MalloryWorker: Stealthy Computation and Covert Channels Using Web Workers

  • Michael RushananEmail author
  • David Russell
  • Aviel D. Rubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)


JavaScript execution and UI rendering are typically single-threaded; thus, the execution of some scripts can block the display of requested content to the browser screen. Web Workers is an API that enables web applications to spawn background workers in parallel to the main page. Despite the usefulness of concurrency, users are unaware of worker execution, intent, and impact on system resources. We show that workers can be used to abuse system resources by implementing a unique denial-of-service attack and resource depletion attack. We also show that workers can be used to perform stealthy computation and create covert channels. We discuss potential mitigations and implement a preliminary solution to increase user awareness of worker execution.


Web security Stealthy computation Covert channel 



This research was funded by the National Science Foundation under award number CNS-1329737. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the sponsors.


  1. 1.
    Networked medical devices to exceed 14 million unit sales in 2018, December 2013.
  2. 2.
  3. 3.
    Aboukhadijeh, F.: Using the HTML5 fullscreen api for phishing attacks, October 2012. Accessed 27 May 2014
  4. 4.
    Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium, pp. 290–304. IEEE Computer Society (2010).
  5. 5.
    Akhawe, D., Saxena, P., Song, D.: Privilege separation in html5 applications. In: Proceedings of the 21st USENIX Conference on Security Symposium, p. 23, August 2012.
  6. 6.
    Biniok, J.: Hash me if you can - a bitcoin miner that supports pure javscript, webworker and webgl mining (2015).
  7. 7.
    Cabuk, S., Brodley, C.E., Shields, C.: Ip covert timing channels: Design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 04, pp. 178–187. ACM, New York (2004).
  8. 8.
    Clark, S.S., Ransford, B., Rahmati, A., Guineau, S., Sorber, J., Xu, W., Fu, K.: Wattsupdoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices. In: Presented as part of the 2013 USENIX Workshop on Health Information Technologies, USENIX (2013)Google Scholar
  9. 9.
    Glasser, D.: An interesting kind of javascript memory leak (2014).
  10. 10.
  11. 11.
    Hickson, I.: Web workers editor’s draft, 19 May 2014.
  12. 12.
    Huskamp, J.C.: Covert communication channels in timesharing systems. Ph.D. thesis, California Univ., Berkeley (1978)Google Scholar
  13. 13.
    Kuppan, L.: Attacking with HTML5. In: Black Hat Abu Dhabi, October 2010.
  14. 14.
    Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973). Google Scholar
  15. 15.
    Rowland, C.H.: Covert channels in the tcp/ip protocol suite. First Monday B(5) (1997).
  16. 16.
    Sacco, A., Muttis, F.: Html5 heap sprays, pwn all the things (2012)., eUSecWest
  17. 17.
    Son, S., Shmatikov, V.: The postman always rings twice: Attacking and defending postmessage in html5 websites. In: Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2013).
  18. 18.
    Tian, Y., Liu, Y.C., Bhosale, A., Huang, L.S., Tague, P., Jackson, C.: All your screens are belong to us: Attacks exploiting the HTML5 screen sharing api. In: Proceedings of the 35th Annual IEEE Symposium on Security and Privacy (SP 2014), May 2014Google Scholar
  19. 19.
    Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 9. USENIX Association, Berkeley (2012).

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Michael Rushanan
    • 1
    Email author
  • David Russell
    • 1
  • Aviel D. Rubin
    • 1
  1. 1.Department of Computer ScienceJohns Hopkins UniversityBaltimoreUSA

Personalised recommendations