Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Just enough bitcoing to go cryptojacking with JavaScript

Just enough bitcoing to go cryptojacking with JavaScript

Whatever their price, Bitcoin and cryptocurrencies continue to provide interesting technical and security opportunities. This talk gives a comprehensive introduction of bitcoin & cryptocurrency technology, and then analyzes how cryptojacking attacks are executed with JavaScript.

luke crouch

April 12, 2019
Tweet

More Decks by luke crouch

Other Decks in Technology

Transcript

  1. Just enough bitcoin to go
    cryptojacking with Javascript

    View Slide

  2. About me
    Privacy & Security Engineer
    Vice President

    View Slide

  3. View Slide

  4. View Slide

  5. Just enough bitcoin to go
    cryptojacking with Javascript

    View Slide

  6. 2 parts to this talk
    • Cryptocurrency

    • Crypto-jacking attacks with web APIs

    View Slide

  7. Bitcoin and
    Cryptocurrency
    Technologies
    A Comprehensive
    Introduction

    View Slide

  8. Khan Acadmy: Journey into
    cryptography: modern cryptography
    https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

    View Slide


  9. This talk will actually
    cover cryptography

    View Slide


  10. Spoiler Alert:
    There’s no “encryption”
    in cryptocurrencies

    View Slide


  11. This talk will not
    cover the crypto math

    View Slide


  12. (maybe just a little)

    View Slide

  13. The “crypto” in
    cryptocurrency
    • Cryptographic hash functions

    • Hash Pointers

    • Blockchain

    • Public Key Cryptography

    • Digital Signatures

    View Slide

  14. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  15. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  16. H(message)
    hash
    message We the People of the
    United States

    until an election of
    Representatives shall
    have intervened.
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    View Slide

  17. “hash” function
    • Maps data of arbitrary size into data of a fixed size

    • e.g., justTheFirstLetter(string)

    • justTheFirstLetter(“hash”) // returns h
    • justTheFirstLetter(“function”) // returns f
    • justTheFirstLetter(“returns”) // returns r
    • justTheFirstLetter(“fixed-size”) // returns f

    View Slide

  18. cryptographic hash function
    • resists “collisions”
    • hides original (plaintext) message

    View Slide

  19. “hash” function
    • e.g., justTheFirstLetter(string)

    • justTheFirstLetter(“hash”) // returns h
    • justTheFirstLetter(“function”) // returns f
    • justTheFirstLetter(“returns”) // returns r
    • justTheFirstLetter(“fixed-size”) // returns f

    View Slide

  20. H(message)
    hash collision!
    message “The bearer of this
    note may redeem it
    for one dollar by
    presenting it to me”
    51a6b3
    We the People of the
    United States

    until an election of
    Representatives shall
    have intervened.
    resist collisions: 2 different messages
    shouldn’t produce the same hash

    View Slide

  21. hiding: “1-way” function

    View Slide

  22. 51a6b3
    hiding: given the hash,
    not feasible to find the message
    ?
    ?

    View Slide

  23. H(message)
    easy-to-find hashes
    message
    tails
    3e5368
    heads
    hiding: what if there are only
    2 possible messages?
    22814c

    View Slide

  24. tails
    3e5368
    heads
    hiding: what if there are only
    2 possible messages?
    22814c
    3e5368
    ?
    heads

    View Slide

  25. H(message || nonce)
    hash
    message tails
    dc66ec
    heads
    hiding: add random value:
    “nonce” or “salt”
    0f2c72
    nonce a a

    View Slide

  26. H()
    hash
    message tails
    dc66ec
    heads
    hiding: add random value:
    “nonce”
    0f2c72
    nonce
    tails
    3e5368
    heads
    22814c
    a a

    View Slide

  27. tails
    dc66ec
    heads
    hiding: add random value:
    “nonce”
    0f2c72
    tails
    3e5368
    heads
    22814c
    a a
    tails
    8d23aa
    heads
    15db7d
    b b

    View Slide

  28. ?
    message
    hash dc66ec
    hiding: given the hash, not feasible
    to find the message or nonce
    ?
    ?
    nonce ?

