
Malware evasion for WebAssembly with wasm-mutate


Obfuscation analysis for Wasm


This repo contains the tooling and the reproduction of our experiments on Wasm obfuscation.

To cite this work:

@ARTICLE{2022arXiv221208427C,
       author = {{Cabrera-Arteaga}, Javier and {Monperrus}, Martin and {Toady}, Tim and {Baudry}, Benoit},
        title = "{WebAssembly Diversification for Malware Evasion}",
      journal = {arXiv e-prints},
     keywords = {Computer Science - Software Engineering},
         year = 2022,
        month = dec,
          eid = {arXiv:2212.08427},
        pages = {arXiv:2212.08427},
          doi = {10.48550/arXiv.2212.08427},
archivePrefix = {arXiv},
       eprint = {2212.08427},
 primaryClass = {cs.SE},
       adsurl = {https://ui.adsabs.harvard.edu/abs/2022arXiv221208427C},
      adsnote = {Provided by the SAO/NASA Astrophysics Data System}
}

Setup & requirements

  • Clone this repo and its submodules: git clone --recursive

  • Install Rust on your computer

    • Set nightly as the default toolchain: rustup default nightly
    • Compile the analyzer tool: cd crates/evasor && cargo build
  • As an alternative, you can download the Ubuntu release binary: wget -O analyzer https://github.com/Jacarte/obfuscation_wasm/releases/download/0.1.0/evasor_linux_64amd

Evasor

The evasor binary performs the evasion of the oracle passed to it. The oracle is set with the --oracle option. The oracle argument should be another executable script or binary that receives a Wasm program as its first argument. The oracle should return exit code 0 if the binary evades; otherwise, the evasor uses the exit code as the numeric value returned by the fitness function. For example, to perform the evasion of VirusTotal, the exit code of the script is the number of bypassed vendors.
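A check of this exit-code contract, as an added example (not code from this repo): on POSIX only the low 8 bits of an exit status survive, so an oracle that exits with a score of 256 is read as 0. The names to_exit_status, read_oracle and stub_oracle are hypothetical, and the stub oracle is a constructed one-line Python process.

```python
import subprocess
import sys

MAX_STATUS = 255  # POSIX exit statuses keep only the low 8 bits


def to_exit_status(score: int) -> int:
    """Clamp a non-negative oracle score so it cannot wrap around to 0."""
    if score < 0:
        raise ValueError("score must be non-negative")
    return min(score, MAX_STATUS)


def read_oracle(oracle_cmd, wasm_path, timeout=60):
    """Run an oracle the way the contract describes: Wasm path as first argument.

    Returns (evaded, fitness): exit code 0 means evaded, anything else is
    the numeric fitness value.
    """
    proc = subprocess.run([*oracle_cmd, wasm_path],
                          capture_output=True, timeout=timeout)
    if proc.returncode < 0:
        # A negative return code means the process died from a signal,
        # which is not a score and must not be treated as one.
        raise RuntimeError(f"oracle killed by signal {-proc.returncode}")
    return proc.returncode == 0, proc.returncode


def stub_oracle(score: int, clamp: bool):
    """Constructed stand-in oracle: a Python one-liner that exits with `score`."""
    code = to_exit_status(score) if clamp else score
    return [sys.executable, "-c", f"import sys; sys.exit({code})"]


if __name__ == "__main__":
    # "sample.wasm" is a placeholder path; the stub never opens it.
    for score, clamp in [(3, True), (256, False), (256, True)]:
        evaded, fitness = read_oracle(stub_oracle(score, clamp), "sample.wasm")
        print(f"score={score} clamp={clamp} -> evaded={evaded} fitness={fitness}")
```
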

Examples

  • Run the baseline evasion over the MINOS oracle:
    RUST_BACKTRACE=1 RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/minos" mutate --seed 0 -s 10 -e --attempts 1000 -p 1 --input <input.wasm> --oracle python3 ../../oracles/minos/minio.py

  • Run the baseline evasion over the VirusTotal oracle. This example assumes that our VirusTotal oracle is running on http://127.0.0.1:4000. Follow the instructions to deploy our VirusTotal wrapper:
    RUST_BACKTRACE=1 RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/all" mutate --seed 0 --bulk-size 1 -s 10 -e --attempts 1000 -p 1 --input /input.wasm --oracle python3 ../../oracles/vt_custom_chrome/vt_oracle_count.py http://127.0.0.1:4000 vt vt vt123 malware_file_1

  • Run the mcmc evasion over VirusTotal (this assumes the VirusTotal wrapper of the previous example):
    RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/all" mutate --use-reward --seed 0 --beta 0.3 --peek_count 2 -e --attempts 1000 --input /input.wasm --oracle python3 ../../oracles/vt_custom_chrome/vt_oracle_count_reward.py http://127.0.0.1:4000 vt vt vt123 multiple_steps_malware_file

Evasor CLI

To access the help lines of the tool, run ./evasor --help.

Tests

  • Run cargo test --features <wasm-mutate features>

Reproducing our experiments

Our experiments run as an Argo workflow; the main reason is that the evasion pipeline can scale horizontally, i.e., one job per malware. To fully reproduce our experiments, a Kubernetes cluster is needed (minikube is also an option for local testing). Once the Kubernetes cluster is set up, run the install script. This script creates the services for Argo and the artifact storage in MINIO. Thus, all evasion jobs collect data in the same storage layer, and you can retrieve it later.

Once the deploy script has run, submit each experiment as an Argo job: argo submit <job.yml>. Check the job scripts if you find inconsistencies with the Docker images they use.