Just enough bitcoing to go cryptojacking with JavaScript

Just enough bitcoin to go
cryptojacking with Javascript

View Slide

About me
Privacy & Security Engineer
Vice President

View Slide

View Slide

Just enough bitcoin to go
cryptojacking with Javascript

View Slide

2 parts to this talk
• Cryptocurrency

• Crypto-jacking attacks with web APIs

View Slide

Bitcoin and
Cryptocurrency
Technologies
A Comprehensive
Introduction

View Slide

Khan Acadmy: Journey into
cryptography: modern cryptography
https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

View Slide

This talk will actually
cover cryptography

View Slide

⚠
Spoiler Alert:
There’s no “encryption”
in cryptocurrencies

View Slide

 
This talk will not
cover the crypto math

View Slide

 
(maybe just a little)

View Slide

The “crypto” in
cryptocurrency
• Cryptographic hash functions

• Hash Pointers

• Blockchain

• Public Key Cryptography

• Digital Signatures

View Slide

Public Key Cryptography
Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin
Cryptographic Hash Functions

View Slide

H(message)
hash
message We the People of the
United States
…
until an election of
Representatives shall
have intervened.
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

View Slide

“hash” function
• Maps data of arbitrary size into data of a ﬁxed size

• e.g., justTheFirstLetter(string)

• justTheFirstLetter(“hash”) // returns h
• justTheFirstLetter(“function”) // returns f
• justTheFirstLetter(“returns”) // returns r
• justTheFirstLetter(“fixed-size”) // returns f

View Slide

cryptographic hash function
• resists “collisions”
• hides original (plaintext) message

View Slide

“hash” function
• e.g., justTheFirstLetter(string)

• justTheFirstLetter(“hash”) // returns h
• justTheFirstLetter(“function”) // returns f
• justTheFirstLetter(“returns”) // returns r
• justTheFirstLetter(“fixed-size”) // returns f

View Slide

H(message)
hash collision!
message “The bearer of this
note may redeem it
for one dollar by
presenting it to me”
51a6b3
We the People of the
United States
…
have intervened.
resist collisions: 2 different messages
shouldn’t produce the same hash

View Slide

hiding: “1-way” function

View Slide

51a6b3
hiding: given the hash,
not feasible to ﬁnd the message
?
?

View Slide

H(message)
easy-to-ﬁnd hashes
message
tails
3e5368
heads
hiding: what if there are only
2 possible messages?
22814c

View Slide

tails
3e5368
heads
hiding: what if there are only
2 possible messages?
22814c
3e5368
?
heads

View Slide

H(message || nonce)
hash
message tails
dc66ec
heads
hiding: add random value:
“nonce” or “salt”
0f2c72
nonce a a

View Slide

H()
hash
message tails
dc66ec
heads
“nonce”
0f2c72
nonce
tails
3e5368
heads
22814c
a a

View Slide

tails
dc66ec
heads
“nonce”
0f2c72
tails
3e5368
heads
22814c
a a
tails
8d23aa
heads
15db7d
b b

View Slide

?
message
hash dc66ec
hiding: given the hash, not feasible
to ﬁnd the message or nonce
?
?
nonce ?

View Slide

cryptographic hash function 
for cryptocurrency
• resists “collisions”
• hides original (plaintext) message
• for cryptocurrency: “puzzle friendly”

View Slide

puzzle friendliness
Given hash output and part of input (i.e., the
nonce), it’s “hard” (but not infeasible) to ﬁnd the
input

View Slide

hiding vs. puzzle-friendly
https://stackoverﬂow.com/questions/42042840/properties-of-a-cryptographic-hash-function

View Slide

“hard”/“difﬁcult” 
vs. 
“infeasible”

View Slide

message
hash dc66ec
puzzle-friendly: given the hash and
nonce, hard to ﬁnd a message
lots of work
nonce 123456
message
lots of work

View Slide

openssl to hash messages
echo “The bearer of this note may
redeem it for one dollar by presenting
it to me” | openssl sha256
51a6b38fd78e5e20246bd0103668056a2a8981274e9487ea3f18158e59b690e7
echo “We the People of the United
States … until an election of
Representatives shall have
intervened.” | openssl sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

View Slide

sha256:
Secure Hash Algorithm
(with 256-bit digests)

View Slide

Note: sha256
is what bitcoin uses!

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

H( ) = e3b0c4
We the People of the
United States
…
have intervened.
hash pointer:
where full plaintext data is stored, AND a
cryptographic hash of the data

View Slide

hash pointers
enable everyone else to
verify the truth of the data

View Slide

so, hashes might give us
conﬁdentiality - i.e., to
keep something secret

View Slide

but these hash pointers
give us integrity …
… NOT conﬁdentiality

View Slide

Remember: there’s not necessarily
“encryption” (i.e., conﬁdentiality) 
in cryptocurrency

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

prev: H() 
e3b0c4
block chain:
linked list of hash pointers
prev: H() 
f4c1d5
data data
prev: H() 
05d2e6
data

View Slide

Now we can have a tamper-proof
ledger (of digital dollars)!
prev: H() 
e3b0c4
prev: H() 
f4c1d5
“The bearer of this
note may redeem it
for one dollar by
prev: H() 
05d2e6
note may redeem it
for one dollar by
note may redeem it
for one dollar by

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

Public Key
Cryptography
It gives us public & private keys!

View Slide

Khan Acadmy: Journey into
cryptography: modern cryptography
https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

View Slide

The quick version …

View Slide

… nevermind, the quick
version was still too long.

View Slide

1-way mathematical function:
modular exponentiation

View Slide

Symmetric Encryption requires extra
communication overhead in Difﬁe-Hellman
Key Exchange

View Slide

Alice has to exchange extra messages
to establish a unique key with everyone

View Slide

Alice has to manage tons of
keys

View Slide

Instead, Alice needs a 
public “lock” she can copy and share with
anyone, and a single private “key” …

View Slide

… to do this, you need a
“trap door 1-way function”

View Slide

… a “trap door 1-way function” is a 1-way
function that is infeasible to reverse …

View Slide

… a “trap door 1-way function” is a 1-way
function that is infeasible to reverse … unless
you have a secret piece of information

View Slide

mathematical trapdoor 1-way function:
modular exponentiation and phi

View Slide

math math math
• Phi function of large numbers is infeasible to
calculate, *except* for prime numbers
• Multiplying large prime numbers is infeasible to
reverse
• The “Prime Factorization” problem
• Euler’s Theorem shows that mphi(n) ≅1 mod n.

View Slide

math and keys!

View Slide

Most important to us:
math says the public key can be public  
while the secret key stays secret

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

digital signatures:
required properties
• Only you can sign your
signature, but anyone can
verify that it’s valid 
 
 
• The signature is attached to a
single document - it can’t be
used to indicate you agree to
a different document

View Slide

signature = sign(secret key, message)
note may redeem it
for one dollar by
-with love,
from Luke

View Slide

valid = verify(public key, message, signature)
note may redeem it
for one dollar by
-with love,
from Luke

View Slide

where do
secret & public keys
come from?

View Slide

from decades of
“math math math”
written into libraries

View Slide

openssl to create
secret & public keys
openssl ecparam -genkey -name
secp256k1 -rand /dev/urandom -out \
/Users/lcrouch/secret_key
openssl ec -in /Users/lcrouch/
secret_key -pubout -out \
/Users/lcrouch/public_key

View Slide

openssl to
sign & verify
openssl dgst -sign secret_key message
-out luke_dollar.signed
openssl dgst -verify public_key  
-signature luke_dollar.signed
valid

View Slide

digital signatures
enable everyone else to verify
the authenticity of the data

View Slide

authenticity
the person writing the
data

View Slide

The “crypto” in
cryptocurrency gives us …
• Integrity, from
• Blockchain, from
• Hash pointers, from
• Hash functions
• Authenticity, 
Non-repudiation, from
• Digital Signatures, from
• Public Key Cryptography
… not encryption for
conﬁdentiality

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

Now we have enough
cryptographic primitives to build
a (really bad) cryptocurrency

View Slide

“Goofycoin”
cryptocurrency

View Slide

Goofycoin
1. Designated entity - Goofy - can create new
coins anytime and coins belong to Goofy
2. Whoever owns a coin can transfer it to
someone else

View Slide

Goofy creates coins
• Generates unique coin ID: 001
• Makes message: “CreateCoin 001”
• Hashes and signs message as H(1) with secret key

View Slide

Goofy transfers coin to Alice
• New message: 
“Starting at H(1), PayCoin 001 to Alice”
• Note: Alice = Alice’s public key / address

View Slide

Alice transfers coin to Bob
• New message: 
“Starting at H(2), PayCoin 001 to Bob”
• Note: Bob = Bob’s public key / address

View Slide

Now we can have a tamper-proof
ledger of transactions!
CreateCoin
001
Goofy
PayCoin:
001
Alice
Goofy
H( )
Alice
H( )
PayCoin:
001
Bob

View Slide

Goofycoin
1. Designated entity - Goofy - can create new
coins anytime and coins belong to Goofy
2. Whoever owns a coin can transfer it to
someone else
3. Anyone can verify coin ownership by following
block-chain back to Goofy

View Slide

Security problem:
Double-spend

View Slide

Alice can pay the
same coin to Chuck
CreateCoin
[12345]
Goofy
PayCoin:
[12345]
Alice
Goofy
H( )
Alice
H( )
PayCoin:
[12345]
Bob
Alice
H( )
PayCoin:
[12345]
Chuck

View Slide

How do we decide which
ledger is the truth?

View Slide

“Scroogecoin”
cryptocurrency

View Slide

Scroogecoin
• Goofycoin +
• Designated entity - Scrooge - publishes the
canonical public ledger of all transactions
• Everyone broadcasts coin transactions to
Scrooge
• Only accept coins in Scrooge’s public ledger

View Slide

Scroogecoin
• Scrooge builds block chain to digitally sign
• Each block has a transaction in it
• ID
• contents
• hash point to previous block
• Scrooge signs ﬁnal hash pointer
• Scrooge publishes signature and block chain

View Slide

Scroogecoin Transactions
• CreateCoins
• PayCoins

View Slide

CreateCoins
number value recipient
1 3.2 Scrooge
2 1.4 Goofy
3 7.1 Alice
CreateCoins
transID: 1

View Slide

PayCoins
1 1 Bob
2 6.1 Alice
PayCoins
coins: 1(3)
transID: 2
Which coins are
being consumed?

View Slide

1 1 Bob
2 6.1 Alice
PayCoins
coins: 1(3)
transID: 2
1 3.2 Scrooge
2 1.4 Goofy
3 7.1 Alice
transID: 1
CreateCoins
1(3)

View Slide

Scrooge signs off on everything
prev: H() 
e3b0c4
transID: 1
prev: H() 
f4c1d5
transID: 2
H() 
05d2e6
Scrooge
1 3.2 Scrooge
2 1.4 Goofy
3 7.1 Alice
1 1 Bob
2 6.1 Alice
PayCoins
coins: 1(3)
CreateCoins

View Slide

Now, when Alice tries
to double-spend …

View Slide

Alice tries to re-spend coin from
Block 1 after Scrooge signs Block 2
prev: H() 
e3b0c4
transID: 1
prev: H() 
f4c1d5
transID: 2
H() 
05d2e6
Scrooge
1 3.2 Scrooge
2 1.4 Goofy
3 7.1 Alice
1 1 Bob
2 6.1 Alice
PayCoins
coins: 1(3)
CreateCoins
prev: H() 
f4c1d5
transID: 2
1 1 Chuck
2 6.1 Alice
PayCoins
coins: 1(3)