    View Slide

  29. cryptographic hash function

    for cryptocurrency
    • resists “collisions”
    • hides original (plaintext) message
    • for cryptocurrency: “puzzle friendly”

    View Slide

  30. puzzle friendliness
    Given hash output and part of input (i.e., the
    nonce), it’s “hard” (but not infeasible) to find the
    input

    View Slide

  31. hiding vs. puzzle-friendly
    https://stackoverflow.com/questions/42042840/properties-of-a-cryptographic-hash-function

    View Slide

  32. “hard”/“difficult”

    vs.

    “infeasible”

    View Slide

  33. message
    hash dc66ec
    puzzle-friendly: given the hash and
    nonce, hard to find a message
    lots of work
    nonce 123456
    message
    lots of work

    View Slide

  34. openssl to hash messages
    echo “The bearer of this note may
    redeem it for one dollar by presenting
    it to me” | openssl sha256
    51a6b38fd78e5e20246bd0103668056a2a8981274e9487ea3f18158e59b690e7
    echo “We the People of the United
    States … until an election of
    Representatives shall have
    intervened.” | openssl sha256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    View Slide

  35. sha256:
    Secure Hash Algorithm
    (with 256-bit digests)

    View Slide

  36. Note: sha256
    is what bitcoin uses!

    View Slide

  37. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  38. H( ) = e3b0c4
    We the People of the
    United States

    until an election of
    Representatives shall
    have intervened.
    hash pointer:
    where full plaintext data is stored, AND a
    cryptographic hash of the data

    View Slide

  39. hash pointers
    enable everyone else to
    verify the truth of the data

    View Slide

  40. so, hashes might give us
    confidentiality - i.e., to
    keep something secret

    View Slide

  41. but these hash pointers
    give us integrity …
    … NOT confidentiality

    View Slide

  42. Remember: there’s not necessarily
    “encryption” (i.e., confidentiality)

    in cryptocurrency

    View Slide

  43. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  44. prev: H()

    e3b0c4
    block chain:
    linked list of hash pointers
    prev: H()

    f4c1d5
    data data
    prev: H()

    05d2e6
    data

    View Slide

  45. Now we can have a tamper-proof
    ledger (of digital dollars)!
    prev: H()

    e3b0c4
    prev: H()

    f4c1d5
    “The bearer of this
    note may redeem it
    for one dollar by
    presenting it to me”
    prev: H()

    05d2e6
    “The bearer of this
    note may redeem it
    for one dollar by
    presenting it to me”
    “The bearer of this
    note may redeem it
    for one dollar by
    presenting it to me”

    View Slide

  46. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  47. Public Key
    Cryptography
    It gives us public & private keys!

    View Slide

  48. Khan Acadmy: Journey into
    cryptography: modern cryptography
    https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

    View Slide

  49. The quick version …

    View Slide

  50. … nevermind, the quick
    version was still too long.

    View Slide

  51. 1-way mathematical function:
    modular exponentiation

    View Slide

  52. Symmetric Encryption requires extra
    communication overhead in Diffie-Hellman
    Key Exchange

    View Slide

  53. Alice has to exchange extra messages
    to establish a unique key with everyone

    View Slide

  54. Alice has to manage tons of
    keys

    View Slide

  55. Instead, Alice needs a

    public “lock” she can copy and share with
    anyone, and a single private “key” …

    View Slide

  56. … to do this, you need a
    “trap door 1-way function”

    View Slide

  57. … a “trap door 1-way function” is a 1-way
    function that is infeasible to reverse …

    View Slide

  58. … a “trap door 1-way function” is a 1-way
    function that is infeasible to reverse … unless
    you have a secret piece of information

    View Slide

  59. mathematical trapdoor 1-way function:
    modular exponentiation and phi

    View Slide

  60. math math math
    • Phi function of large numbers is infeasible to
    calculate, *except* for prime numbers
    • Multiplying large prime numbers is infeasible to
    reverse
    • The “Prime Factorization” problem
    • Euler’s Theorem shows that mphi(n) ≅1 mod n.

    View Slide

  61. math and keys!

    View Slide

  62. Most important to us:
    math says the public key can be public 

    while the secret key stays secret

    View Slide

  63. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  64. digital signatures:
    required properties
    • Only you can sign your
    signature, but anyone can
    verify that it’s valid



    • The signature is attached to a
    single document - it can’t be
    used to indicate you agree to
    a different document

    View Slide

  65. signature = sign(secret key, message)
    “The bearer of this
    note may redeem it
    for one dollar by
    presenting it to me”
    -with love,
    from Luke

    View Slide

  66. valid = verify(public key, message, signature)
    “The bearer of this
    note may redeem it
    for one dollar by
    presenting it to me”
    -with love,
    from Luke

    View Slide

  67. where do
    secret & public keys
    come from?

    View Slide

  68. from decades of
    “math math math”
    written into libraries

    View Slide

  69. openssl to create
    secret & public keys
    openssl ecparam -genkey -name
    secp256k1 -rand /dev/urandom -out \
    /Users/lcrouch/secret_key
    openssl ec -in /Users/lcrouch/
    secret_key -pubout -out \
    /Users/lcrouch/public_key

    View Slide

  70. openssl to
    sign & verify
    openssl dgst -sign secret_key message
    -out luke_dollar.signed
    openssl dgst -verify public_key 

    -signature luke_dollar.signed
    valid

    View Slide

  71. digital signatures
    enable everyone else to verify
    the authenticity of the data

    View Slide

  72. authenticity
    the person writing the
    data

    View Slide

  73. The “crypto” in
    cryptocurrency gives us …
    • Integrity, from
    • Blockchain, from
    • Hash pointers, from
    • Hash functions
    • Authenticity,

    Non-repudiation, from
    • Digital Signatures, from
    • Public Key Cryptography
    … not encryption for
    confidentiality

    View Slide

  74. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  75. Now we have enough
    cryptographic primitives to build
    a (really bad) cryptocurrency

    View Slide

  76. “Goofycoin”
    cryptocurrency

    View Slide

  77. Goofycoin
    1. Designated entity - Goofy - can create new
    coins anytime and coins belong to Goofy
    2. Whoever owns a coin can transfer it to
    someone else

    View Slide

  78. Goofy creates coins
    • Generates unique coin ID: 001
    • Makes message: “CreateCoin 001”
    • Hashes and signs message as H(1) with secret key

    View Slide

  79. Goofy transfers coin to Alice
    • New message:

    “Starting at H(1), PayCoin 001 to Alice”
    • Note: Alice = Alice’s public key / address
    • Hashes and signs message as H(2) with secret key

    View Slide

  80. Alice transfers coin to Bob
    • New message:

    “Starting at H(2), PayCoin 001 to Bob”
    • Note: Bob = Bob’s public key / address
    • Hashes and signs message as H(3) with secret key

    View Slide

  81. Now we can have a tamper-proof
    ledger of transactions!
    CreateCoin
    001
    Goofy
    PayCoin:
    001
    Alice
    Goofy
    H( )
    Alice
    H( )
    PayCoin:
    001
    Bob

    View Slide

  82. Goofycoin
    1. Designated entity - Goofy - can create new
    coins anytime and coins belong to Goofy
    2. Whoever owns a coin can transfer it to
    someone else
    3. Anyone can verify coin ownership by following
    block-chain back to Goofy

    View Slide

  83. Security problem:
    Double-spend

    View Slide

  84. Alice can pay the
    same coin to Chuck
    CreateCoin
    [12345]
    Goofy
    PayCoin:
    [12345]
    Alice
    Goofy
    H( )
    Alice
    H( )
    PayCoin:
    [12345]
    Bob
    Alice
    H( )
    PayCoin:
    [12345]
    Chuck

    View Slide

  85. How do we decide which
    ledger is the truth?

    View Slide

  86. “Scroogecoin”
    cryptocurrency

    View Slide

  87. Scroogecoin
    • Goofycoin +
    • Designated entity - Scrooge - publishes the
    canonical public ledger of all transactions
    • Everyone broadcasts coin transactions to
    Scrooge
    • Only accept coins in Scrooge’s public ledger

    View Slide

  88. Scroogecoin
    • Scrooge builds block chain to digitally sign
    • Each block has a transaction in it
    • ID
    • contents
    • hash point to previous block
    • Scrooge signs final hash pointer
    • Scrooge publishes signature and block chain

    View Slide

  89. Scroogecoin Transactions
    • CreateCoins
    • PayCoins

    View Slide

  90. CreateCoins
    number value recipient
    1 3.2 Scrooge
    2 1.4 Goofy
    3 7.1 Alice
    CreateCoins
    transID: 1

    View Slide

  91. PayCoins
    number value recipient
    1 1 Bob
    2 6.1 Alice
    PayCoins
    coins: 1(3)
    transID: 2
    Which coins are
    being consumed?

    View Slide

  92. number value recipient
    1 1 Bob
    2 6.1 Alice
    PayCoins
    coins: 1(3)
    transID: 2
    number value recipient
    1 3.2 Scrooge
    2 1.4 Goofy
    3 7.1 Alice
    transID: 1
    CreateCoins
    1(3)

    View Slide

  93. Scrooge signs off on everything
    prev: H()

    e3b0c4
    transID: 1
    prev: H()

    f4c1d5
    transID: 2
    H()

    05d2e6
    Scrooge
    number value recipient
    1 3.2 Scrooge
    2 1.4 Goofy
    3 7.1 Alice
    number value recipient
    1 1 Bob
    2 6.1 Alice
    PayCoins
    coins: 1(3)
    CreateCoins

    View Slide

  94. Now, when Alice tries
    to double-spend …

    View Slide

  95. Alice tries to re-spend coin from
    Block 1 after Scrooge signs Block 2
    prev: H()

    e3b0c4
    transID: 1
    prev: H()

    f4c1d5
    transID: 2
    H()

    05d2e6
    Scrooge
    number value recipient
    1 3.2 Scrooge
    2 1.4 Goofy
    3 7.1 Alice
    number value recipient
    1 1 Bob
    2 6.1 Alice
    PayCoins
    coins: 1(3)
    CreateCoins
    prev: H()

    f4c1d5
    transID: 2
    number value recipient
    1 1 Chuck
    2 6.1 Alice
    PayCoins
    coins: 1(3)

    View Slide

  96. Scrooge catches her

    View Slide

  97. Scrooge rejects Alice’s
    double-spend transaction
    prev: H()

    e3b0c4
    transID: 1
    prev: H()

    f4c1d5
    transID: 2
    H()

    05d2e6
    Scrooge
    number value recipient
    1 3.2 Scrooge
    2 1.4 Goofy
    3 7.1 Alice
    number value recipient
    1 1 Bob
    2 6.1 Alice
    PayCoins
    coins: 1(3)
    CreateCoins
    prev: H()

    f4c1d5
    transID: 2
    number value recipient
    1 1 Chuck
    2 6.1 Alice
    PayCoins
    coins: 1(3)

    View Slide

  98. So, we’ve got a
    cryptocurrency …

    View Slide

  99. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  100. but Scrooge …
    • maintains the ledger of transactions
    • has authority over which transactions are valid
    • creates new coins

    View Slide

  101. How do we get rid of
    Scrooge?

    View Slide

  102. Without Scrooge …
    • Who maintains the ledger of transactions?
    • Who has authority over which transactions are
    valid?
    • Who creates new coins?

