Just enough bitcoing to go cryptojacking with JavaScript

Transcript

1. Just enough bitcoin to go cryptojacking with Javascript

2. About me Privacy & Security Engineer Vice President

3. None
4. None

5. Just enough bitcoin to go cryptojacking with Javascript

6. 2 parts to this talk • Cryptocurrency • Crypto-jacking attacks

   with web APIs

7. Bitcoin and Cryptocurrency Technologies A Comprehensive Introduction

8. Khan Acadmy: Journey into cryptography: modern cryptography https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

9. This talk will actually cover cryptography

10. ⚠ Spoiler Alert: There’s no “encryption” in cryptocurrencies

11. 
 This talk will not cover the crypto math

12. 
 (maybe just a little)

13. The “crypto” in cryptocurrency • Cryptographic hash functions • Hash

    Pointers • Blockchain • Public Key Cryptography • Digital Signatures

14. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

15. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

16. H(message) hash message We the People of the United States

    … until an election of Representatives shall have intervened. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

17. “hash” function • Maps data of arbitrary size into data

    of a fixed size • e.g., justTheFirstLetter(string) • justTheFirstLetter(“hash”) // returns h • justTheFirstLetter(“function”) // returns f • justTheFirstLetter(“returns”) // returns r • justTheFirstLetter(“fixed-size”) // returns f

18. cryptographic hash function • resists “collisions” • hides original (plaintext)

    message

19. “hash” function • e.g., justTheFirstLetter(string) • justTheFirstLetter(“hash”) // returns h

    • justTheFirstLetter(“function”) // returns f • justTheFirstLetter(“returns”) // returns r • justTheFirstLetter(“fixed-size”) // returns f

20. H(message) hash collision! message “The bearer of this note may

    redeem it for one dollar by presenting it to me” 51a6b3 We the People of the United States … until an election of Representatives shall have intervened. resist collisions: 2 different messages shouldn’t produce the same hash

21. hiding: “1-way” function

22. 51a6b3 hiding: given the hash, not feasible to find the

    message ? ?

23. H(message) easy-to-find hashes message tails 3e5368 heads hiding: what if

    there are only 2 possible messages? 22814c

24. tails 3e5368 heads hiding: what if there are only 2

    possible messages? 22814c 3e5368 ? heads

25. H(message || nonce) hash message tails dc66ec heads hiding: add

    random value: “nonce” or “salt” 0f2c72 nonce a a

26. H() hash message tails dc66ec heads hiding: add random value:

    “nonce” 0f2c72 nonce tails 3e5368 heads 22814c a a

27. tails dc66ec heads hiding: add random value: “nonce” 0f2c72 tails

    3e5368 heads 22814c a a tails 8d23aa heads 15db7d b b

28. ? message hash dc66ec hiding: given the hash, not feasible

    to find the message or nonce ? ? nonce ?

29. cryptographic hash function
 for cryptocurrency • resists “collisions” • hides

    original (plaintext) message • for cryptocurrency: “puzzle friendly”

30. puzzle friendliness Given hash output and part of input (i.e.,

    the nonce), it’s “hard” (but not infeasible) to find the input

31. hiding vs. puzzle-friendly https://stackoverflow.com/questions/42042840/properties-of-a-cryptographic-hash-function

32. “hard”/“difficult”
 vs.
 “infeasible”

33. message hash dc66ec puzzle-friendly: given the hash and nonce, hard

    to find a message lots of work nonce 123456 message lots of work

34. openssl to hash messages echo “The bearer of this note

    may redeem it for one dollar by presenting it to me” | openssl sha256 51a6b38fd78e5e20246bd0103668056a2a8981274e9487ea3f18158e59b690e7 echo “We the People of the United States … until an election of Representatives shall have intervened.” | openssl sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

35. sha256: Secure Hash Algorithm (with 256-bit digests)

36. Note: sha256 is what bitcoin uses!

37. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

38. H( ) = e3b0c4 We the People of the United

    States … until an election of Representatives shall have intervened. hash pointer: where full plaintext data is stored, AND a cryptographic hash of the data

