Your SlideShare is downloading. ×
0
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Distributed computing in browsers as client side attack

2,156

Published on

3 Comments
3 Likes
Statistics
Notes
No Downloads
Views
Total Views
2,156
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
17
Comments
3
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. Distributed computingas a client-side attackDEFCON Russia, DCG-781221/02/2013 Saint-Petersburg, Yandex
  2. Browsers security basics● Same Origin Policy● Content Security Policy● SSL/PKI features ...● And what about PC resources ?
  3. Resources which availableto site through browser● CPU/GPU utilization● RAM● Local storages● Network connections
  4. Resources which availableto site through browser● CPU/GPU utilization● RAM● Local storages● Network connections <- nothing new
  5. Distributed computing inbrowsers not so new theme● Browser-based distributed evolutionary computation: performance and scaling behavior [2007] ○ http://dl.acm.org/citation.cfm?id=1274083● Unwitting distributed genetic programming via asynchronous JavaScript and XML [2007] ○ http://dl.acm.org/citation.cfm?id=1277282
  6. But its may be used as aclient-side attack● XSS● CSRF● SWF malware via ad-networks● Cache-poisoning● CDN hacks
  7. CPU/GPU usagerestrictions● Max execution time per page● Freeze timeouts● Problems for user (cursor freeze, etc)
  8. CPU/GPU usagerestrictions bypasses● Web workers● Low content transferring● Distracting users attention (i.e. video)
  9. ● Classic COOKIES● Web Storage (HTML5, localStorage, sessionStorage objects)● FileAPI (HTML5)● Flash Local Shared Objects (LSO, flash cookies)
  10. Local storages restrictions
  11. Local storages restrictions● Flash Local Shared Objects (LSO, flash cookies): 50Kb per domain● Freeze timeout● Problems for user (cursor freeze, etc)
  12. Where i can store myrainbows?● 100000 subdomains ○ 10000 * 50Kb = 5Gb per each clients browser (5-10 minutes to fill it)● 500 unique visitors on your blog ○ 500 * 5Gb = 2.5Tb data for you ;)
  13. How fast JavaScript?● MD5 (http://jsperf.com/md5-shootout)● MacBook Air mid 2011 http://support.apple. com/kb/SP631
  14. JavaScript vs HD6990● AMD Radeon HD6990 + oclHashcat-lite: ○ 11*10^9 ops/sec● MacBook Air mid 2011 + jkm JS + Chrome 24.0.1312 ○ 2,4*10^5 ops/sec (less than 5*10^4 times) = x 50000
  15. How fast Flash?http://www.blooddy.by/ru/crypto/benchmark/● SHA-256 ○ mx.utils.SHA256 ○ as3corelib ○ blooddy● MD5 ○ as3corelib ○ blooddy
  16. How fast Flash?http://www.blooddy.by/ru/crypto/benchmark/● SHA-256 ○ mx.utils.SHA256 ○ as3corelib ○ blooddy [x8 faster]● MD5 ○ as3corelib ○ blooddy [x10 faster]
  17. How fast Flash?
  18. How fast Flash?Make it faster using optimization! Or not :)))● None - 1,7*10^5 ops/sec● Level 1 - 1,7*10^5● Level 2 - 1,7*10^5
  19. ???@ONsec_Lab [http://lab.ONsec.ru]@d0znppd0znpp@onsec.ru

×