    View Slide

  103. Coin miners!

    View Slide

  104. Coin miners
    • maintain the ledger of transactions
    • have authority over which transactions are valid
    • create new coins

    View Slide

  105. Who are coin miners?

    View Slide

  106. Let’s look at Bitcoin
    specifically

    View Slide

  107. Bitcoin is a
    peer-to-peer network

    View Slide

  108. You can participate!

    View Slide

  109. View Slide

  110. It will take up
    all your disk space

    View Slide

  111. To pay Bob, Alice
    broadcasts a transaction
    to all Bitcoin nodes

    View Slide

  112. Alice
    Bitcoin
    Node
    Bitcoin
    Node
    Bitcoin
    Node
    Bitcoin
    Node
    Bitcoin
    Node

    View Slide

  113. Bitcoin nodes (maybe)
    include Alice’s transaction
    in the next block

    View Slide

  114. A block is just a large
    grouping of transactions

    View Slide

  115. Bitcoin nodes are governed by a
    Distributed Consensus Protocol

    View Slide

  116. Skipping: Distributed
    Consensus Protocol
    tl;dr: it needs a majority of nodes to behave honestly, and
    to pick a random node from the network for each block

    View Slide

  117. How do you make a
    majority of nodes behave
    honestly?

    View Slide

  118. NOT crypto …
    incentives!

    View Slide

  119. “… Bitcoin works better in
    practice than in theory.”

    View Slide

  120. “… Bitcoin works better in
    practice than in theory.”
    • Consensus over time
    • Incentives

    View Slide

  121. Can we give nodes an
    incentive to behave honestly
    over the long term?

    View Slide

  122. No real identities, so we
    can’t exactly mail them
    cash

    View Slide

  123. If only there were a digital currency
    we could give them without having
    to know their real identities …

    View Slide

  124. Block reward:
    CreateCoins transaction

    View Slide

  125. Alice mines a block, and gets to
    create new coins to herself
    number value recipient
    CreateCoins
    0 25 Alice (dc3c6e)
    PayCoins from 1(1)
    1 1.1 Bob (e5ceb5)
    2 6.1 Alice (dc3c6e)
    transID: 2

    View Slide

  126. Financial incentive to be honest: miners
    only include valid transactions, because
    they want their own CreateCoins
    transaction included in the long-term
    consensus block-chain

    View Slide

  127. A distributed consensus
    protocol
    1. New transactions are broadcast to all nodes
    2. Each node collects new transactions into a block
    3. In each round, a random node adds its block to
    the end of the block-chain
    4. Other nodes accept the block only if all
    transactions in it are valid - i.e., unspent coins
    with valid signatures

    View Slide

  128. In each round, how do
    you pick a random node?

    View Slide

  129. Proof of Work

    View Slide

  130. Proof of work
    • Approximate random selection in proportion to a
    scarce resource
    • In Bitcoin, it’s computing power
    • Nodes compete with each other on computing
    power

    View Slide

  131. Hash puzzles

    View Slide

  132. puzzle friendliness
    Given hash output and part of input (i.e., the
    nonce), it’s “hard” (but not infeasible) to find the
    input

    View Slide

  133. message
    hash dc66ec
    puzzle-friendly: given the hash and
    nonce, hard to find a message
    lots of work
    nonce 123456
    message
    lots of work

    View Slide

  134. Hash puzzles in
    bitcoin mining
    • To create a block, a node is required to find a
    nonce such that when you combine …
    • nonce
    • previous block’s hash
    • list of transactions
    • … the hash output should be a string that falls
    into a certain range

    View Slide

  135. H(nonce || prev_hash || tx || tx || … || tx) < target

    View Slide

  136. In Bitcoin the target is a
    string that starts with
    some number of 0’s

    View Slide

  137. sha256 is “puzzle-friendly”, so
    the only way to solve this puzzle
    is to just try random nonces

    View Slide

  138. In Bitcoin the target is a string that
    starts with some number of 0’s

    View Slide

  139. blockchain.com

    View Slide

  140. View Slide

  141. Yay! We made it to
    Bitcoin!

    View Slide

  142. Public Key Cryptography
    Digital Signatures
    Hash Pointers
    Blockchain
    Cryptocurrency
    Bitcoin
    Cryptographic Hash Functions

    View Slide

  143. So, to mine cryptocurrency
    you need:
    • Lots of efficient processing to complete the proof-of-work
    hashing

    • Lots of efficient networking to communicate with the
    distributed peer-to-peer nodes