View Slide

Scrooge catches her

View Slide

Scrooge rejects Alice’s
double-spend transaction
prev: H() 
e3b0c4
transID: 1
prev: H() 
f4c1d5
transID: 2
H() 
05d2e6
Scrooge
1 3.2 Scrooge
2 1.4 Goofy
3 7.1 Alice
1 1 Bob
2 6.1 Alice
PayCoins
coins: 1(3)
CreateCoins
prev: H() 
f4c1d5
transID: 2
1 1 Chuck
2 6.1 Alice
PayCoins
coins: 1(3)

View Slide

So, we’ve got a
cryptocurrency …

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

but Scrooge …
• maintains the ledger of transactions
• has authority over which transactions are valid
• creates new coins

View Slide

How do we get rid of
Scrooge?

View Slide

Without Scrooge …
• Who maintains the ledger of transactions?
• Who has authority over which transactions are
valid?
• Who creates new coins?

View Slide

Coin miners!

View Slide

Coin miners
• maintain the ledger of transactions
• have authority over which transactions are valid
• create new coins

View Slide

Who are coin miners?

View Slide

Let’s look at Bitcoin
speciﬁcally

View Slide

Bitcoin is a
peer-to-peer network

View Slide

You can participate!

View Slide

View Slide

It will take up
all your disk space

View Slide

To pay Bob, Alice
broadcasts a transaction
to all Bitcoin nodes

View Slide

Alice
Bitcoin
Node
Bitcoin
Node
Bitcoin
Node
Bitcoin
Node
Bitcoin
Node

View Slide

Bitcoin nodes (maybe)
include Alice’s transaction
in the next block

View Slide

A block is just a large
grouping of transactions

View Slide

Bitcoin nodes are governed by a
Distributed Consensus Protocol

View Slide

Skipping: Distributed
Consensus Protocol
tl;dr: it needs a majority of nodes to behave honestly, and
to pick a random node from the network for each block

View Slide

How do you make a
majority of nodes behave
honestly?

View Slide

NOT crypto …
incentives!

View Slide

“… Bitcoin works better in
practice than in theory.”

View Slide

“… Bitcoin works better in
practice than in theory.”
• Consensus over time
• Incentives

View Slide

Can we give nodes an
incentive to behave honestly
over the long term?

View Slide

No real identities, so we
can’t exactly mail them
cash

View Slide

If only there were a digital currency
we could give them without having
to know their real identities …

View Slide

Block reward:
CreateCoins transaction

View Slide

Alice mines a block, and gets to
create new coins to herself
CreateCoins
0 25 Alice (dc3c6e)
PayCoins from 1(1)
1 1.1 Bob (e5ceb5)
2 6.1 Alice (dc3c6e)
transID: 2

View Slide

Financial incentive to be honest: miners
only include valid transactions, because
they want their own CreateCoins
transaction included in the long-term
consensus block-chain

View Slide

A distributed consensus
protocol
1. New transactions are broadcast to all nodes
2. Each node collects new transactions into a block
3. In each round, a random node adds its block to
the end of the block-chain
4. Other nodes accept the block only if all
transactions in it are valid - i.e., unspent coins
with valid signatures

View Slide

In each round, how do
you pick a random node?

View Slide

Proof of Work

View Slide

Proof of work
• Approximate random selection in proportion to a
scarce resource
• In Bitcoin, it’s computing power
• Nodes compete with each other on computing
power

View Slide

Hash puzzles

View Slide

puzzle friendliness
Given hash output and part of input (i.e., the
nonce), it’s “hard” (but not infeasible) to ﬁnd the
input

View Slide

message
hash dc66ec
puzzle-friendly: given the hash and
nonce, hard to ﬁnd a message
lots of work
nonce 123456
message
lots of work

View Slide

Hash puzzles in
bitcoin mining
• To create a block, a node is required to ﬁnd a
nonce such that when you combine …
• nonce
• previous block’s hash
• list of transactions
• … the hash output should be a string that falls
into a certain range

View Slide

H(nonce || prev_hash || tx || tx || … || tx) < target

View Slide

In Bitcoin the target is a
string that starts with
some number of 0’s

View Slide

sha256 is “puzzle-friendly”, so
the only way to solve this puzzle
is to just try random nonces

View Slide

In Bitcoin the target is a string that
starts with some number of 0’s

View Slide

blockchain.com

View Slide

View Slide

Yay! We made it to
Bitcoin!

