Chapter 4
Browser Resource Stealing Attack
strict security measures, therefore not easy to compromise. Alternatively, attackers can create their own websites and propagate the sites through online advertisement services.
Online advertisement is a mature business model on the Internet. Various Ad providers provide platforms for businesses to display banners or image Ads on websites to promote marketing messages.
As part of this research, we show that current ad networks, such as Google AdWords, allow attackers to perform large-scale computational resource theft by displaying ads that launch Web Worker tasks. Our analysis shows that attackers can use a number of strategies to generate ads that generate large numbers of impressions but cost very little due to their low click-through rate. Despite their low cost, each ad impression allows an attacker to steal computational resources from the browser that the ad is displayed in. For many appli- cations, we show that the economics of an ad-based resource stealing attack are attractive to an adversary.
As the core language of the Web, JavaScript has been used by attackers in Cross Site Scripting (XSS), drive-by download [108], cross-site request forgery [109], and other at- tacks. However, the computing capability of JavaScript and the computing resources that can be stolen from browser clients has been largely undervalued. In this paper, we assess these resource stealing attacks which utilize the computing power of JavaScript to perform distributed computing for various malicious purposes. Complex attacks, such as distributed password cracking, were not feasible before because of their significant impact on fore- ground JavaScript performance, which would alert users or make them leave the page, but are now possible due to three major JavaScript advances in recent years. 1) JavaScript used to be based on a single-threaded architecture and intensive computation would significantly slow down the page and draw users’ attention. With the Web Workers API introduced in HTML5, resource-intensive computation can happen in a background thread. Our experi- ments [7] have shown that Web Worker computation in the background has no discernible impact on the foreground user experience for a multicore CPU. 2) Popular browsers com-
pete fiercely to optimize their JavaScript engines and there has been a significant increase in JavaScript computational speed. Modern browsers are able to complete complex and computationally intensive tasks such as 3D rendering and image processing [110]. Further- more, techniques such as asm.js [69] and NativeClient [111] can further improve JavaScript performance to near-native levels. 3) As a major UI evolution, tabs instead of windows in browsers, lead to parallel browsing behavior of users and web pages that are left open for long periods of time. Users tend to keep more tabs open and each tab open for longer, which gives background Web Worker tasks associated with a particular web page a longer period to operate and steal computational resources.
Open Question ⇒ Are Browser Resource Stealing Attacks a Significant Threat Vector? In past work [7], we have demonstrated the feasibility of legitimate uses of Web Worker background computing to perform computational tasks beneficial to both the browser owner and the website operator, which is termedGray Computing. However, it re- mains a question whether these same Web Workers, if used by attackers, can be a significant threat vector. In particular, we would like to know what attacks could be launched through Web Workers? Are Web Worker-based attacks economical and attractive to attackers even when they have other choices such as renting botnets or cloud computing?
People have shown interest in misusing browsers for web attacks. Lam et. al [44]
propose Puppetnets which is a distributed attack infrastructure misusing web browsers.
However, the attacks assessed were limited to single-threaded web pages performing tasks that were not computationally intensive, such as worm propagation, click fraud, etc. In contrast, Web Worker-based attacks run in the background and can do substantial compu- tational work without impacting foreground JavaScript performance and tipping off users to their presence.
The resource stealing attacks with Web Workers that we assess in this paper can be seen as browser-based botnets where the bot is not an infected computer, but a browser visiting a compromised website. The concept of a browser botnet was first proposed by
Kuppan [45]. They introduced the idea of using Web Workers as a potential attack vector for a DDoS attack. However, they did not consider the cost to launch such attacks and whether the economics and available computing power would be attractive to attackers.
Pellegrino et. al [46] present a preliminary cost analysis on browser-based DDoS attacks.
Their analysis is limited to DDoS attacks while we analyze a broader set of computational tasks, such as distributed password cracking, and provide concrete comparisons with cloud computing providers.
Contributions.
• We demonstrate that current ad networks allow Web Workers to be spawned by ad impressions, which creates a significant threat for mass resource stealing. We pro- vide a deep analysis of the economics of resource stealing through ad impressions and show that it is an attractive target for many types of computationally intensive applications.
• We analyze the economics behind resource stealing attacks and compare the cost models for Web Worker attacks, botnets, and cloud computing. The cost models take into account the bandwidth/request costs to distribute the computing tasks and allow the quantitative comparison of the cost of different approaches to see whether Web Workers are economically attractive.
• We evaluate the performance and user experience impact of Web Worker resource stealing attacks. We take advantage of several state-of-art projects to optimize JavaScript computing speed and port a number of computationally intensive and potentially malicious applications to JavaScript. We also compare the computing performance with/without Web Workers as well as performance differences of resource stealing attacks across web browsers.
• We assess various ways that resource stealing attacks could misuse a browser’s re- sources, including DDoS attacks, distributed password cracking, rainbow table gen-
eration, and cryptocurrency mining. For each attack vector, we compare the pros and cons of launching attacks through a botnet, cloud computing provider, and Web Workers in a browser.
• We evaluate the attacks in the latest context of cloud computing and mobile com- puting. We assume that the attackers are able to use cloud services to build their distributed browser attack infrastructure. We also compare the cost of running the computing tasks in a browser versus on the cloud to see whether it is cost effective for attackers to deploy resource-stealing computations in browsers. In addition to traditional browsers running on desktops or laptops, we also cover mobile device performance in our evaluations. Several unique challenges and threats to mobile devices of Web Worker resource stealing attacks are identified and assessed.