Abstract
JavaScript execution and UI rendering are typically single-threaded; thus, the execution of some scripts can block the display of requested content to the browser screen. Web Workers is an API that enables web applications to spawn background workers in parallel to the main page. Despite the usefulness of concurrency, users are unaware of worker execution, intent, and impact on system resources. We show that workers can be used to abuse system resources by implementing a unique denial-of-service attack and resource depletion attack. We also show that workers can be used to perform stealthy computation and create covert channels. We discuss potential mitigations and implement a preliminary solution to increase user awareness of worker execution.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Networked medical devices to exceed 14 million unit sales in 2018, December 2013. https://www.parksassociates.com/blog/article/dec2013-medical-devices
Html5 security cheat sheet, April 2014. https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Web_Workers/
Aboukhadijeh, F.: Using the HTML5 fullscreen api for phishing attacks, October 2012. http://feross.org/html5-fullscreen-api-attack/. Accessed 27 May 2014
Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium, pp. 290–304. IEEE Computer Society (2010). http://dx.doi.org/10.1109/CSF.2010.27
Akhawe, D., Saxena, P., Song, D.: Privilege separation in html5 applications. In: Proceedings of the 21st USENIX Conference on Security Symposium, p. 23, August 2012. http://dl.acm.org/citation.cfm?id=2362793.2362816
Biniok, J.: Hash me if you can - a bitcoin miner that supports pure javscript, webworker and webgl mining (2015). https://github.com/derjanb/hamiyoca
Cabuk, S., Brodley, C.E., Shields, C.: Ip covert timing channels: Design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 04, pp. 178–187. ACM, New York (2004). http://doi.acm.org/10.1145/1030083.1030108
Clark, S.S., Ransford, B., Rahmati, A., Guineau, S., Sorber, J., Xu, W., Fu, K.: Wattsupdoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices. In: Presented as part of the 2013 USENIX Workshop on Health Information Technologies, USENIX (2013)
Glasser, D.: An interesting kind of javascript memory leak (2014). http://info.meteor.com/blog/an-interesting-kind-of-javascript-memory-leak
Group, W.H.A.T.W.: Web workers, July 2014. http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html
Hickson, I.: Web workers editor’s draft, 19 May 2014. http://www.w3.org/TR/workers/
Huskamp, J.C.: Covert communication channels in timesharing systems. Ph.D. thesis, California Univ., Berkeley (1978)
Kuppan, L.: Attacking with HTML5. In: Black Hat Abu Dhabi, October 2010. https://www.usenix.org/conference/healthsec12/workshop-program/presentation/Chang
Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973). http://doi.acm.org/10.1145/362375.362389
Rowland, C.H.: Covert channels in the tcp/ip protocol suite. First Monday B(5) (1997). http://firstmonday.org/ojs/index.php/fm/article/view/528
Sacco, A., Muttis, F.: Html5 heap sprays, pwn all the things (2012). https://eusecwest.com/speakers.html, eUSecWest
Son, S., Shmatikov, V.: The postman always rings twice: Attacking and defending postmessage in html5 websites. In: Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2013). http://dblp.uni-trier.de/db/conf/ndss/ndss2013.html#SonS13
Tian, Y., Liu, Y.C., Bhosale, A., Huang, L.S., Tague, P., Jackson, C.: All your screens are belong to us: Attacks exploiting the HTML5 screen sharing api. In: Proceedings of the 35th Annual IEEE Symposium on Security and Privacy (SP 2014), May 2014
Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 9. USENIX Association, Berkeley (2012). http://dl.acm.org/citation.cfm?id=2362793.2362802
Acknowledgments
This research was funded by the National Science Foundation under award number CNS-1329737. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the sponsors.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix: Health and Medical Systems
Health and medical systems are increasingly becoming networked. An industry report by Parks Associates predicts that networked medical systems will exceed 14 million sales in 2018 [1]. These medical systems often employ commodity operating systems such as Windows Embedded and can access and be accessed over the internet.
We investigate the effects of running stealthy computation on Baxa ExactaMix. The Baxa ExactaMix is an embedded health and medical system that mixes total parenteral nutrition and other multi-ingredient solutions. The compounder runs Windows XP Embedded 2002 Service Pack 2 and has a 664 MHz VIA C5\(\,\times \,\)86 CPU with 496 MB of memory [8]. It also has Internet Explorer version 6.0, which does not support HTML5 APIs. However, since the Baxa ExactaMix can access the internet, we can install a modern browser. We installed Firefox 29 at the time of this experiment. We note that modern medical systems use more recent operating systems and thus support Web Workers without installing a third-party browser.
In our experiment, we first start the Baxa ExactaMix and wait for it to run its clinical software. We then begin measuring the CPU, memory, and swap usage of the device to establish a baseline of activity. Next, we launch Firefox and navigate to a website that we control. This website uses a worker to perform our stealthy computation, specifically, the DoS attack we describe earlier in Sect. 5. We continue our measurements for 3 min.
Results. We note a clear delineation between pre- and post-worker computation in Fig. 5. Memory and swap usage are at 60 % and 20 %, respectively, when the Baxa ExactaMix first starts. As this is a single-core device, the CPU utilization remains high for the entire experiment because all processes are scheduled to execute on the same core. We note linearly increasing memory usage and a near-instantaneous spike in swap usage to 60 % when we visit our website that performs the stealthy computation.
Appendix: Linux Stealthy Computation
We experiment with stealthy computation on other operating systems. We find that Chrome 48.0.2564.103 and Firefox 41.0.2 in Ubuntu 15.10 both allow stealthy computation using web workers. Figure 6 illustrates CPU and memory throttling in Chrome and Firefox. We can use these primitives to implement our covert channel as described in Sect. 6.
We also test our DoS attack described in Sect. 5.1. This attack does not work in Ubuntu, and Linux in general, because of how virtual memory and processes are managed. Specifically, virtual memory consists both of RAM and swap space. Swap space is managed as a file or partition on the hard disk, and holds inactive memory pages. We fill the swap to its maximum allowed space and note that the system becomes unresponsive. However, modern Linux distributions will terminate processes that consume resources, thus, we notice that free memory decreases and then rapidly increases when the process is killed in Fig. 6.
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Rushanan, M., Russell, D., Rubin, A.D. (2016). MalloryWorker: Stealthy Computation and Covert Channels Using Web Workers. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science(), vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-46598-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2
eBook Packages: Computer ScienceComputer Science (R0)