Abstract
WebGL is a browser feature that enables JavaScript-based control of the graphics processing unit (GPU) to render interactive 3D and 2D graphics, without the use of plug-ins. Exploiting WebGL for attacks will affect billions of users, since browsers serve as the main interaction mechanism with the World Wide Web. This paper explores the potential threats derived from the recent move by browsers from WebGL 1.0 to the more powerful WebGL 2.0. We focus on the possible abuses of this feature in the context of distributed cryptocurrency mining. Our evaluation of the attacks also includes the practical aspects of successful attacks, such as stealthiness and user experience. Considering the danger of WebGL abuse, as observed in the experiments, we designed and evaluated a proactive defense. We implemented a Chrome extension that proved itself effective in detecting and blocking WebGL. We demonstrate the major improvements of WebGL 2.0, and our results show that it is possible to use WebGL 2.0 in distributed attacks under real-world conditions. Although WebGL 2.0 shows hash rates similar to those of CPU-based techniques, WebGL 2.0 proved to be significantly harder to detect and has a lesser effect on user experience.
Acknowledgements
This research was supported by a grant from the Ministry of Science and Technology, Israel.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Belkin, A., Gelernter, N., Cidon, I. (2019). The Risks of WebGL: Analysis, Evaluation and Detection. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_26
DOI: https://doi.org/10.1007/978-3-030-29962-0_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0
eBook Packages: Computer Science, Computer Science (R0)