Leveraging WebAssembly for Numerical JavaScript Code Virtualization

Shuai Wang; Guixin Ye; Meng Li; Lu Yuan; Zhanyong Tang; Huanting Wang; Wei Wang; Fuwei Wang; Jie Ren; Dingyi Fang; Zheng Wang

doi:10.1109/ACCESS.2019.2953511

IEEE Access (Jan 2019)

Leveraging WebAssembly for Numerical JavaScript Code Virtualization

Shuai Wang,
Guixin Ye,
Meng Li,
Lu Yuan,
Zhanyong Tang,
Huanting Wang,
Wei Wang,
Fuwei Wang,
Jie Ren,
Dingyi Fang,
Zheng Wang

Affiliations

Shuai Wang: ORCiD; School of Computer Science and Technology, Northwest University, Xi’an, China
Guixin Ye: ORCiD; School of Computer Science and Technology, Northwest University, Xi’an, China
Meng Li: ORCiD; School of Computer Science and Technology, Northwest University, Xi’an, China
Lu Yuan: ORCiD; School of Computer Science and Technology, Northwest University, Xi’an, China
Zhanyong Tang: ORCiD; School of Computer Science and Technology, Northwest University, Xi’an, China
Huanting Wang: School of Computer Science and Technology, Northwest University, Xi’an, China
Wei Wang: School of Computer Science and Technology, Northwest University, Xi’an, China
Fuwei Wang: School of Computer Science and Technology, Northwest University, Xi’an, China
Jie Ren: School of Computer Science, Shaanxi Normal University, Xi’an, China
Dingyi Fang: School of Computer Science and Technology, Northwest University, Xi’an, China
Zheng Wang: School of Computing, Lancaster University, Lancaster, U.K.

DOI: https://doi.org/10.1109/ACCESS.2019.2953511
Journal volume & issue: Vol. 7
pp. 182711 – 182724

Abstract

Read online

Code obfuscation built upon code virtualization technology is one of the viable means for protecting sensitive algorithms and data against code reverse engineering attacks. Code virtualization has been successfully applied to programming languages like C, C++, and Java. However, it remains an outstanding challenge to apply this promising technique to JavaScript, a popular web programming language. This is primarily due to the open visibility of JavaScript code and the expensive runtime overhead associated with code virtualization. This paper presents JSPro, a novel code virtualization system for JavaScript. JSPro is the first JavaScript code obfuscation tool that builds upon the emerging WebAssembly language standard. It is designed to provide more secure code protection but without incurring a significant runtime penalty, explicitly targeting numerical JavaScript kernels. We achieve this by first automatically translating the target JavaScript code into WebAssembly and then performing code obfuscation on the compiled WebAssembly binary. Our design has two advantages over existing solutions: (1) it increases the code reverse entering complexity by implementing code obfuscation at a lower binary level and (2) it significantly reduces the performance impact of code virtualization over the native JavaScript code by using the performance-tuned WebAssembly language. We evaluate JSPro on a set of numerical JavaScript algorithms widely used in many applications. To test the performance, we apply JSPro to four mainstream web browsers running on three distinct mobile devices. Compared to state-of-the-art JavaScript obfuscation tools, JSPro not only provides stronger protection but also reduces the runtime overhead by at least 15% (up to 38.2%) and the code size by 28.2% on average.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords