News Column

Researchers Submit Patent Application, "Unpacking Javascript with an Actionscript Emulator", for Approval

May 22, 2014

By a News Reporter-Staff News Editor at Politics & Government Week -- From Washington, D.C., VerticalNews journalists report that a patent application by the inventor Liu, Bing (North Vancouver, CA), filed on November 1, 2012, was made available online on May 8, 2014.

The patent's assignee is Fortinet, Inc.

News editors obtained the following quote from the background information supplied by the inventors: "Embodiments of the present invention generally relate to the field of Flash files and players thereof. In particular, various embodiments relate to methods of scanning Flash files to detect techniques used for exploiting including heap and/or just-in-time compiler (JIT) spraying and to detect flash exploits by extracting and evaluating embedded Flash and/or embedded JavaScript.

"In today's communication world, data presentation to a user is one of the most important and creative tasks. Especially, online data presentation mechanisms are significantly and drastically changing based on user's needs and expectations. For instance, content can now be presented to a user in text, image, audio, video, and embedded formats, among many other formats or combinations thereof.

"To represent these various types of formats, different programming techniques and file formats are being used. Flash format of Adobe is one such format, wherein Flash provides a multimedia platform that is used for adding animation, video, and interactivity to web pages. Flash is a tool for rich Internet applications and is used for advertisements, games and flash animation for broadcasting. Flash content can be displayed on various electronic devices and computer systems using Adobe Flash Player.

"Flash provides animation of text, drawings, and still images, supports bidirectional streaming of audio and video, and captures user input via mouse, keyboard, microphone, and camera.

"Flash development is based on an object-oriented language called ActionScript. ActionScript is basically a superset of the syntax and semantics of the JavaScript language and is primarily used for the development of websites and software targeting the Adobe Flash Player platform. ActionScript 3.0 (hereinafter referred to as ActionScript) was introduced with Flash Player 9, which embeds ActionScript Virtual Machine 2 (AVM2).

"During execution of ActionScript code, the code is converted into ActionScript Byte Code (ABC) segments by a compiler and is stored in an ABC file with a DoABC tag or RawABC tag, and compiled into byte code, wherein DoABC and RawABC tags are container tags for ActionScript that are used for performing specific actions. The flash player calls the AVM2 to execute the ABC file.

"Adobe Flash files are stored in ShockWave Flash (SWF) format, with a .swf extension, for using multimedia, vector graphics and ActionScript. SWF is a widely used format for displaying 'animated' vector graphics on the Web. It is also used for programs, commonly browser games, using ActionScript. It is also pertinent to note that with growing emphasis on development of computer software that handles user data, various threats including hacking, phishing, malware, and viruses are also now becoming common mechanisms for breach of security and access to crucial information. To handle these threats, various protection measures and systems are implemented to provide safety and security to users of the Internet. However, hackers, commonly called attackers, tend to find alternatives to attack end user systems, for example.

"Among various methods of hacking, use of exploits is a common method that attackers use to attack users' computer systems. An exploit is a piece of software, a data chunk, or a sequence of commands, which takes advantage of an error, fault, failure or vulnerability in a computer system, operating system, program or the like in order to cause unintended or unanticipated behavior to occur on a particular computer system. An exploit may result in denial of service or allow an attacker to access user data, perform arbitrary code execution or otherwise gain control of the computer system.

"Exploiting techniques can typically be used by an attacker to cause an AVM to execute his/her exploiting techniques can be classified into various types, such as heap spraying and Just-In-Time (JIT) spraying, and may involve the use of embedded Flash, embedded JavaScript and the like. These exploiting techniques are explained below with respect to Adobe Flash player.

"Heap spraying is an exploiting technique commonly used to allow an attacker to execute commands of the attacker's choice on a user's computer or in a user's process. In general, exploit source code attempts to put a certain sequence of bytes at a predetermined location in heap memory of a user process by allocating blocks on the user's process heap and filling bytes in these blocks with appropriate values.

"A heap spray does not actually exploit any particular security issue, but instead makes various security issues easier to exploit. A heap spray can be used to introduce a large amount of data, such as an address of a function the attacker desires to execute, into memory in order to increase the chances of successful exploitation. Heap sprays take advantage of the fact that on most architectures and operating systems, the start location of large heap allocations is predictable and consecutive allocations are roughly sequential. Therefore, the sprayed heap is roughly in the same location each and every time the heap spray is run. Heap spraying can be better explained with an example illustrated in the context of Flash files.

"In general, program code, also referred to as a process hereinafter, is initially stored in a specified memory location of a user's computer and is executed whenever the user calls it. The compiler goes to the memory location, fetches the code and executes the code. In the case of a Flash file, the compiler fetches ActionScript code, converts it to ABC segments and stores the resulting byte codes in an ABC file with a DoABC tag and executes the code, but never interprets the code.

"An attacker may create code that implements a heap spray and inject the code into a user process that allocates heap memory. The heap spray code can be used to spray the heap with specific bytes, typically representing an address of a function or procedure the attacker desires to be executed. Then, once a vulnerability is exploited, the application code can be made to read the address from the sprayed heap, thereby allowing the attacker to control subsequent flow of execution.

"JIT spraying or Just-In-Time spraying is another type of exploit that impacts behavior of just-in-time compilation or dynamic compilation. JIT spraying bypasses two commonly used exploitation protection methods namely, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). JIT spraying is typically used to penetrate security features in PDF documents and Adobe's Flash technology. A JIT compiler produces code, which is stored in memory marked as executable. If the attacker's code is generated by the JIT engine, the exploit code will also reside in executable area. In other words, DEP or ASLR is not involved in protection of code emitted by the JIT compiler. The JIT spraying process basically compiles exploit code and proceeds to spray compiled code into the memory with enough instances of exploit code so as to overwhelm address space randomization and then execute the exploit itself.

"A common JIT spraying technique is to fill user code with many XORs that are done with a constant, which ultimately result in an encoding of a desired instruction or set of instructions. Then, if the attacker can transfer the execution, by pointing the instruction pointer to the sprayed heap, the exploit payload can take control of the system. One mechanism for implementing heap or JIT spraying and/or gaining control of the instruction pointer is by way of embedded flash. Embedded flash may be used within a Flash file to trigger a flash vulnerability. A flash exploit or an attacker specified Flash file is embedded in a user/container file such as in a PDF file, Flash file, office document and the like. The container typically performs heap spraying as the exploiting technique and the flash exploit is used to gain control of the flow of execution.

"Another mechanism for implementing heap or JIT spraying and/or gaining control of the instruction pointer is by way of embedded JavaScript within a container (e.g., an HTML page, a PDF file, Flash file, office document and the like). As above, the container may perform the heap spraying and a flash exploit implemented within the embedded JavaScript may be used to gain control of the flow of execution.

"In view of Flash's ubiquity and the increasing use of ActionScript to implement heap and JIT spraying by attackers accompanied by Flash exploits embedded within Flash binaries, there is a need for methods and systems that can detect heap and/or JIT spraying and/or exploit code in embedded Flash and/or JavaScript."

As a supplement to the background information on this patent application, VerticalNews correspondents also obtained the inventor's summary information for this patent application: "Methods and systems are described for detecting an attempt to evaluate embedded JavaScript. According to one embodiment, an ActionScript emulator running on a computer system receives a Flash file to be tested. The ActionScript emulator implements a modified version of a class typically implemented by a Flash file container. The ActionScript emulator reveals one or more tagged data blocks (tags) contained within the Flash file by decoding the Flash file. The ActionScript emulator determines whether the one or more tags are capable of containing ActionScript bytecode (ABC) by evaluating the one or more tags. When an affirmative determination results with respect to a tag of the one or more tags, then the ActionScript emulator interprets and executes the ABC associated with the tag. Responsive to invocation of a predetermined method of the modified version of the class by the ABC and meeting one or more predetermined conditions, the ActionScript emulator reports existence of embedded JavaScript within the Flash file.
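To illustrate the decoding step in that summary (reveal the SWF's tags, then decide which of them can carry ABC), here is a small scanner added for this article; it is not Fortinet's code and does not interpret the bytecode. It assumes the SWF tag codes 72 (RawABC) and 82 (DoABC) from the SWF file format, and the sample file it scans is constructed inline with stub ABC bodies.

```python
import struct
import zlib

def swf_tags(data):
    """Yield (tag_code, body) for every tag in an FWS (plain) or CWS (zlib) SWF."""
    if data[:3] == b"CWS":                     # only the 8-byte header is uncompressed
        data = data[:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("not an FWS/CWS SWF")
    nbits = data[8] >> 3                       # RECT: 5-bit width of its four fields
    pos = 8 + (5 + 4 * nbits + 7) // 8         # skip the byte-aligned RECT
    pos += 4                                   # frame rate UI16 + frame count UI16
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        code, size = header >> 6, header & 0x3F
        if size == 0x3F:                       # long RECORDHEADER: UI32 length follows
            size = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        yield code, data[pos:pos + size]
        pos += size
        if code == 0:                          # End tag closes the tag stream
            break

def find_abc(data):
    """Return [(kind, name, abc_bytes)] for each tag capable of carrying ABC."""
    found = []
    for code, body in swf_tags(data):
        if code == 82:                         # DoABC: UI32 flags, STRING name, ABC data
            end = body.index(b"\x00", 4)
            found.append(("DoABC", body[4:end].decode("latin-1"), body[end + 1:]))
        elif code == 72:                       # RawABC: the body is the ABC block itself
            found.append(("RawABC", "", body))
    return found

def build_swf(tags, compress=False):
    """Assemble a constructed test SWF from (code, body) pairs; not real Flash content."""
    body = b"\x00" + struct.pack("<HH", 0x1800, 1)   # empty RECT, 24 fps, one frame
    for code, tag_body in tags:                     # always use the long tag header
        body += struct.pack("<HI", (code << 6) | 0x3F, len(tag_body)) + tag_body
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body)) + payload

# Constructed sample: a DoABC tag named "frame1", a RawABC tag, ShowFrame, End.
STUB_ABC = b"\x10\x00\x2e\x00"                 # just an ABC version header (minor 16, major 46)
SAMPLE_TAGS = [(82, b"\x01\x00\x00\x00frame1\x00" + STUB_ABC), (72, STUB_ABC), (1, b""), (0, b"")]
SAMPLE_SWF = build_swf(SAMPLE_TAGS)
```

The ABC blocks `find_abc` returns are what an emulator would hand to its AVM2 interpreter; the hooked container-class method described in the summary sits on top of that step.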

"Other features of embodiments of the present disclosure will be apparent from the accompanying drawings and from the detailed description that follows.

"In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

"FIG. 1 is a high-level block diagram conceptually illustrating a system for detecting conditions indicative of heap spraying, JIT spraying, embedded Flash, embedded JavaScript and/or the existence of a known Flash exploit in Flash files in accordance with an embodiment of the present invention.

"FIG. 2 illustrates exemplary functional units of an ActionScript emulator in accordance with an embodiment of the present invention.

"FIG. 3 illustrates the typical format of a SWF file.

"FIG. 4 is a flow diagram illustrating processing performed by a scanner in accordance with an embodiment of the present invention.

"FIG. 5 is a flow diagram illustrating processing performed by the ActionScript Emulator in accordance with an embodiment of the present invention.

"FIG. 6 is a flow diagram illustrating processing performed by the ActionScript Emulator during detection of exploiting techniques or occurrence of embedded Flash/JavaScript in accordance with an embodiment of the present invention.

"FIG. 7 is an exemplary computer system in which or with which embodiments of the present invention may be utilized."

For additional information on this patent application, see: Liu, Bing. Unpacking Javascript with an Actionscript Emulator. Filed November 1, 2012 and posted May 8, 2014. Patent URL:

Keywords for this news article include: Software, JavaScript, Fortinet Inc.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Politics & Government Week
