MalloryWorker: Stealthy Computation and Covert Channels Using Web Workers

Rushanan, Michael; Russell, David; Rubin, Aviel D.

doi:10.1007/978-3-319-46598-2_14

MalloryWorker: Stealthy Computation and Covert Channels Using Web Workers

Michael Rushanan¹⁶,
David Russell¹⁶ &
Aviel D. Rubin¹⁶

Conference paper
First Online: 17 September 2016

791 Accesses
4 Citations
4 Altmetric

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9871))

Abstract

JavaScript execution and UI rendering are typically single-threaded; thus, the execution of some scripts can block the display of requested content to the browser screen. Web Workers is an API that enables web applications to spawn background workers in parallel to the main page. Despite the usefulness of concurrency, users are unaware of worker execution, intent, and impact on system resources. We show that workers can be used to abuse system resources by implementing a unique denial-of-service attack and resource depletion attack. We also show that workers can be used to perform stealthy computation and create covert channels. We discuss potential mitigations and implement a preliminary solution to increase user awareness of worker execution.

This is a preview of subscription content, log in via an institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

Networked medical devices to exceed 14 million unit sales in 2018, December 2013. https://www.parksassociates.com/blog/article/dec2013-medical-devices
Html5 security cheat sheet, April 2014. https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Web_Workers/
Aboukhadijeh, F.: Using the HTML5 fullscreen api for phishing attacks, October 2012. http://feross.org/html5-fullscreen-api-attack/. Accessed 27 May 2014
Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium, pp. 290–304. IEEE Computer Society (2010). http://dx.doi.org/10.1109/CSF.2010.27
Akhawe, D., Saxena, P., Song, D.: Privilege separation in html5 applications. In: Proceedings of the 21st USENIX Conference on Security Symposium, p. 23, August 2012. http://dl.acm.org/citation.cfm?id=2362793.2362816
Biniok, J.: Hash me if you can - a bitcoin miner that supports pure javscript, webworker and webgl mining (2015). https://github.com/derjanb/hamiyoca
Cabuk, S., Brodley, C.E., Shields, C.: Ip covert timing channels: Design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 04, pp. 178–187. ACM, New York (2004). http://doi.acm.org/10.1145/1030083.1030108
Clark, S.S., Ransford, B., Rahmati, A., Guineau, S., Sorber, J., Xu, W., Fu, K.: Wattsupdoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices. In: Presented as part of the 2013 USENIX Workshop on Health Information Technologies, USENIX (2013)
Google Scholar
Glasser, D.: An interesting kind of javascript memory leak (2014). http://info.meteor.com/blog/an-interesting-kind-of-javascript-memory-leak
Group, W.H.A.T.W.: Web workers, July 2014. http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html
Hickson, I.: Web workers editor’s draft, 19 May 2014. http://www.w3.org/TR/workers/
Huskamp, J.C.: Covert communication channels in timesharing systems. Ph.D. thesis, California Univ., Berkeley (1978)
Google Scholar
Kuppan, L.: Attacking with HTML5. In: Black Hat Abu Dhabi, October 2010. https://www.usenix.org/conference/healthsec12/workshop-program/presentation/Chang
Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973). http://doi.acm.org/10.1145/362375.362389
Google Scholar
Rowland, C.H.: Covert channels in the tcp/ip protocol suite. First Monday B(5) (1997). http://firstmonday.org/ojs/index.php/fm/article/view/528
Sacco, A., Muttis, F.: Html5 heap sprays, pwn all the things (2012). https://eusecwest.com/speakers.html, eUSecWest
Son, S., Shmatikov, V.: The postman always rings twice: Attacking and defending postmessage in html5 websites. In: Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2013). http://dblp.uni-trier.de/db/conf/ndss/ndss2013.html#SonS13
Tian, Y., Liu, Y.C., Bhosale, A., Huang, L.S., Tague, P., Jackson, C.: All your screens are belong to us: Attacks exploiting the HTML5 screen sharing api. In: Proceedings of the 35th Annual IEEE Symposium on Security and Privacy (SP 2014), May 2014
Google Scholar
Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 9. USENIX Association, Berkeley (2012). http://dl.acm.org/citation.cfm?id=2362793.2362802

Download references

Acknowledgments

This research was funded by the National Science Foundation under award number CNS-1329737. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the sponsors.

