TY - GEN
T1 - A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks
AU - Srinivasa, Shreyas
AU - Georgoulias, Dimitrios
AU - Pedersen, Jens Myrup
AU - Vasilomanolakis, Emmanouil
PY - 2022/3
Y1 - 2022/3
N2 - Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.
AB - Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.
KW - online IDE
KW - uncontrolled execution
UR - http://www.scopus.com/inward/record.url?scp=85134175974&partnerID=8YFLogxK
U2 - 10.1109/EuroSPW55150.2022.00015
DO - 10.1109/EuroSPW55150.2022.00015
M3 - Article in proceeding
SN - 978-1-6654-9561-5
T3 - IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
SP - 82
EP - 92
BT - IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations
PB - IEEE
T2 - 2022 IEEE European Symposium on Security and Privacy Workshops
Y2 - 6 June 2022 through 10 June 2022
ER -