This repo contains the tooling and the reproduction of our experiments on Wasm obfuscation.
To cite this work:
@ARTICLE{2022arXiv221208427C,
author = {{Cabrera-Arteaga}, Javier and {Monperrus}, Martin and {Toady}, Tim and {Baudry}, Benoit},
title = "{WebAssembly Diversification for Malware Evasion}",
journal = {arXiv e-prints},
keywords = {Computer Science - Software Engineering},
year = 2022,
month = dec,
eid = {arXiv:2212.08427},
pages = {arXiv:2212.08427},
doi = {10.48550/arXiv.2212.08427},
archivePrefix = {arXiv},
eprint = {2212.08427},
primaryClass = {cs.SE},
adsurl = {https://ui.adsabs.harvard.edu/abs/2022arXiv221208427C},
adsnote = {Provided by the SAO/NASA Astrophysics Data System}
}
- Clone this repo and its submodules:
git clone --recursive
- Install Rust on your computer.
- Set nightly as the default toolchain:
rustup default nightly
- Compile the analyzer tool (the run commands below use the release binary at target/release/evasor, so build with --release):
cd crates/evasor && cargo build --release
- As an alternative, download the Ubuntu release binary and make it executable:
wget -O analyzer https://github.com/Jacarte/obfuscation_wasm/releases/download/0.1.0/evasor_linux_64amd
chmod +x analyzer
The evasor binary performs the evasion against a given oracle, set with the --oracle option. The oracle argument is another executable script or binary that receives a Wasm program as its first argument. The oracle must return exit code 0 if the binary evades; any other exit code is used by evasor as the numeric value of the fitness function. For example, for the VirusTotal oracle the exit code is the number of vendors that still detect the binary, so 0 means every vendor has been bypassed. Note that a process exit status is truncated to the range 0-255, so the fitness value an oracle reports must fit in that range.
- Run the baseline evasion over the MINOS oracle:
RUST_BACKTRACE=1 RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/minos" mutate --seed 0 -s 10 -e --attempts 1000 -p 1 --input <input.wasm> --oracle python3 ../../oracles/minos/minio.py
- Run the baseline evasion over the VirusTotal oracle. This example assumes that our VirusTotal oracle is running on http://127.0.0.1:4000; follow the instructions to deploy our VirusTotal wrapper first:
RUST_BACKTRACE=1 RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/all" mutate --seed 0 --bulk-size 1 -s 10 -e --attempts 1000 -p 1 --input /input.wasm --oracle python3 ../../oracles/vt_custom_chrome/vt_oracle_count.py http://127.0.0.1:4000 vt vt vt123 malware_file_1
- Run the MCMC evasion over VirusTotal (assuming the VirusTotal wrapper of the previous example):
RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/all" mutate --use-reward --seed 0 --beta 0.3 --peek_count 2 -e --attempts 1000 --input /input.wasm --oracle python3 ../../oracles/vt_custom_chrome/vt_oracle_count_reward.py http://127.0.0.1:4000 vt vt vt123 multiple_steps_malware_file
To see the help of the tool, run ./evasor --help
- Run the tests:
cargo test --features <wasm-mutate features>
Our experiments run as an Argo workflow; the main reason is that the evasion pipeline scales horizontally, i.e., one job per malware sample. To fully reproduce our experiments a Kubernetes cluster is needed (minikube is an option for local testing). Once the Kubernetes cluster is set up, run the install script. It creates the services for Argo and the artifact storage in MinIO, so all evasion jobs write their data to the same storage layer, from which you can collect them later.
Once the install script has run, submit each experiment as an Argo job:
argo submit <job.yml>
Check the job scripts if you find inconsistencies with the Docker images they use.