View Slide

Digital Signatures
Hash Pointers
Blockchain
Cryptocurrency
Bitcoin

View Slide

So, to mine cryptocurrency
you need:
• Lots of eﬃcient processing to complete the proof-of-work
hashing

• Lots of eﬃcient networking to communicate with the
distributed peer-to-peer nodes

View Slide

Efﬁcient processing
Are CPUs good enough?

View Slide

https://www.slideshare.net/AmazonWebServices/aws-reinvent-2016-deep-learning-3d-content-rendering-and-massively-parallel-compute-intensive-workloads-in-the-cloud-cmp317

View Slide

CPU mining Bitcoin
~20M h/s = several hundred thousand years to get a block
https://99bitcoins.com/20-insane-bitcoin-mining-rigs/

View Slide

GPU mining Bitcoin
~200M h/s = hundreds of years
http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

View Slide

ASIC mining Bitcoin
2,100,000M h/s and 0.43 watts/Gigahashes
http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

View Slide

ASIC mining Bitcoin
https://99bitcoins.com/7-awesome-asic-bitcoin-miners/

View Slide

ASIC mining Bitcoin
https://seekingalpha.com/article/4140062-bitcoin-transaction-fee-issue-going-get-worse

View Slide

So how could a victim’s
computer ever mine
cryptocurrency?

View Slide

You would need to “infect”
105K CPUs or 10.5K GPUs to
compete with a single ASIC

View Slide

ASIC-resistant puzzle
hashing algorithms
Since ASICs include very little memory, use a
memory-intensive hashing algorithm

View Slide

scrypt
http://www.pointsoftware.ch/en/the-importance-of-hashing-passwords-part-4-the-hardware-threat/

View Slide

scrypt & Litecoin
• scrypt hashing function

• Fill a large buﬀer of RAM

• Mutate the memory in pseudo-random order

• O(N2) function

• Choose N large enough to make memory faster

• Litecoin

• ASICs already out for Litecoin param of N=128KB

• 504M h/s at 1.58 w/MH

• (Remember Bitcoin was 2,100,000M h/s and 0.43 watts/Gigahashes)
https://www.hashespersecond.com/asic/

View Slide

CryptoNight
https://4.bp.blogspot.com/-NJddW0tx9j0/U_6C2wgXSAI/AAAAAAAAkDk/nyKkOESWgwI/s1600/cryptonight.png

View Slide

Memory-hard hashes
• CryptoNight hashing function

• Monero

• 2MB memory buﬀer

• Uses AES-NI found on most modern x86_64 CPUs

• ASICs: 0.2M h/s @ 2.27 w/KH

• Litecoin ASIC: 504M h/s @ 1.58 w/MH

• Bitcoin ASIC: 2,100,000M h/s and 0.043 w/MH

• Also, Monero adjusted PoW algo. so these devices don’t work for
Monero anymore
https://www.hashespersecond.com/asic/

View Slide

So, a victim’s computer
could feasibly mine
Monero

View Slide

Oh yeah, Javascript

View Slide

With Web APIs you get:
• Eﬃcient processing to complete the proof-of-work
hashing

• Web Workers & WebAssembly

• Eﬃcient networking to communicate with the distributed
peer-to-peer nodes

• Web Sockets

View Slide

Cryptojacking!

