ASSERT-KTH / wasm_evasion

Malware evasion for Wasm

This repo contains the tooling and the reproduction of our experiments on Wasm malware evasion, see our paper WebAssembly Diversification for Malware Evasion.

To cite this work:

@article{CABRERAARTEAGA2023103296,
       title = {WebAssembly Diversification for Malware Evasion},
       journal = {Computers & Security},
       pages = {103296},
       year = {2023},
       issn = {0167-4048},
       doi = {https://doi.org/10.1016/j.cose.2023.103296},
       url = {https://www.sciencedirect.com/science/article/pii/S0167404823002067},
       author = {Javier Cabrera-Arteaga and Martin Monperrus and Tim Toady and Benoit Baudry},
       keywords = {WebAssembly, cryptojacking, software diversification, malware evasion}
}

Setup & requirements

• Clone this repo and its submodules git clone --recursive

• Install Rust in your computer

  • Set nightly as the version rustup default nightly
  • Compile the analyzer tool cd crates/evasor && cargo build

• As an alternative, you can download the ubuntu release binary wget -O analyzer https://github.com/Jacarte/obfuscation_wasm/releases/download/0.1.0/evasor_linux_64amd

Evasor

The evasor bin performs the evasion over an oracle. The oracle can be set with the --oracle option. The oracle argument should be another executable script or binary that receives a Wasm program as the first argument. The oracle binary should return exit code 0 if the binary evades, otherwise the exit code is used by the evasor as the numeric value returned by the fitness function. For example, to perform the evasion of VirusTotal, the exit code of the script is the number of bypassed vendors.

Examples

• Run the baseline evasion over the MINOS oracle: RUST_BACKTRACE=1 RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/minos" mutate --seed 0 -s 10 -e --attempts 1000 -p 1 --input <input.wasm> --oracle python3 ../../oracles/minos/minio.py

• Run the basesline evasion over the VirusTotal oracle. This example assumes that our VirusTotal oracle is running on http://127.0.0.1:4000. Follow the instructions to deploy our VirusTotal wrapper: RUST_BACKTRACE=1 RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/all" mutate --seed 0 --bulk-size 1 -s 10 -e --attempts 1000 -p 1 --input /input.wasm --oracle python3 ../../oracles/vt_custom_chrome/vt_oracle_count.py http://127.0.0.1:4000 vt vt vt123 malware_file_1

• Run the mcmc evasion over VirusTotal (assume the VirusTotal wrapper of the previous example): RUST_LOG=evasor=debug ./target/release/evasor --dbconn "datas/all" mutate --use-reward --seed 0 --beta 0.3 --peek_count 2 -e --attempts 1000 --input /input.wasm --oracle python3 ../../oracles/vt_custom_chrome/vt_oracle_count_reward.py http://127.0.0.1:4000 vt vt vt123 multiple_steps_malware_file

Evasor CLI

To access the help lines of the tool, run ./evasor --help.

Tests

• Run cargo test --features <wasm-mutate features>

Reproducing our experiments

Our experiments run as an Argo workflow, the main reason is that the evasion pipeline can escalate horizontally, i.e., how job per malware. To fully reproduce our experiments a Kubernetes cluster is needed (minikube is an option as well for local testing). Once with the kubernetes cluster set, run the install script. The later script will create the services for argo and the artifact storage in MINIO. Thus, all jobs of evasion will collect data in the same storage layer, and you can collect them later.

Once the deploy script ran, submit each experiment as an argo job argo submit <job.yml>. Check the job scripts if you find incongruences with the docker images used by them.