39. hash pointers enable everyone else to verify the truth of

    the data

40. so, hashes might give us confidentiality - i.e., to keep

    something secret

41. but these hash pointers give us integrity … … NOT

    confidentiality

42. Remember: there’s not necessarily “encryption” (i.e., confidentiality)
 in cryptocurrency

43. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

44. prev: H()
 e3b0c4 block chain: linked list of hash pointers

    prev: H()
 f4c1d5 data data prev: H()
 05d2e6 data

45. Now we can have a tamper-proof ledger (of digital dollars)!

    prev: H()
 e3b0c4 prev: H()
 f4c1d5 “The bearer of this note may redeem it for one dollar by presenting it to me” prev: H()
 05d2e6 “The bearer of this note may redeem it for one dollar by presenting it to me” “The bearer of this note may redeem it for one dollar by presenting it to me”

46. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

47. Public Key Cryptography It gives us public & private keys!

48. Khan Acadmy: Journey into cryptography: modern cryptography https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

49. The quick version …

50. … nevermind, the quick version was still too long.

51. 1-way mathematical function: modular exponentiation

52. Symmetric Encryption requires extra communication overhead in Diffie-Hellman Key Exchange

53. Alice has to exchange extra messages to establish a unique

    key with everyone

54. Alice has to manage tons of keys

55. Instead, Alice needs a
 public “lock” she can copy and

    share with anyone, and a single private “key” …

56. … to do this, you need a “trap door 1-way

    function”

57. … a “trap door 1-way function” is a 1-way function

    that is infeasible to reverse …

58. … a “trap door 1-way function” is a 1-way function

    that is infeasible to reverse … unless you have a secret piece of information

59. mathematical trapdoor 1-way function: modular exponentiation and phi

60. math math math • Phi function of large numbers is

    infeasible to calculate, *except* for prime numbers • Multiplying large prime numbers is infeasible to reverse • The “Prime Factorization” problem • Euler’s Theorem shows that mphi(n) ≅1 mod n.

61. math and keys!

62. Most important to us: math says the public key can

    be public 
 while the secret key stays secret

63. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

64. digital signatures: required properties • Only you can sign your

    signature, but anyone can verify that it’s valid
 
 
 • The signature is attached to a single document - it can’t be used to indicate you agree to a different document

65. signature = sign(secret key, message) “The bearer of this note

    may redeem it for one dollar by presenting it to me” -with love, from Luke

66. valid = verify(public key, message, signature) “The bearer of this

    note may redeem it for one dollar by presenting it to me” -with love, from Luke

67. where do secret & public keys come from?

68. from decades of “math math math” written into libraries

69. openssl to create secret & public keys openssl ecparam -genkey

    -name secp256k1 -rand /dev/urandom -out \ /Users/lcrouch/secret_key openssl ec -in /Users/lcrouch/ secret_key -pubout -out \ /Users/lcrouch/public_key

70. openssl to sign & verify openssl dgst -sign secret_key message

    -out luke_dollar.signed openssl dgst -verify public_key 
 -signature luke_dollar.signed valid

71. digital signatures enable everyone else to verify the authenticity of

    the data

72. authenticity the person writing the data

73. The “crypto” in cryptocurrency gives us … • Integrity, from

    • Blockchain, from • Hash pointers, from • Hash functions • Authenticity,
 Non-repudiation, from • Digital Signatures, from • Public Key Cryptography … not encryption for confidentiality

74. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

75. Now we have enough cryptographic primitives to build a (really

    bad) cryptocurrency

76. “Goofycoin” cryptocurrency

77. Goofycoin 1. Designated entity - Goofy - can create new

    coins anytime and coins belong to Goofy 2. Whoever owns a coin can transfer it to someone else

78. Goofy creates coins • Generates unique coin ID: 001 •

    Makes message: “CreateCoin 001” • Hashes and signs message as H(1) with secret key

79. Goofy transfers coin to Alice • New message:
 “Starting at

    H(1), PayCoin 001 to Alice” • Note: Alice = Alice’s public key / address • Hashes and signs message as H(2) with secret key

80. Alice transfers coin to Bob • New message:
 “Starting at

    H(2), PayCoin 001 to Bob” • Note: Bob = Bob’s public key / address • Hashes and signs message as H(3) with secret key

81. Now we can have a tamper-proof ledger of transactions! CreateCoin

    001 Goofy PayCoin: 001 Alice Goofy H( ) Alice H( ) PayCoin: 001 Bob

82. Goofycoin 1. Designated entity - Goofy - can create new

    coins anytime and coins belong to Goofy 2. Whoever owns a coin can transfer it to someone else 3. Anyone can verify coin ownership by following block-chain back to Goofy