    View Slide

  144. Efficient processing
    Are CPUs good enough?

    View Slide

  145. https://www.slideshare.net/AmazonWebServices/aws-reinvent-2016-deep-learning-3d-content-rendering-and-massively-parallel-compute-intensive-workloads-in-the-cloud-cmp317

    View Slide

  146. CPU mining Bitcoin
    ~20M h/s = several hundred thousand years to get a block
    https://99bitcoins.com/20-insane-bitcoin-mining-rigs/

    View Slide

  147. GPU mining Bitcoin
    ~200M h/s = hundreds of years
    http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

    View Slide

  148. ASIC mining Bitcoin
    2,100,000M h/s and 0.43 watts/Gigahashes
    http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

    View Slide

  149. ASIC mining Bitcoin
    2,100,000M h/s and 0.43 watts/Gigahashes
    https://99bitcoins.com/7-awesome-asic-bitcoin-miners/

    View Slide

  150. ASIC mining Bitcoin
    2,100,000M h/s and 0.43 watts/Gigahashes
    https://seekingalpha.com/article/4140062-bitcoin-transaction-fee-issue-going-get-worse

    View Slide

  151. So how could a victim’s
    computer ever mine
    cryptocurrency?

    View Slide

  152. You would need to “infect”
    105K CPUs or 10.5K GPUs to
    compete with a single ASIC

    View Slide

  153. ASIC-resistant puzzle
    hashing algorithms
    Since ASICs include very little memory, use a
    memory-intensive hashing algorithm

    View Slide

  154. scrypt
    http://www.pointsoftware.ch/en/the-importance-of-hashing-passwords-part-4-the-hardware-threat/

    View Slide

  155. scrypt & Litecoin
    • scrypt hashing function

    • Fill a large buffer of RAM

    • Mutate the memory in pseudo-random order

    • O(N2) function

    • Choose N large enough to make memory faster

    • Litecoin

    • ASICs already out for Litecoin param of N=128KB

    • 504M h/s at 1.58 w/MH

    • (Remember Bitcoin was 2,100,000M h/s and 0.43 watts/Gigahashes)
    https://www.hashespersecond.com/asic/

    View Slide

  156. CryptoNight
    https://4.bp.blogspot.com/-NJddW0tx9j0/U_6C2wgXSAI/AAAAAAAAkDk/nyKkOESWgwI/s1600/cryptonight.png

    View Slide

  157. Memory-hard hashes
    • CryptoNight hashing function

    • Monero

    • 2MB memory buffer

    • Uses AES-NI found on most modern x86_64 CPUs

    • ASICs: 0.2M h/s @ 2.27 w/KH

    • Litecoin ASIC: 504M h/s @ 1.58 w/MH

    • Bitcoin ASIC: 2,100,000M h/s and 0.043 w/MH

    • Also, Monero adjusted PoW algo. so these devices don’t work for
    Monero anymore
    https://www.hashespersecond.com/asic/

    View Slide

  158. So, a victim’s computer
    could feasibly mine
    Monero

    View Slide

  159. Oh yeah, Javascript

    View Slide

  160. With Web APIs you get:
    • Efficient processing to complete the proof-of-work
    hashing

    • Web Workers & WebAssembly

    • Efficient networking to communicate with the distributed
    peer-to-peer nodes

    • Web Sockets

    View Slide

  161. Cryptojacking!

    View Slide

  162. coinhive.min.js

    View Slide

  163. CoinHive Malware Analysis
    • Creates WebWorker with number of threads ==
    number of CPU cores available (up to 8 max)
    • Loads WebAssembly program into worker for
    mining (default throttle to 100% CPU usage!)
    • Creates WebSocket connection between server
    and browser
    • Server notifies browser if new blocks are found
    and sends new transactions to browser

    View Slide

  164. • threads - number of WebWorkers to use; defaults to using
    as many cores as possible

    • throttle - fraction of time threads should be idle; defaults
    to “0”
    https://webcache.googleusercontent.com/search?q=cache:https://coinhive.com/documentation/miner

    View Slide

  165. Check if already loaded;
    if not, download;
    _startNow() when ready

    View Slide

  166. Don’t run in multiple tabs
    (how nice of them!)

    View Slide

  167. we’re not maxing out the cores?!
    spawn more worker jobs!
    Note: this._threads for later