Author information

Authors and Affiliations

Department of Computer Science, Johns Hopkins University, Baltimore, MD, USA
Michael Rushanan, David Russell & Aviel D. Rubin

Authors

Michael Rushanan
View author publications
You can also search for this author in PubMed Google Scholar
David Russell
View author publications
You can also search for this author in PubMed Google Scholar
Aviel D. Rubin
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Michael Rushanan .

Editor information

Editors and Affiliations

IMDEA Software Institute , Pozuelo de Alarcón, Madrid, Spain
Gilles Barthe
Dept Comp Sci, Vassilika Vouton, Univ of Crete Dept Comp Sci, Vassilika Vouton, Heraklion, Crete, Greece
Evangelos Markatos
Dipto di Informatica, Univ degli Studi di Milano Dipto di Informatica, Crema, Italy
Pierangela Samarati

Appendices

Appendix: Health and Medical Systems

Health and medical systems are increasingly becoming networked. An industry report by Parks Associates predicts that networked medical systems will exceed 14 million sales in 2018 [1]. These medical systems often employ commodity operating systems such as Windows Embedded and can access and be accessed over the internet.

We investigate the effects of running stealthy computation on Baxa ExactaMix. The Baxa ExactaMix is an embedded health and medical system that mixes total parenteral nutrition and other multi-ingredient solutions. The compounder runs Windows XP Embedded 2002 Service Pack 2 and has a 664 MHz VIA C5\(\,\times \,\)86 CPU with 496 MB of memory [8]. It also has Internet Explorer version 6.0, which does not support HTML5 APIs. However, since the Baxa ExactaMix can access the internet, we can install a modern browser. We installed Firefox 29 at the time of this experiment. We note that modern medical systems use more recent operating systems and thus support Web Workers without installing a third-party browser.

In our experiment, we first start the Baxa ExactaMix and wait for it to run its clinical software. We then begin measuring the CPU, memory, and swap usage of the device to establish a baseline of activity. Next, we launch Firefox and navigate to a website that we control. This website uses a worker to perform our stealthy computation, specifically, the DoS attack we describe earlier in Sect. 5. We continue our measurements for 3 min.

Results. We note a clear delineation between pre- and post-worker computation in Fig. 5. Memory and swap usage are at 60 % and 20 %, respectively, when the Baxa ExactaMix first starts. As this is a single-core device, the CPU utilization remains high for the entire experiment because all processes are scheduled to execute on the same core. We note linearly increasing memory usage and a near-instantaneous spike in swap usage to 60 % when we visit our website that performs the stealthy computation.

Appendix: Linux Stealthy Computation

We experiment with stealthy computation on other operating systems. We find that Chrome 48.0.2564.103 and Firefox 41.0.2 in Ubuntu 15.10 both allow stealthy computation using web workers. Figure 6 illustrates CPU and memory throttling in Chrome and Firefox. We can use these primitives to implement our covert channel as described in Sect. 6.

We also test our DoS attack described in Sect. 5.1. This attack does not work in Ubuntu, and Linux in general, because of how virtual memory and processes are managed. Specifically, virtual memory consists both of RAM and swap space. Swap space is managed as a file or partition on the hard disk, and holds inactive memory pages. We fill the swap to its maximum allowed space and note that the system becomes unresponsive. However, modern Linux distributions will terminate processes that consume resources, thus, we notice that free memory decreases and then rapidly increases when the process is killed in Fig. 6.

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Rushanan, M., Russell, D., Rubin, A.D. (2016). MalloryWorker: Stealthy Computation and Covert Channels Using Web Workers. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science(), vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_14

Download citation

DOI: https://doi.org/10.1007/978-3-319-46598-2_14
Published: 17 September 2016
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics