Your SlideShare is downloading. ×
  • Like
Distributed computing in browsers as client side attack
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Distributed computing in browsers as client side attack

  • 2,016 views
Published

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
2,016
On SlideShare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
16
Comments
3
Likes
3

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Distributed computingas a client-side attackDEFCON Russia, DCG-781221/02/2013 Saint-Petersburg, Yandex
  • 2. Browsers security basics● Same Origin Policy● Content Security Policy● SSL/PKI features ...● And what about PC resources ?
  • 3. Resources which availableto site through browser● CPU/GPU utilization● RAM● Local storages● Network connections
  • 4. Resources which availableto site through browser● CPU/GPU utilization● RAM● Local storages● Network connections <- nothing new
  • 5. Distributed computing inbrowsers not so new theme● Browser-based distributed evolutionary computation: performance and scaling behavior [2007] ○ http://dl.acm.org/citation.cfm?id=1274083● Unwitting distributed genetic programming via asynchronous JavaScript and XML [2007] ○ http://dl.acm.org/citation.cfm?id=1277282
  • 6. But its may be used as aclient-side attack● XSS● CSRF● SWF malware via ad-networks● Cache-poisoning● CDN hacks
  • 7. CPU/GPU usagerestrictions● Max execution time per page● Freeze timeouts● Problems for user (cursor freeze, etc)
  • 8. CPU/GPU usagerestrictions bypasses● Web workers● Low content transferring● Distracting users attention (i.e. video)
  • 9. ● Classic COOKIES● Web Storage (HTML5, localStorage, sessionStorage objects)● FileAPI (HTML5)● Flash Local Shared Objects (LSO, flash cookies)
  • 10. Local storages restrictions
  • 11. Local storages restrictions● Flash Local Shared Objects (LSO, flash cookies): 50Kb per domain● Freeze timeout● Problems for user (cursor freeze, etc)
  • 12. Where i can store myrainbows?● 100000 subdomains ○ 10000 * 50Kb = 5Gb per each clients browser (5-10 minutes to fill it)● 500 unique visitors on your blog ○ 500 * 5Gb = 2.5Tb data for you ;)
  • 13. How fast JavaScript?● MD5 (http://jsperf.com/md5-shootout)● MacBook Air mid 2011 http://support.apple. com/kb/SP631
  • 14. JavaScript vs HD6990● AMD Radeon HD6990 + oclHashcat-lite: ○ 11*10^9 ops/sec● MacBook Air mid 2011 + jkm JS + Chrome 24.0.1312 ○ 2,4*10^5 ops/sec (less than 5*10^4 times) = x 50000
  • 15. How fast Flash?http://www.blooddy.by/ru/crypto/benchmark/● SHA-256 ○ mx.utils.SHA256 ○ as3corelib ○ blooddy● MD5 ○ as3corelib ○ blooddy
  • 16. How fast Flash?http://www.blooddy.by/ru/crypto/benchmark/● SHA-256 ○ mx.utils.SHA256 ○ as3corelib ○ blooddy [x8 faster]● MD5 ○ as3corelib ○ blooddy [x10 faster]
  • 17. How fast Flash?
  • 18. How fast Flash?Make it faster using optimization! Or not :)))● None - 1,7*10^5 ops/sec● Level 1 - 1,7*10^5● Level 2 - 1,7*10^5
  • 19. ???@ONsec_Lab [http://lab.ONsec.ru]@d0znppd0znpp@onsec.ru