    View Slide

  168. Finally! new Worker()

    View Slide

  169. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

    View Slide

  170. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

    View Slide

  171. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

    View Slide

  172. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

    View Slide

  173. Finally! new Worker()

    View Slide

  174. lots of js, including WebAssembly, as an object URL
    Note: WEBSOCKET_SHARDS for later …

    View Slide

  175. View Slide

  176. View Slide

  177. back in startNow, _connect
    to servers for block updates

    View Slide

  178. new WebSocket to a random
    server from WEBSOCKET_SHARDS
    Note: remember WEBSOCKET_SHARDS from before?

    View Slide

  179. new WebSocket()

    View Slide

  180. Traditional HTTP “polling” adds
    repeated request + response overhead
    https://www.pubnub.com/blog/2014-10-01-websockets-and-long-polling-in-javascript-ruby-and-python/

    View Slide

  181. WebSocket
    allows bidirectional
    messaging

    View Slide

  182. 1K messages over time
    WebSocket vs. REST (HTTP)
    http://blog.arungupta.me/rest-vs-websocket-comparison-benchmarks/

    View Slide

  183. new WebSocket to a random
    server from WEBSOCKET_SHARDS

    View Slide

  184. Note: remember this._threads from before?

    View Slide

  185. View Slide

  186. How to get this into
    browsers?

    View Slide

  187. Ask websites to include it

    View Slide

  188. Mozilla research
    • Crawl Alexa Top 10k looking for tags to one of the<br/>212 crypto-jacking hosts in adblock-nocoin-list <br/><br/>• Of 6M <script> calls, 945 (0.015%) use crypto-jacking<br/>script<br/><br/>• number of crypto-jacking hosts used: 11 (5.2% of known<br/>hosts)<br/><br/>• number of CoinHive scripts: 507 (54%)<br/><br/>• Majority of domains detected with crypto-jacking were<br/>streaming sites<br/>https://github.com/mozilla/UCOSP-winter-2018_TrackingTechnologies/blob/master/analyses/cryptojacking/cryptojacking_analysis.ipynb<br/>

    View Slide

  189. Note: coinhive.com is
    now gone; only
    authedmine.com remains

    View Slide

  190. malvertising

    View Slide

  191. Malvertising research

    View Slide

  192. Man-in-the-middle injection
    bettercap.org

    View Slide

  193. mitm
    crypto-miner.js caplet from bettercap

    View Slide

  194. What to do about it?

    View Slide

  195. First: Add known

    crypto-miners to our
    block-list

    View Slide

  196. View Slide

  197. Done
    • Go to about:config
    • Search for urlclassifier.trackingTable
    • add tracking-protection-base-cryptomining
    and tracking-protection-content-cryptomining

    View Slide

  198. As of Tuesday, it’s
    even easier!

    View Slide

  199. View Slide

  200. View Slide

  201. Use Machine-Learning
    and other heuristics to
    detect crypto-mining JS

    View Slide

  202. “Towards Seamless Tracking-Free Web:
    Improved Detection of Trackers via One-
    class learning”
    • Summary:

    Training a classifier to detect JS tracking code

    • Conducted by:

    • Data Source:

    Web crawl of Alexa top 50

    45 random sites from Alexa 5,000-45,000

    • Machine Learning Algorithms/Methods:

    Support Vector Machine, Positive & Unlabeled

    • Data features:

    JavaScript semantic & syntactic tokens and
    n-grams

    • Results

    • 99% true positives for one-class Support
    Vector Machine
    https://www.degruyter.com/downloadpdf/j/popets.2017.2017.issue-1/popets-2017-0006/popets-2017-0006.pdf

    View Slide

  203. Questions?
    • Crypto -> Blockchain

    • Bitcoin

    • Web Workers, Web Assembly

    • Web Sockets

    • Preventing
    • Luke Crouch

    • @groovecoder

    • speakerdeck.com/groovecoder

    • github.com/groovecoder

    View Slide