Detecting Malicious JavaScript Code in Mozilla

Abstract

The JavaScript language is used to enhance the client-side display of web pages. JavaScript code is downloaded into browsers and executed on-the-fly by an embedded interpreter. Browsers provide sand-boxing mechanisms to prevent JavaScript code from compromising the security of the client's environment, but, unfortunately, a number of attacks exist that can be used to steal users' credentials (e.g., cross-site scripting attacks) and lure users into providing sensitive information to unauthorized parties (e.g., phishing attacks). We propose an approach to solve this problem that is based on monitoring JavaScript code execution and comparing the execution to high-level policies, to detect malicious code behavior. To achieve this goal it is necessary to provide a mechanism to audit the execution of JavaScript code. This is a difficult task, because of the close integration of JavaScript with complex browser applications, such as Mozilla. This paper presents the first existing implementation of an auditing system for JavaScript interpreters and discusses the pitfalls and lessons learned in developing the auditing mechanism.