MJBlocker: A Lightweight and run-time malicious javascript extensions blocker

Pingjian Wang, Lei Wang, Ji Xiang, Peng Liu, Neng Gao, Jiwu Jing

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations

Abstract

We propose MJBlocker, a lightweight and run-time malicious JavaScript Extensions (JSEs) blocker for preventing them from hurting user security. MJBlocker can identify and block malicious JSEs whenever they are executed. It is motivated by the observation that most attack goals of malicious JSEs are accomplished via invoking Cross-Platform Component Object Model (XPCOM) calls, and the XPCOM call sequences acquired from malicious JSEs have distinct traits that are different from regular ones. We use simple regular expressions to capture these distinct traits. MJBlocker is interposed into Fire fox between JSEs and XPCOMs, and intercepts all XPCOM calls made by JSEs. Whenever a JSE invokes an XPCOM call, the call is appended to its call sequence, and the sequence is checked against several regular-expression-based signatures to identify the suspicious call sequence patterns. If some suspicious patterns are found, an alarm is triggered and the XPCOM call which triggers the alarm is blocked from executing. However, some innocent JSEs may have suspicious call sequence patterns. To avoid false positives, a verifier utilizes several heuristics to filter off suspicious patterns generated by innocent JSEs. We have implemented MJBlocker atop Fire fox. According to our experiments on 10 different malicious JSEs and 260 legitimate ones, MJBlocker causes negligible overhead (no more than 5%) and has zero false negative and very few false positives.

Original languageEnglish (US)
Title of host publicationProceedings - 7th International Conference on Software Security and Reliability, SERE 2013
Pages119-128
Number of pages10
DOIs
StatePublished - 2013
Event7th International Conference on Software Security and Reliability, SERE 2013 - Gaithersburg, MD, United States
Duration: Jun 18 2013Jun 20 2013

Other

Other7th International Conference on Software Security and Reliability, SERE 2013
CountryUnited States
CityGaithersburg, MD
Period6/18/136/20/13

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'MJBlocker: A Lightweight and run-time malicious javascript extensions blocker'. Together they form a unique fingerprint.

  • Cite this

    Wang, P., Wang, L., Xiang, J., Liu, P., Gao, N., & Jing, J. (2013). MJBlocker: A Lightweight and run-time malicious javascript extensions blocker. In Proceedings - 7th International Conference on Software Security and Reliability, SERE 2013 (pp. 119-128). [6571702] https://doi.org/10.1109/SERE.2013.14