1

Abusing Cloud-Based Browsers for Fun and

Profit

Vasant Tendulkar, Joe Pletcher, Ashwin Shashidharan,Ryan Snyder, Kevin Butler, William Enck

2012 Annual Computer Security Applications Conference

2

IntroductionApproach overviewBrowser resource limitationsDesigning and scheduling jobsEvaluationDiscussion

Outline

3

Pay-per-use computationEC2

Cloud-based Web browsersJavaScript executes on the server

Arbitrary general-purpose computation within cloud-based browsers

Browser MapReduce(BMR)Mapper.jsReducer.js

Introduction

4

Approach overview(1)

5

Cloud browsers have articial limitationsMappers cannot use local storage to

communicate intermediate resultsBit.ly

Encode URLs up to 2022 characters in lengthRate-limits requests to 99 per IP address per

minute

Job scheduling

Approach overview(2)

6

BenchmarksComputationElapsed TimeMemory

Cloud browsersAmazon SilkCloud BrowseOpera MiniPuffin

Browser resource limitations

7

Benchmarks(1)

8

Benchmarks(2)

9

Benchmark Results

10

Map and reduce abstractionScheduling jobsExample applications

Word CountDistributed GrepDistributed Sort

Designing and scheduling jobs

11

Mapper Abstraction

12

Reducer Abstraction

13

To effectively use cloud browser an URL shortening service resource

AssumeInput is divided into a large number of equally

sized filesMapper schedulingReducer scheduling

Scheduling Jobs(1)

14

Scheduling Jobs(2)

15

Master determinesMn, the number of mappers to spawnMf, the number of input files to pass to each

mapper

Mapper Scheduling(1)

Assumes fs is several times smaller than bs

16

Rate limiting of URL shortening services

Bit.lyEncode URLs up to 2022 characters in length, Us =

2022Rate-limits requests to 99 per IP address per

minute, Un = 99

Mapper Scheduling(2)

17

Application speficbucket in bucket sortPartition in word count

Reducer Scheduling

18

Word Counthttp://foo.com/?word1=5&word2=7&...

Distributed Grephttp://foo.com/?

bar1.txt=45&bar1.txt=48&bar2.txt=34Distributed Sort

TeraSorthttp://foo.com/?

key1=file1&key2=file2&key3=file3

Example Applications

19

Experiment setupWord Count

100 most downloaded books from www.gutenberg.com/ebooks/

Distributed GrepIRC logs for the #debian channel

Distributed SortHadoop teragenA 10 character key and an 88 character value

Evaluation

20

Evaluation - results(1)

21

Evaluation - results(2)

22

Recommendations for Cloud Browser ProvidersRate limits on authenticated user

Enhancing BMRUsing multiple cloud browserCombination of URL shortening services

Discussion

23

THE END