83. Security problem: Double-spend

84. Alice can pay the same coin to Chuck CreateCoin [12345]

    Goofy PayCoin: [12345] Alice Goofy H( ) Alice H( ) PayCoin: [12345] Bob Alice H( ) PayCoin: [12345] Chuck

85. How do we decide which ledger is the truth?

86. “Scroogecoin” cryptocurrency

87. Scroogecoin • Goofycoin + • Designated entity - Scrooge -

    publishes the canonical public ledger of all transactions • Everyone broadcasts coin transactions to Scrooge • Only accept coins in Scrooge’s public ledger

88. Scroogecoin • Scrooge builds block chain to digitally sign •

    Each block has a transaction in it • ID • contents • hash point to previous block • Scrooge signs final hash pointer • Scrooge publishes signature and block chain

89. Scroogecoin Transactions • CreateCoins • PayCoins

90. CreateCoins number value recipient 1 3.2 Scrooge 2 1.4 Goofy

    3 7.1 Alice CreateCoins transID: 1

91. PayCoins number value recipient 1 1 Bob 2 6.1 Alice

    PayCoins coins: 1(3) transID: 2 Which coins are being consumed?

92. number value recipient 1 1 Bob 2 6.1 Alice PayCoins

    coins: 1(3) transID: 2 number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice transID: 1 CreateCoins 1(3)

93. Scrooge signs off on everything prev: H()
 e3b0c4 transID: 1

    prev: H()
 f4c1d5 transID: 2 H()
 05d2e6 Scrooge number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice number value recipient 1 1 Bob 2 6.1 Alice PayCoins coins: 1(3) CreateCoins

94. Now, when Alice tries to double-spend …

95. Alice tries to re-spend coin from Block 1 after Scrooge

    signs Block 2 prev: H()
 e3b0c4 transID: 1 prev: H()
 f4c1d5 transID: 2 H()
 05d2e6 Scrooge number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice number value recipient 1 1 Bob 2 6.1 Alice PayCoins coins: 1(3) CreateCoins prev: H()
 f4c1d5 transID: 2 number value recipient 1 1 Chuck 2 6.1 Alice PayCoins coins: 1(3)

96. Scrooge catches her

97. Scrooge rejects Alice’s double-spend transaction prev: H()
 e3b0c4 transID: 1

    prev: H()
 f4c1d5 transID: 2 H()
 05d2e6 Scrooge number value recipient 1 3.2 Scrooge 2 1.4 Goofy 3 7.1 Alice number value recipient 1 1 Bob 2 6.1 Alice PayCoins coins: 1(3) CreateCoins prev: H()
 f4c1d5 transID: 2 number value recipient 1 1 Chuck 2 6.1 Alice PayCoins coins: 1(3)

98. So, we’ve got a cryptocurrency …

99. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

    Cryptographic Hash Functions

100. but Scrooge … • maintains the ledger of transactions •

     has authority over which transactions are valid • creates new coins

101. How do we get rid of Scrooge?

102. Without Scrooge … • Who maintains the ledger of transactions?

     • Who has authority over which transactions are valid? • Who creates new coins?

103. Coin miners!

104. Coin miners • maintain the ledger of transactions • have

     authority over which transactions are valid • create new coins

105. Who are coin miners?

106. Let’s look at Bitcoin specifically

107. Bitcoin is a peer-to-peer network

108. You can participate!

109. None

110. It will take up all your disk space

111. To pay Bob, Alice broadcasts a transaction to all Bitcoin

     nodes

112. Alice Bitcoin Node Bitcoin Node Bitcoin Node Bitcoin Node Bitcoin

     Node

113. Bitcoin nodes (maybe) include Alice’s transaction in the next block

114. A block is just a large grouping of transactions

115. Bitcoin nodes are governed by a Distributed Consensus Protocol

116. Skipping: Distributed Consensus Protocol tl;dr: it needs a majority of

     nodes to behave honestly, and to pick a random node from the network for each block

117. How do you make a majority of nodes behave honestly?

118. NOT crypto … incentives!

119. “… Bitcoin works better in practice than in theory.”

120. “… Bitcoin works better in practice than in theory.” •

     Consensus over time • Incentives

121. Can we give nodes an incentive to behave honestly over

     the long term?

122. No real identities, so we can’t exactly mail them cash

123. If only there were a digital currency we could give

     them without having to know their real identities …

124. Block reward: CreateCoins transaction

125. Alice mines a block, and gets to create new coins

     to herself number value recipient CreateCoins 0 25 Alice (dc3c6e) PayCoins from 1(1) 1 1.1 Bob (e5ceb5) 2 6.1 Alice (dc3c6e) transID: 2

126. Financial incentive to be honest: miners only include valid transactions,

     because they want their own CreateCoins transaction included in the long-term consensus block-chain

127. A distributed consensus protocol 1. New transactions are broadcast to

     all nodes 2. Each node collects new transactions into a block 3. In each round, a random node adds its block to the end of the block-chain 4. Other nodes accept the block only if all transactions in it are valid - i.e., unspent coins with valid signatures

128. In each round, how do you pick a random node?

129. Proof of Work

130. Proof of work • Approximate random selection in proportion to

     a scarce resource • In Bitcoin, it’s computing power • Nodes compete with each other on computing power

131. Hash puzzles

132. puzzle friendliness Given hash output and part of input (i.e.,

     the nonce), it’s “hard” (but not infeasible) to find the input

133. message hash dc66ec puzzle-friendly: given the hash and nonce, hard

     to find a message lots of work nonce 123456 message lots of work

134. Hash puzzles in bitcoin mining • To create a block,

     a node is required to find a nonce such that when you combine … • nonce • previous block’s hash • list of transactions • … the hash output should be a string that falls into a certain range

135. H(nonce || prev_hash || tx || tx || … ||

     tx) < target

136. In Bitcoin the target is a string that starts with

     some number of 0’s

137. sha256 is “puzzle-friendly”, so the only way to solve this

     puzzle is to just try random nonces

138. In Bitcoin the target is a string that starts with

     some number of 0’s

139. blockchain.com

140. None

141. Yay! We made it to Bitcoin!

142. Public Key Cryptography Digital Signatures Hash Pointers Blockchain Cryptocurrency Bitcoin

     Cryptographic Hash Functions

143. So, to mine cryptocurrency you need: • Lots of efficient

     processing to complete the proof-of-work hashing • Lots of efficient networking to communicate with the distributed peer-to-peer nodes

144. Efficient processing Are CPUs good enough?

145. https://www.slideshare.net/AmazonWebServices/aws-reinvent-2016-deep-learning-3d-content-rendering-and-massively-parallel-compute-intensive-workloads-in-the-cloud-cmp317

146. CPU mining Bitcoin ~20M h/s = several hundred thousand years

     to get a block https://99bitcoins.com/20-insane-bitcoin-mining-rigs/

147. GPU mining Bitcoin ~200M h/s = hundreds of years http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

148. ASIC mining Bitcoin 2,100,000M h/s and 0.43 watts/Gigahashes http://blog.whitesites.com/GPU-miners-vs-USB-ASIC-Miners-for-Bitcoin__635096680766259765_blog.htm

149. ASIC mining Bitcoin 2,100,000M h/s and 0.43 watts/Gigahashes https://99bitcoins.com/7-awesome-asic-bitcoin-miners/

150. ASIC mining Bitcoin 2,100,000M h/s and 0.43 watts/Gigahashes https://seekingalpha.com/article/4140062-bitcoin-transaction-fee-issue-going-get-worse

151. So how could a victim’s computer ever mine cryptocurrency?

152. You would need to “infect” 105K CPUs or 10.5K GPUs

     to compete with a single ASIC

153. ASIC-resistant puzzle hashing algorithms Since ASICs include very little memory,

     use a memory-intensive hashing algorithm

154. scrypt http://www.pointsoftware.ch/en/the-importance-of-hashing-passwords-part-4-the-hardware-threat/

155. scrypt & Litecoin • scrypt hashing function • Fill a

     large buffer of RAM • Mutate the memory in pseudo-random order • O(N2) function • Choose N large enough to make memory faster • Litecoin • ASICs already out for Litecoin param of N=128KB • 504M h/s at 1.58 w/MH • (Remember Bitcoin was 2,100,000M h/s and 0.43 watts/Gigahashes) https://www.hashespersecond.com/asic/

156. CryptoNight https://4.bp.blogspot.com/-NJddW0tx9j0/U_6C2wgXSAI/AAAAAAAAkDk/nyKkOESWgwI/s1600/cryptonight.png

157. Memory-hard hashes • CryptoNight hashing function • Monero • 2MB

     memory buffer • Uses AES-NI found on most modern x86_64 CPUs • ASICs: 0.2M h/s @ 2.27 w/KH • Litecoin ASIC: 504M h/s @ 1.58 w/MH • Bitcoin ASIC: 2,100,000M h/s and 0.043 w/MH • Also, Monero adjusted PoW algo. so these devices don’t work for Monero anymore https://www.hashespersecond.com/asic/

