The emergence of WebAssembly allows attackers to hide the malicious functionalities of JavaScript malware in cross-language interoperations, termed JavaScript-WebAssembly multilingual malware (JWMM). However, existing anti-virus solutions based on static program analysis are still limited to monolingual code. As a result, their detection effectiveness decreases significantly against JWMM. The detection of JWMM is challenging due to the complex interoperations and semantic diversity between JavaScript and WebAssembly. To bridge this gap, we present JWBinder, the first technique aimed at enhancing the static detection of JWMM. JWBinder performs a language-specific data-flow analysis to capture the cross-language interoperations and then characterizes the functionalities of JWMM through a unified high-level structure called Inter-language Program Dependency Graph. The extensive evaluation on one of the most representative real-world anti-virus platforms, VirusTotal, shows that \system effectively enhances anti-virus systems from various vendors and increases the overall successful detection rate against JWMM from 49.1\% to 86.2\%. Additionally, we assess the side effects and runtime overhead of JWBinder, corroborating its practical viability in real-world applications.

翻译：WebAssembly的出现使攻击者能够在跨语言互操作中隐藏JavaScript恶意软件的恶意功能，这类威胁被称为JavaScript-WebAssembly多语言恶意软件（JWMM）。然而，现有基于静态程序分析的反病毒解决方案仍局限于单语言代码检测，导致其对JWMM的检测效果显著下降。由于JavaScript与WebAssembly之间复杂的互操作机制及语义差异，JWMM检测面临严峻挑战。为填补这一空白，我们提出了JWBinder技术——首个旨在增强JWMM静态检测的方法。JWBinder通过执行特定语言的数据流分析来捕获跨语言互操作行为，进而利用统一的跨语言程序依赖图高阶结构表征JWMM的功能特性。在最具代表性的现实反病毒平台VirusTotal上进行的广泛评估表明，该系统能有效增强来自不同供应商的反病毒系统，将针对JWMM的整体成功检测率从49.1%提升至86.2%。此外，我们评估了JWBinder的副作用与运行时开销，证实了其在实际应用中的技术可行性。