
JShadObf: A JavaScript Obfuscator Based on Multi-Objective Optimization Algorithms

  • Conference paper
Network and System Security (NSS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7873)

Abstract

With the advent of the Cloud Computing (CC) paradigm and the explosion of new Web Services proposed over the Internet (such as Google Office Apps, Dropbox or Doodle, to cite just a few), the protection of the programs at the heart of these services becomes more and more crucial, especially for the companies doing business on top of these services. In parallel, the overwhelming majority of modern websites use the JavaScript programming language, as all modern web browsers (whether on desktops, game consoles, tablets or smartphones) include JavaScript interpreters, making it the most ubiquitous programming language in history. Thus, JavaScript is the core technology of most web services. In this context, this article focuses on novel obfuscation techniques to protect JavaScript program contents.

Informally, the goal of obfuscation is to make a program "unintelligible" without altering its functionality, thus preventing reverse-engineering of the program. However, this approach has received little attention from the research community since stand-alone obfuscation for arbitrary programs was proven impossible in 2001. Here we would like to renew this interest with the proposal of JShadObf, an obfuscation framework based on evolutionary heuristics designed to optimize, for a given input JavaScript program, the sequence of transformations that should be applied to the source code to improve its obfuscation capacity. This capacity is measured by a combination of several metrics optimized simultaneously with Multi-Objective Evolutionary Algorithms (MOEAs). Although our approach cannot claim to offer absolute protection, the objective remains to protect the target program for a sufficiently long period of time. The experimental results, obtained first on a pedagogical example and then on jQuery, the most popular and widely used JavaScript library, outperform existing solutions. They demonstrate the validity of the approach and its concrete usage in reference codes used worldwide.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bertholon, B., Varrette, S., Bouvry, P. (2013). JShadObf: A JavaScript Obfuscator Based on Multi-Objective Optimization Algorithms. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_25


  • DOI: https://doi.org/10.1007/978-3-642-38631-2_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38630-5

  • Online ISBN: 978-3-642-38631-2

  • eBook Packages: Computer Science, Computer Science (R0)