Computational Resource Abuse in Web Applications

Computational Resource Abuse in Web Applications

Computational Resource Abuse in Web Applications Juan David Parra Rodriguez Dissertation eingereicht an der Fakult¨atf¨ur Informatik und Mathematik der Universit¨at Passau zur Erlangung des Grades eines Doktors der Naturwissenschaften A dissertation submitted to the faculty of computer science and mathematics in partial fulfillment of the requirements for the degree of doctor of natural sciences Betreuer: Prof. Dr. rer. nat. Joachim Posegga Passau, Germany, April 2019 Abstract Internet browsers include Application Programming Interfaces (APIs) to support Web applications that require complex functionality, e.g., to let end users watch videos, make phone calls, and play video games. Meanwhile, many Web applications employ the browser APIs to rely on the user's hardware to execute intensive computation, access the Graphics Processing Unit (GPU), use persistent storage, and establish network connections. However, providing access to the system's computational resources, i.e., processing, storage, and networking, through the browser creates an opportunity for attackers to abuse resources. Principally, the problem occurs when an attacker compromises a Web site and includes malicious code to abuse its visitor's computational resources. For example, an attacker can abuse the user's system networking capabilities to perform a Denial of Service (DoS) attack against third parties. What is more, computational resource abuse has not received widespread attention from the Web security community because most of the current specifications are focused on content and session properties such as isolation, confidentiality, and integrity. Our primary goal is to study computational resource abuse and to advance the state of the art by providing a general attacker model, multiple case studies, a thorough anal- ysis of available security mechanisms, and a new detection mechanism. To this end, we implemented and evaluated three scenarios where attackers use multiple browser APIs to abuse networking, local storage, and computation. Further, depending on the scenario, an attacker can use browsers to perform Denial of Service against third-party Web sites, create a network of browsers to store and distribute arbitrary data, or use browsers to establish anonymous connections similarly to The Onion Router (Tor). Our analysis also includes a real-life resource abuse case found in the wild, i.e., CryptoJacking, where thou- sands of Web sites forced their visitors to perform crypto-currency mining without their consent. In the general case, attacks presented in this thesis share the attacker model and two key characteristics: 1) the browser's end user remains oblivious to the attack, and 2) an attacker has to invest little resources in comparison to the resources he obtains. In addition to the attack's analysis, we present how existing, and upcoming, security enforcement mechanisms from Web security can hinder an attacker and their drawbacks. Moreover, we propose a novel detection approach based on browser API usage patterns. Finally, we evaluate the accuracy of our detection model, after training it with the real-life crypto-mining scenario, through a large scale analysis of the most popular Web sites. iii Acknowledgements First of all, I would like to thank Professor Dr. Joachim Posegga for being my advisor and Professor Dr. J¨orgSchwenk for taking the time to be the second reviewer of my thesis. I would also like to thank Benjamin Taubmann for presenting in my stead at one of the conferences when I couldn't travel. I would like to thank Eric Rothstein because he made me realize that you can find jobs where they pay you while you break things and put them back together. Also, I would like to thank my colleagues from the IT security chair with whom I discussed my research, complained about paper rejections, and celebrated paper acceptances. Especially, I would like to thank Daniel Schreckling, Arne Bilzhause, Henrich P¨ohls,Benjamin Taubmann, Eric Rothstein, Luis Ignacio Lopera, and Bastian Braun. Also, I would like to thank Diego Gomez who took the time to read many of my papers before submission. I would like to specially thank Jorge Cuellar for discussing my research ideas on the way to the train station in Passau and at his office in several occasions, as well as Martin Johns for inviting me to the Dagstuhl seminar on Web Application Security where I had the chance to get in touch with great researchers in the field and exchange ideas. Also, I would like to thank Siglinde B¨ock who helped me to sort out many issues during my trips to conferences with the University's administration. Also, I am grateful for the creation of open source tools which allowed me to perform all the evaluations in this thesis1. I would like to thank my father for encouraging me to think critically and learn how things work at a very young age. Also, I would like to thank my mother for reminding me constantly to follow my dreams. I specially thank my brother, his wife, my nephew, and my niece for letting me explore my own path in life while asking the right questions, at the right time, to help me find my way. Last but definitely not least, I thank my wife for the patience and support while I have been working on this thesis. Without her encouragement, this thesis would have fewer publications associated with it ;-). Thanks to my family and my wife's support I eventually found my place doing research in Germany. 1I thought about thanking the creators of awk, ps, cat, grep, sed, uniq, sort, tail, head, scp, pipe, output redirection, the linux shell, and many other tools but there are just too many... v Contents Contents vii 1. Introduction 1 1.1. Outline . .2 1.2. Contributions . .3 1.3. Associated Publications . .4 1.4. Other Peer Reviewed Publications . .4 I. Resource Abuse Aspects 7 2. The Browser Resource Abuse Attack 9 2.1. Motivation . 10 2.2. Attacker Model . 11 2.3. Generic Attack . 11 2.4. Code Delivery Methods . 12 2.4.1. Advertisement Networks . 12 2.4.2. Modified Dependencies and Browser Plug-Ins . 13 2.4.3. Attacking Services and Networking . 13 2.4.4. Stale Inclusions . 14 2.5. Summary . 14 3. The Current Web Security Model and Its Implications For Computational Re- sources 15 3.1. The Origin-Based Security Model . 15 3.1.1. CORS . 16 3.1.2. WebSockets . 17 3.1.3. PostMessages . 18 vii viii Contents 3.1.4. WebRTC . 19 3.2. Tailoring the Origin-Based Security Model . 21 3.2.1. Public Suffix List . 21 3.2.2. Local Storage . 22 3.2.3. Suborigins . 23 3.3. Cross-Protocol Issues at Network Level . 24 3.3.1. WebSockets . 24 3.3.2. WebRTC . 25 3.4. Why Can Origin-Based Mechanisms Not Prevent Resource Abuse? . 26 3.4.1. CORS . 27 3.4.2. WebSockets . 27 3.4.3. PostMessages . 28 3.4.4. WebRTC . 28 3.5. Summary . 30 II. Resource Abuse Case Studies 31 4. Abusing Browsers for Denial of Service against Third-Parties 33 4.1. Background . 33 4.2. Proof of Concept . 34 4.3. Analysis Concerning Browser APIs . 35 4.3.1. Implementation Differences in Handling WebSockets and WebWorkers 35 4.3.2. WebSocket HTTP Header Misinterpretation . 36 4.4. Evaluation . 37 4.4.1. Set-up . 37 4.4.2. Methodology . 38 4.4.3. Results . 39 4.5. Related Work . 47 4.6. Summary . 48 5. Abusing Browsers for Arbitrary Data Storage and Distribution 51 5.1. Background . 52 Contents ix 5.2. Proof of Concept . 53 5.2.1. Client-Side Building Blocks . 53 5.2.2. Server-Side Services . 55 5.2.3. Content Replication Technique . 56 5.3. Analysis Concerning Browser APIs . 57 5.4. Evaluation . 57 5.4.1. Set-Up . 58 5.4.2. Methodology . 59 5.4.3. Peer Behaviour . 60 5.4.4. Results . 60 5.5. Related Work . 64 5.6. Summary . 65 6. Abusing Browsers for Anonymous Communication 67 6.1. Background . 68 6.2. Proof of Concept . 68 6.3. Analysis Concerning Browser APIs . 70 6.4. Methodology . 70 6.5. Evaluation of Scalability . 71 6.5.1. Set-up . 71 6.5.2. Peer Behaviour . 72 6.5.3. Results . 73 6.6. Evaluation of Stealthiness . 77 6.6.1. Set-up . 77 6.6.2. Peer Behaviour . 78 6.6.3. Results . 79 6.7. Related Work . 80 6.8. Summary . 81 7. Abusing Browsers for Crypto-Mining 83 7.1. Background . 84 7.2. Analysis Concerning Browser APIs . 86 x Contents 7.3. Summary . 86 III. Countermeasures 87 8. Enforcement Mechanisms 89 8.1. User-Controlled Mechanisms . 89 8.1.1. Blacklists . 89 8.1.2. Disabling Networking APIs . 90 8.1.3. Third-Party Tracking Protection . 90 8.2. Developer-Controlled Mechanisms . 91 8.2.1. Sand-boxed Environments ..

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    170 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us