Top

Published in:

2018 | OriginalPaper | Chapter

When Your Browser Becomes the Paper Boy

An Anonymous Browser Network

Authors : Juan D. Parra Rodriguez, Eduard Brehm, Joachim Posegga

Published in: ICT Systems Security and Privacy Protection

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We present a scenario where browsers’ network and computation capabilities are used by an attacker without the user’s knowledge. For this kind of abuse, an attacker needs to trigger JavaScript code on the browser, e.g. through an advertisement. However, unlike other Web attacks, e.g. cross-site scripting, the attack can be executed isolated from the Origin of the site visited by the user.

We demonstrate this by forcing common browsers to join an overlay network and perform onion routing for other peers in the network. An attacker can create and tear down such browser networks whenever needed and use them to avoid detection, complicate forensic analysis, and protect his identity. Based on a performance evaluation with real browsers, we ascertain that the network delivers messages in a timely manner under load while remaining unnoticed. From a more constructive point of view, we discuss how the current CSP specification and other mechanisms under discussion can help to protect users against this attack.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Practical Cryptographic Data Integrity Protection with Full Disk Encryption

next chapter EMPower: Detecting Malicious Power Line Networks from EM Emissions

As Tor, we use Elliptic Curve Diffie-Hellman (ECDH) key agreement with a single shared key to encrypt the communication between every pair of peers. In Fig. 1, P1(P2(B(Message)))) represents the message encrypted with the keys from Bob, P2, and P1, in this particular order.

A Firefox instance needs 400 MB of memory. Each tab needs 30 MB.

The time required for the action is only based on the Data Collection server’s clock.

A developer broke most packages in npm by removing a left padding module: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/.

Global IP network averages. http://ipnetwork.bgtmo.ip.att.net/pws/global_network_avgs.html. Accessed 06 Apr 2018

iAnonym. http://www.ianonym.com/. Accessed 08 Jan 2018

Tips for running an exit node. https://blog.torproject.org/tips-running-exit-node. Accessed 15 Jan 2018

WebRTC Control. https://mybrowseraddon.com/webrtc-control.html. Accessed 06 Apr 2018

BitcoinPlus (2011). https://web.archive.org/web/20170103133312/http://www.bitcoinplus.com/miner/embeddable. Accessed 06 Apr 2018

WebRTC via ‘connect-SRC’? September 2013. https://github.com/aghorler/WebRTC-Leak-Prevent. Accessed 06 Apr 2018

CSP for WebRTC, August 2014. https://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0162.html. Accessed 06 Apr 2018

WebRTC RTCDataChannel can be used for exfiltration, June 2016. https://github.com/w3c/webappsec-csp/issues/92. Accessed 06 Apr 2018

Aboukhadijeh, F.: MD5-Password-Cracker.js (2013). https://github.com/feross/md5-password-cracker.js/. Accessed 06 Apr 2018

10.

Aboukhadijeh, F.: The joys of HTML5: introducing the new HTML5 HardDiskFiller API (2013). https://github.com/PeerCDN. Accessed 06 Apr 2018

11.

Antonatos, S., Akritidis, P., Lam, V.T., Anagnostakis, K.G.: Puppetnets: misusing web browsers as a distributed attack infrastructure. ACM Trans. Inf. Syst. Secur. 12(2), 12 (2008)CrossRef

12.

Athanasopoulos, E., et al.: Antisocial networks: turning a social network into a botnet. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 146–160. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85886-7_10CrossRef

13.

Web Code Weakness allows Data Dump on PCs (2008). http://www.bbc.com/news/technology-21628622. Accessed 06 Apr 2018

14.

Bu, M., Zhang, E.: The PeerJS library (2012). https://github.com/peers/peerjs. Accessed 06 Apr 2018

15.

Burgstaller, F., Derler, A., Kern, S., Schanner, G., Reiter, A.: Anonymous communication in the browser via onion-routing. In: 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, pp. 260–267, November 2015. https://doi.org/10.1109/3PGCIC.2015.22

16.

ClickTales 2013 Web Analytics Benchmarks Report (2013). https://research.clicktale.com/web_analytics_benchmarks.html. Accessed 06 Apr 2018

17.

Coinhive JS Crypto Miner (2017). https://coinhive.com/. Accessed 06 Apr 2018

18.

Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-download Attacks and Malicious JavaScript Code. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 281–290. ACM, Raileigh (2010). https://doi.org/10.1145/1772690.1772720

19.

Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of the 13th Conference on USENIX Security Symposium-Volume 13, SSYM 2004, pp. 21–21. USENIX Association, Berkeley (2004). http://dl.acm.org/citation.cfm?id=1251375.1251396

20.

Russian Tor Exit Node Operator Arrested (2017). https://www.deepdotweb.com/2017/05/01/russian-tor-exit-node-operator-arrested/. Accessed 06 Apr 2018

21.

Fifield, D., Epner, M.G.: Fingerprint ability of WebRTC. Technical report, Cornell University Library (2016). http://arxiv.org/abs/1605.08805. Accessed 06 Apr 2018

22.

Fifield, D., et al.: Evading censorship with browser-based proxies. In: Fischer-Hübner, S., Wright, M. (eds.) PETS 2012. LNCS, vol. 7384, pp. 239–258. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31680-7_13CrossRef

23.

Grossman, J., Johansen, M.: Million Browser Botnet (2013). https://www.blackhat.com/us-13/briefings.html. Accessed 06 Apr 2018

24.

Johns, M., Winter, J.: Protecting the intranet against “JavaScript Malware” and related attacks. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 40–59. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73614-1_3. https://web.sec.uni-passau.de/members/martin/docs/2007_DIMVA_Johns_Winter_Anti_JS_Malware_lncs.pdf

25.

Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 1193–1204. ACM, New York (2013). https://doi.org/10.1145/2508859.2516703

26.

Matthews, N.: Ravan: JavaScript Distributed Computing System (BETA) (2012). http://www.andlabs.org/tools/ravan.html. Accessed 06 Apr 2018

27.

Maunder, M.: WordPress plugin banned for crypto mining. https://www.wordfence.com/blog/2017/11/wordpress-plugin-banned-crypto-mining/. Accessed 15 Jan 2018

28.

Nikiforakis, N., et al.: You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 736–747. ACM, New York (2012). https://doi.org/10.1145/2382196.2382274

29.

Parra Rodriguez, J.D., Posegga, J.: CSP & Co. Can save us from a rogue cross-origin storage browser network! But for how long? In: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, CODASPY 2018, pp. 170–172. ACM, New York (2018). https://doi.org/10.1145/3176258.3176951

30.

Parra Rodriguez, J.D., Posegga, J.: Local storage on steroids: abusing web browsers for hidden content storage and distribution. In: Proceedings of the 14th International Conference on Security and Privacy in Communication Networks: SecureComm. Springer International Publishing (2018, to appear soon)

31.

Rodriguez, J.D.P., Posegga, J.: Why web servers should fear their clients. In: Thuraisingham, B., Wang, X.F., Yegneswaran, V. (eds.) SecureComm 2015. LNICST, vol. 164, pp. 401–417. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28865-9_22CrossRef

32.

Report, B.: Cryptojacking: 2017 Year-End Review. https://badpackets.net/cryptojacking-2017-year-end-review/. Accessed 15 Jan 2018

33.

Rieck, K., Krueger, T., Dewald, A.: Cujo: efficient detection and prevention of drive-by-download attacks. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010, pp. 31–39. ACM, Austin (2010)

34.

Snowflake (2016). https://trac.torproject.org/projects/tor/wiki/doc/Snowflake. Accessed 06 Apr 2018

35.

Telegraph, T.: YouTube shuts down hidden cryptojacking adverts. http://www.telegraph.co.uk/technology/2018/01/29/youtube-shuts-hidden-crypto-jacking-adverts/. Accessed 15 Jan 2018

36.

W3C: Same origin policy. https://www.w3.org/Security/wiki/Same_Origin_Policy. Accessed 20 Mar 2018

37.

Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP Is Dead, Long LiveCSP! On the insecurity of whitelists and the future of content security policy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1376–1387. ACM, New York (2016). https://doi.org/10.1145/2976749.2978363

38.

Weissbacher, M., Lauinger, T., Robertson, W.: Why is CSP failing? Trends and challenges in CSP adoption. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 212–233. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11379-1_11CrossRef

Title: When Your Browser Becomes the Paper Boy
Authors: Juan D. Parra Rodriguez
Eduard Brehm
Joachim Posegga
Publisher: Springer International Publishing
Book: ICT Systems Security and Privacy Protection
Print ISBN: 978-3-319-99827-5

Electronic ISBN: 978-3-319-99828-2

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-99828-2_7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner