Security & Mobility Now

Pest control in the Cloud

by Juniper Employee, 12-11-2012 12:38 PM (edited 12-11-2012 12:40 PM)

One of the reasons I like reading security research papers is the Aha! moments they bring. Here is my recent favorite: a team of university researchers has published a paper titled “Abusing Cloud-Based Browsers for Fun and Profit” (Tendulkar et al., ACSAC 2012). It is well worth your attention. I mean, how often do you see “for fun” in the title of an academic paper? Let’s take a look at the technical content.

 

What is a cloud-based browser? Basically it is software as a service: it takes a URL, fetches and renders the page on the provider’s servers, and sends the result to the end user in a lightweight, optimized form. Mainly targeted at mobile users, such services shift all the computational heavy lifting to powerful dedicated servers, which improves the browsing experience on the handset. In other words, you tell the cloud service which sites to load, and it loads them in full, including the images, Flash and JavaScript components.

 

And here’s the key: if the person submitting the URL is a hacker with bad intentions, she can craft a malicious web page and direct the cloud-based browser to it. The malicious JavaScript then executes in the provider’s browser instance, on the provider’s hardware, not in the hacker’s own browser. Aha! By manipulating that page, an attacker gains limited control over a computing resource sitting in the public cloud. If she can automate the submissions and work around some of the restrictions the service imposes, it becomes possible to build a botnet out of cloud browsers, easily and for free. Such bots are limited in what they can do compared to “traditional” botnets: web sessions expire, pages are subject to the same-origin policy (which stops the script reading other sites’ data, though not from sending requests to them), and browser engines sandbox the page. There are CPU, memory and bandwidth quotas. But even with these limited resources the botnet may be good enough to mount a DDoS attack or run a distributed password-cracking job. Or even to compete with Amazon’s Elastic MapReduce, as the researchers demonstrate in the paper (I recommend reading the full original).

 

This attack is a form of parasitic computing: exploiting someone else’s processing resources. Companies building cloud services should design them with this in mind, meter what each rendering session consumes, and be ready for “pest control” in their infrastructure. Of course no architecture is perfect, especially as more researchers turn their attention to all things cloud. Expect more to come.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.