SEISMIC: SEcure In-lined Script Monitors for Interrupting Cryptojacks

  • Wenhao Wang
  • Benjamin Ferrell
  • Xiaoyang Xu
  • Kevin W. Hamlen
  • Shuang Hao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11099)

Abstract

A method of detecting and interrupting unauthorized, browser-based cryptomining is proposed, based on semantic signature-matching. The approach addresses a new wave of cryptojacking attacks, including XSS-assisted, web gadget-exploiting counterfeit mining. Evaluation shows that the approach is more robust than current static code analysis defenses, which are susceptible to code obfuscation attacks. An implementation based on in-lined reference monitoring offers a browser-agnostic deployment strategy that is applicable to average end-user systems without specialized hardware or operating systems.
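The abstract names two ingredients, semantic signature-matching and in-lined reference monitoring, without spelling out how they fit together. The JavaScript below is an added illustration of that combination; it is not SEISMIC's code and is not taken from the paper. It treats a window of executed WebAssembly-style opcode names as a normalised histogram, scores each window against a mining signature by cosine similarity, and stops the instrumented workload once the score crosses a threshold. The opcode profiles (`MINER_PROFILE`, `BENIGN_PROFILE`), the window size, the threshold and the deterministic workload sampler are all assumptions constructed for this example.

```javascript
// Added example: a semantic-signature monitor that an in-lined reference
// monitor could call once per executed instruction. Everything below is
// constructed for illustration; it is not the SEISMIC implementation.

// Constructed opcode-frequency signatures (assumed, not measured).
const MINER_PROFILE = {
  "i32.add": 0.26, "i32.xor": 0.22, "i32.shl": 0.14, "i32.shr_u": 0.14,
  "i32.and": 0.12, "i32.load": 0.12,
};
const BENIGN_PROFILE = {
  "f64.mul": 0.35, "f64.add": 0.30, "i32.load": 0.15, "call": 0.10,
  "local.get": 0.10,
};

// Normalised opcode histogram of a trace window.
function histogram(ops) {
  const counts = new Map();
  for (const op of ops) counts.set(op, (counts.get(op) || 0) + 1);
  const h = {};
  for (const [op, c] of counts) h[op] = c / ops.length;
  return h;
}

// Cosine similarity over the union of opcode keys (0 when either side is empty).
function cosineSimilarity(a, b) {
  let dot = 0, na = 0, nb = 0;
  for (const k of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const x = a[k] || 0, y = b[k] || 0;
    dot += x * y; na += x * x; nb += y * y;
  }
  return na && nb ? dot / Math.sqrt(na * nb) : 0;
}

// The monitor: observe(op) is the hook the in-lined instrumentation calls.
// It returns false once the policy (similarity >= threshold) is violated,
// which is the signal for the instrumented code to stop.
function createMonitor(signature, { windowSize = 1000, threshold = 0.9 } = {}) {
  const buffer = [];
  const verdicts = [];
  let interrupted = false;
  return {
    observe(op) {
      if (interrupted) return false;
      buffer.push(op);
      if (buffer.length === windowSize) {
        const score = cosineSimilarity(histogram(buffer), signature);
        verdicts.push(score);
        buffer.length = 0;
        if (score >= threshold) interrupted = true;
      }
      return !interrupted;
    },
    get interrupted() { return interrupted; },
    get verdicts() { return verdicts; },
  };
}

// Deterministic sampler (LCG) that emits opcodes according to a profile;
// stands in for a real execution trace so the example runs offline.
function sampler(profile, seed) {
  let state = seed >>> 0;
  const entries = Object.entries(profile);
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    let r = state / 4294967296;
    for (const [op, p] of entries) { r -= p; if (r < 0) return op; }
    return entries[entries.length - 1][0];
  };
}

// Runs a synthetic workload under the monitor; returns how many
// instructions were allowed to execute before the monitor interrupted.
function runWorkload(profile, steps, seed, monitor) {
  const next = sampler(profile, seed);
  let executed = 0;
  for (let i = 0; i < steps; i++) {
    if (!monitor.observe(next())) break;
    executed++;
  }
  return executed;
}

const minerMonitor = createMonitor(MINER_PROFILE);
console.log("miner workload halted after", runWorkload(MINER_PROFILE, 5000, 7, minerMonitor), "ops");
const benignMonitor = createMonitor(MINER_PROFILE);
console.log("benign workload ran", runWorkload(BENIGN_PROFILE, 5000, 7, benignMonitor), "ops");
```

The design point is that the monitor keys on the distribution of operations actually executed, not on the script's text, which is why the abstract can claim robustness against code obfuscation: renaming or reordering source does not change the opcode histogram the monitor sees. A real deployment would obtain the opcode stream from instrumentation injected into the WebAssembly module and would calibrate the signature and threshold empirically.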

Keywords

Web security, WebAssembly, Cryptomining, Intrusion detection, In-lined reference monitors

Acknowledgments

This research was supported in part by NSF award #1513704, ONR award N00014-17-1-2995, AFOSR award FA9550-14-1-0173, and an NSF I/UCRC award from Lockheed-Martin.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Wenhao Wang (1)
  • Benjamin Ferrell (1)
  • Xiaoyang Xu (1)
  • Kevin W. Hamlen (1)
  • Shuang Hao (1)

  1. The University of Texas at Dallas, Richardson, USA