Fakeium: A dynamic execution environment for JavaScript program analysis
The JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious bro...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Elsevier
2025-09-01
|
| Series: | SoftwareX |
| Subjects: | |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S2352711025002675 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849228382031577088 |
|---|---|
| author | José Miguel Moreno Narseo Vallina-Rodriguez Juan Tapiador |
| author_facet | José Miguel Moreno Narseo Vallina-Rodriguez Juan Tapiador |
| author_sort | José Miguel Moreno |
| collection | DOAJ |
| description | The JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious browser extensions that steal user information and supply chain attacks that target the official Node.js package registry. To combat these threats, researchers have developed specialized tools and frameworks for analyzing the behavior of JavaScript programs to detect malicious patterns. Static analysis tools typically struggle with the highly dynamic nature of the language and fail to process obfuscated sources, while dynamic analysis pipelines take several minutes to run and require more resources per program, making them unfeasible for large-scale analyses. In this paper, we present Fakeium, a novel, open source, and lightweight execution environment designed under the twofold purpose of serving as a fast, fully automated tool for analyzing JavaScript at scale and as a flexible sandbox for manual investigation of complex sources. Built on top of the popular V8 engine, Fakeium complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed without the need for resource-intensive instrumented browsers or synthetic user input. Besides its negligible execution overhead, our tool is highly customizable and supports hooks for advanced analysis scenarios such as network traffic emulation. Fakeium’s flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlights its potential as a valuable tool for security analysts to detect malicious behavior. |
| format | Article |
| id | doaj-art-90cd0752aa6741df878c401f426737f2 |
| institution | Kabale University |
| issn | 2352-7110 |
| language | English |
| publishDate | 2025-09-01 |
| publisher | Elsevier |
| record_format | Article |
| series | SoftwareX |
| spelling | doaj-art-90cd0752aa6741df878c401f426737f22025-08-23T04:48:40ZengElsevierSoftwareX2352-71102025-09-013110230110.1016/j.softx.2025.102301Fakeium: A dynamic execution environment for JavaScript program analysisJosé Miguel Moreno0Narseo Vallina-Rodriguez1Juan Tapiador2Universidad Carlos III de Madrid, Avda. de la Universidad 30, Leganés, Spain; Corresponding author.IMDEA Networks Institute, Avda. del Mar Mediterráneo 22, Leganés, SpainUniversidad Carlos III de Madrid, Avda. de la Universidad 30, Leganés, SpainThe JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious browser extensions that steal user information and supply chain attacks that target the official Node.js package registry. To combat these threats, researchers have developed specialized tools and frameworks for analyzing the behavior of JavaScript programs to detect malicious patterns. Static analysis tools typically struggle with the highly dynamic nature of the language and fail to process obfuscated sources, while dynamic analysis pipelines take several minutes to run and require more resources per program, making them unfeasible for large-scale analyses. In this paper, we present Fakeium, a novel, open source, and lightweight execution environment designed under the twofold purpose of serving as a fast, fully automated tool for analyzing JavaScript at scale and as a flexible sandbox for manual investigation of complex sources. Built on top of the popular V8 engine, Fakeium complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed without the need for resource-intensive instrumented browsers or synthetic user input. Besides its negligible execution overhead, our tool is highly customizable and supports hooks for advanced analysis scenarios such as network traffic emulation. Fakeium’s flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlights its potential as a valuable tool for security analysts to detect malicious behavior.http://www.sciencedirect.com/science/article/pii/S2352711025002675Web securityDynamic analysisSandboxObfuscationChromiumJavaScript |
| spellingShingle | José Miguel Moreno Narseo Vallina-Rodriguez Juan Tapiador Fakeium: A dynamic execution environment for JavaScript program analysis SoftwareX Web security Dynamic analysis Sandbox Obfuscation Chromium JavaScript |
| title | Fakeium: A dynamic execution environment for JavaScript program analysis |
| title_full | Fakeium: A dynamic execution environment for JavaScript program analysis |
| title_fullStr | Fakeium: A dynamic execution environment for JavaScript program analysis |
| title_full_unstemmed | Fakeium: A dynamic execution environment for JavaScript program analysis |
| title_short | Fakeium: A dynamic execution environment for JavaScript program analysis |
| title_sort | fakeium a dynamic execution environment for javascript program analysis |
| topic | Web security Dynamic analysis Sandbox Obfuscation Chromium JavaScript |
| url | http://www.sciencedirect.com/science/article/pii/S2352711025002675 |
| work_keys_str_mv | AT josemiguelmoreno fakeiumadynamicexecutionenvironmentforjavascriptprogramanalysis AT narseovallinarodriguez fakeiumadynamicexecutionenvironmentforjavascriptprogramanalysis AT juantapiador fakeiumadynamicexecutionenvironmentforjavascriptprogramanalysis |