158. So, a victim’s computer could feasibly mine Monero

159. Oh yeah, Javascript

160. With Web APIs you get: • Efficient processing to complete

     the proof-of-work hashing • Web Workers & WebAssembly • Efficient networking to communicate with the distributed peer-to-peer nodes • Web Sockets

161. Cryptojacking! <script src=“https://coinhive.com/lib/coinhive.min.js"></script>

162. coinhive.min.js

163. CoinHive Malware Analysis • Creates WebWorker with number of threads

     == number of CPU cores available (up to 8 max) • Loads WebAssembly program into worker for mining (default throttle to 100% CPU usage!) • Creates WebSocket connection between server and browser • Server notifies browser if new blocks are found and sends new transactions to browser

164. • threads - number of WebWorkers to use; defaults to

     using as many cores as possible • throttle - fraction of time threads should be idle; defaults to “0” https://webcache.googleusercontent.com/search?q=cache:https://coinhive.com/documentation/miner

165. Check if already loaded; if not, download; _startNow() when ready

166. Don’t run in multiple tabs (how nice of them!)

167. we’re not maxing out the cores?! spawn more worker jobs!

     Note: this._threads for later

168. Finally! new Worker()

169. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

170. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

171. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

172. https://www.slideshare.net/enriqueoriol7/boost-your-angular-app-with-web-workers

173. Finally! new Worker()

174. lots of js, including WebAssembly, as an object URL Note:

     WEBSOCKET_SHARDS for later …
175. None
176. None

177. back in startNow, _connect to servers for block updates

178. new WebSocket to a random server from WEBSOCKET_SHARDS Note: remember

     WEBSOCKET_SHARDS from before?

179. new WebSocket()

180. Traditional HTTP “polling” adds repeated request + response overhead https://www.pubnub.com/blog/2014-10-01-websockets-and-long-polling-in-javascript-ruby-and-python/

181. WebSocket allows bidirectional messaging

182. 1K messages over time WebSocket vs. REST (HTTP) http://blog.arungupta.me/rest-vs-websocket-comparison-benchmarks/

183. new WebSocket to a random server from WEBSOCKET_SHARDS

184. Note: remember this._threads from before?

185. None

186. How to get this into browsers?

187. Ask websites to include it

188. Mozilla research • Crawl Alexa Top 10k looking for <script>

     tags to one of the 212 crypto-jacking hosts in adblock-nocoin-list • Of 6M <script> calls, 945 (0.015%) use crypto-jacking script • number of crypto-jacking hosts used: 11 (5.2% of known hosts) • number of CoinHive scripts: 507 (54%) • Majority of domains detected with crypto-jacking were streaming sites https://github.com/mozilla/UCOSP-winter-2018_TrackingTechnologies/blob/master/analyses/cryptojacking/cryptojacking_analysis.ipynb

189. Note: coinhive.com is now gone; only authedmine.com remains

190. malvertising

191. Malvertising research

192. Man-in-the-middle injection bettercap.org

193. mitm crypto-miner.js caplet from bettercap

194. What to do about it?

195. First: Add known
 crypto-miners to our block-list

196. None

197. Done • Go to about:config • Search for urlclassifier.trackingTable •

     add tracking-protection-base-cryptomining and tracking-protection-content-cryptomining

198. As of Tuesday, it’s even easier!

199. None
200. None

201. Use Machine-Learning and other heuristics to detect crypto-mining JS

202. “Towards Seamless Tracking-Free Web: Improved Detection of Trackers via One-

     class learning” • Summary:
 Training a classifier to detect JS tracking code • Conducted by:
 • Data Source:
 Web crawl of Alexa top 50
 45 random sites from Alexa 5,000-45,000 • Machine Learning Algorithms/Methods:
 Support Vector Machine, Positive & Unlabeled • Data features:
 JavaScript semantic & syntactic tokens and n-grams • Results • 99% true positives for one-class Support Vector Machine https://www.degruyter.com/downloadpdf/j/popets.2017.2017.issue-1/popets-2017-0006/popets-2017-0006.pdf

203. Questions? • Crypto -> Blockchain • Bitcoin • Web Workers,

     Web Assembly • Web Sockets • Preventing • Luke Crouch • @groovecoder • speakerdeck.com/groovecoder • github.com/groovecoder