO Hongbo. Research on implementation mechanism and detection technique of BIOS trapdoor [J]. Journal of Computer Applications, 2013, 33(02): 455-459.
[6]	QIN Zhiguang SONG Xu GENG Ji CHEN Wei. Markov-based survivability model for Web applications [J]. Journal of Computer Applications, 2013, 33(02): 400-403.
[7]	WENG Lei-lei CAI Wan-dongCAI YAO Ye. Research on pressor strategy of Web application system load testing [J]. Journal of Computer Applications, 2012, 32(10): 2973-2976.
[8]	Bin-wu HUI Ming-rui CHEN Deng-pan YANG. Research and application of performance test on Web application system [J]. Journal of Computer Applications, 2011, 31(07): 1769-1772.
[9]	. Approach to activity diagram model driven testing for Web applications [J]. Journal of Computer Applications, 2010, 30(9): 2365-2369.
[10]	. Functional testing method for Web applications based on TTCN-3 [J]. Journal of Computer Applications, 2010, 30(8): 2185-2188.
[11]	He-Gang Fu Lu Yan-Jun Gang Zeng. Web application test model based on action [J]. Journal of Computer Applications, 2009, 29(3): 695-699.
[12]	TANG Di-Bin Jin-Lin WANG Hong NI. Dynamic data storage scheme in CDN - UbDP [J]. Journal of Computer Applications, 2008, 28(8): 1991-1993.
[13]	Xun-Mei GU Hui-Qun YU. Improvement of full function point for Web-based applications [J]. Journal of Computer Applications, 2008, 28(12): 3098-3101.
[14]	Sheng Zhang Xiao-ling Bao. Comparison of XML compression techniques [J]. Journal of Computer Applications, 2008, 28(10): 2537-2540.
[15]	GuoDong Huang . Web application development approach supporting multi-target-frameworks [J]. Journal of Computer Applications, 2007, (12): 3092-3094.

JavaScript code protection method based on temporal diversity

具有时间多样性的JavaScript代码保护方法

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics