Abstract
Code obfuscation built upon code virtualization technology is one of the viable means for protecting sensitive algorithms and data against code reverse engineering attacks. Code virtualization has been successfully applied to programming languages like C, C++, and Java. However, it remains an outstanding challenge to apply this promising technique to JavaScript, a popular web programming language. This is primarily due to the open visibility of JavaScript code and the expensive runtime overhead associated with code virtualization. This paper presents JSPro , a novel code virtualization system for JavaScript. JSPro is the first JavaScript code obfuscation tool that builds upon the emerging WebAssembly language standard. It is designed to provide more secure code protection but without incurring a significant runtime penalty, explicitly targeting numerical JavaScript kernels. We achieve this by first automatically translating the target JavaScript code into WebAssembly and then performing code obfuscation on the compiled WebAssembly binary. Our design has two advantages over existing solutions: (1) it increases the code reverse entering complexity by implementing code obfuscation at a lower binary level and (2) it significantly reduces the performance impact of code virtualization over the native JavaScript code by using the performance-tuned WebAssembly language. We evaluate JSPro on a set of numerical JavaScript algorithms widely used in many applications. To test the performance, we apply JSPro to four mainstream web browsers running on three distinct mobile devices. Compared to state-of-the-art JavaScript obfuscation tools, JSPro not only provides stronger protection but also reduces the runtime overhead by at least 15% (up to 38.2%) and the code size by 28.2% on average.
Highlights
Unauthorized reverse engineering and modification of code is a major concern for software vendors [1]–[3]
This paper presents JSPro, a novel code virtualization system for JavaScript code
When implementing JSPro, we proposed a set of new methods, analysis and algorithms to overcome the aforementioned challenges for using WebAssembly to protect JavaScript code
Summary
Unauthorized reverse engineering and modification of code is a major concern for software vendors [1]–[3]. Such activities are often associated with malicious behaviors such as cheating, unauthorized use of software, or bypassing security and authentication mechanisms. Code virtualization [6], [7] is emerging as a promising method for implementing code obfuscation. The idea behinds code virtualization is that by forcing the attacker to work on a new, unfamiliar instruction set, one can significantly increase the difficulties of launching code reverse engineering attacks [4]. The main idea of code obfuscation is to convert the source code into a functionally equivalent form, but it is difficult to be understood.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