View Slide

coinhive.min.js

View Slide

CoinHive Malware Analysis
• Creates WebWorker with number of threads ==
number of CPU cores available (up to 8 max)
• Loads WebAssembly program into worker for
mining (default throttle to 100% CPU usage!)
• Creates WebSocket connection between server
and browser
• Server notiﬁes browser if new blocks are found
and sends new transactions to browser

View Slide

• threads - number of WebWorkers to use; defaults to using
as many cores as possible

• throttle - fraction of time threads should be idle; defaults
to “0”
https://webcache.googleusercontent.com/search?q=cache:https://coinhive.com/documentation/miner

View Slide

Check if already loaded;
if not, download;
_startNow() when ready

View Slide

Don’t run in multiple tabs
(how nice of them!)

View Slide

we’re not maxing out the cores?!
spawn more worker jobs!
Note: this._threads for later

View Slide

Finally! new Worker()

View Slide

https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

View Slide

Finally! new Worker()

View Slide

lots of js, including WebAssembly, as an object URL
Note: WEBSOCKET_SHARDS for later …

View Slide

View Slide

back in startNow, _connect
to servers for block updates

View Slide

new WebSocket to a random
server from WEBSOCKET_SHARDS
Note: remember WEBSOCKET_SHARDS from before?

View Slide

new WebSocket()

View Slide

Traditional HTTP “polling” adds
repeated request + response overhead
https://www.pubnub.com/blog/2014-10-01-websockets-and-long-polling-in-javascript-ruby-and-python/

View Slide

WebSocket
allows bidirectional
messaging

View Slide

1K messages over time
WebSocket vs. REST (HTTP)
http://blog.arungupta.me/rest-vs-websocket-comparison-benchmarks/

View Slide

new WebSocket to a random
server from WEBSOCKET_SHARDS

View Slide

Note: remember this._threads from before?

View Slide

View Slide

How to get this into
browsers?

View Slide

Ask websites to include it

View Slide

Mozilla research
• Crawl Alexa Top 10k looking for tags to one of the 212 crypto-jacking hosts in adblock-nocoin-list • Of 6M <script> calls, 945 (0.015%) use crypto-jacking script • number of crypto-jacking hosts used: 11 (5.2% of known hosts) • number of CoinHive scripts: 507 (54%) • Majority of domains detected with crypto-jacking were streaming sites https://github.com/mozilla/UCOSP-winter-2018_TrackingTechnologies/blob/master/analyses/cryptojacking/cryptojacking_analysis.ipynb 

View Slide

Note: coinhive.com is
now gone; only
authedmine.com remains

View Slide

malvertising

View Slide

Malvertising research

View Slide

Man-in-the-middle injection
bettercap.org

View Slide

mitm
crypto-miner.js caplet from bettercap

View Slide

What to do about it?

View Slide

First: Add known 
crypto-miners to our
block-list

View Slide

View Slide

Done
• Go to about:conﬁg
• Search for urlclassifier.trackingTable
• add tracking-protection-base-cryptomining
and tracking-protection-content-cryptomining

View Slide

As of Tuesday, it’s
even easier!

View Slide

View Slide

Use Machine-Learning
and other heuristics to
detect crypto-mining JS

View Slide

“Towards Seamless Tracking-Free Web:
Improved Detection of Trackers via One-
class learning”
• Summary: 
Training a classiﬁer to detect JS tracking code

• Conducted by: 
• Data Source: 
Web crawl of Alexa top 50 
45 random sites from Alexa 5,000-45,000

• Machine Learning Algorithms/Methods: 
Support Vector Machine, Positive & Unlabeled

• Data features: 
JavaScript semantic & syntactic tokens and
n-grams

• Results

• 99% true positives for one-class Support
Vector Machine
https://www.degruyter.com/downloadpdf/j/popets.2017.2017.issue-1/popets-2017-0006/popets-2017-0006.pdf

View Slide

Questions?
• Crypto -> Blockchain

• Bitcoin

• Web Workers, Web Assembly

• Web Sockets

• Preventing
• Luke Crouch

• @groovecoder

• speakerdeck.com/groovecoder

• github.com/groovecoder

View Slide

Just enough bitcoing to go cryptojacking with JavaScript

Just enough bitcoing to go cryptojacking with JavaScript

luke crouch

More Decks by luke crouch

Other Decks in Technology

Featured

Transcript