Computational Resource Abuse in Web Applications
Computational Resource Abuse in Web Applications Juan David Parra Rodriguez Dissertation eingereicht an der Fakult¨atf¨ur Informatik und Mathematik der Universit¨at Passau zur Erlangung des Grades eines Doktors der Naturwissenschaften A dissertation submitted to the faculty of computer science and mathematics in partial fulfillment of the requirements for the degree of doctor of natural sciences Betreuer: Prof. Dr. rer. nat. Joachim Posegga Passau, Germany, April 2019 Abstract Internet browsers include Application Programming Interfaces (APIs) to support Web applications that require complex functionality, e.g., to let end users watch videos, make phone calls, and play video games. Meanwhile, many Web applications employ the browser APIs to rely on the user's hardware to execute intensive computation, access the Graphics Processing Unit (GPU), use persistent storage, and establish network connections. However, providing access to the system's computational resources, i.e., processing, storage, and networking, through the browser creates an opportunity for attackers to abuse resources. Principally, the problem occurs when an attacker compromises a Web site and includes malicious code to abuse its visitor's computational resources. For example, an attacker can abuse the user's system networking capabilities to perform a Denial of Service (DoS) attack against third parties. What is more, computational resource abuse has not received widespread attention from the Web security community because most of the current specifications are focused on content and session properties such as isolation, confidentiality, and integrity. Our primary goal is to study computational resource abuse and to advance the state of the art by providing a general attacker model, multiple case studies, a thorough anal- ysis of available security mechanisms, and a new detection mechanism.
[Show full text]