FV8 (pronounced "favourite") is a specialized version of the V8 engine, enhanced with unique capabilities. FV8 integrates patches from VisibleV8 along with its own custom patches to deliver a powerful tool for code analysis and execution.
- Forced Execution: FV8 can force-execute code under specific conditions. This capability is crucial for increasing code coverage, allowing deeper analysis, and uncovering hidden or malicious code that would otherwise remain undetected.
- Enhanced Code Coverage: By forcing the execution of more code paths, FV8 enhances the visibility into the code's behavior, making it an invaluable tool for security researchers and developers.
You can use FV8 directly by installing the .deb file of the browser and running it as a normal Chromium browser. The .deb file can be found in FV8/deb_files.
Example usage:
chromium-browser-stable --headless --no-sandbox --disable-gpu --disable-features=NetworkService --js-flags='--no-lazy' https://google.com
- --js-flags is used to pass options directly to V8 instead of passing options to Chromium.
- --headless can be removed if you are running the browser in an environment with a display.
You can build V8 yourself starting from Chromium/V8 and apply our FV8 patches.
The /patches directory contains the patches of FV8 that can be applied to the base V8 version. Link to the base V8 version: V8-base.
Example command:
patch -p1 <patches/$LAST_FV8_PATCH_FILE
To visit topX Tranco URLs:
Install the required packages:
pip install -r ./scripts/requirements.txt
export DOCKER_BUILDKIT=0
python ./scripts/vv8-cli.py setup
Visit the URLs by running the Python script:
python crawler_queue_tranco.py
This script visits websites using the FV8 browser.
You can read more about the details of our work in the following research papers:
- FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques [PDF]
If you use FV8 in your research, consider citing our work using this Bibtex entry (link to be updated upon Usenix proceedings):
@misc{pantelaios2024fv8,
title={FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques},
author={Nikolaos Pantelaios and Alexandros Kapravelos},
year={2024},
eprint={2405.13175},
archivePrefix={arXiv},
primaryClass={cs.CR}
}
- VisibleV8: In-browser Monitoring of JavaScript in the Wild [PDF]
Jordan Jueckstock, Alexandros Kapravelos
Proceedings of the ACM Internet Measurement Conference (IMC), 2019
If you use VisibleV8 in your research, consider citing our work using this Bibtex entry:
@conference{vv8-imc19,
title = {{VisibleV8: In-browser Monitoring of JavaScript in the Wild}},
author = {Jueckstock, Jordan and Kapravelos, Alexandros},
booktitle = {{Proceedings of the ACM Internet Measurement Conference (IMC)}},
year = {2019}
}
This project is offered under the MIT License (See License Tab)