A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Shreyas Srinivasa; Dimitrios Georgoulias; Jens Myrup Pedersen; Emmanouil Vasilomanolakis

doi:10.1109/EuroSPW55150.2022.00015

A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Shreyas Srinivasa, Dimitrios Georgoulias, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

357 Downloads (Pure)

Abstract

Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

Originalsprog	Engelsk
Titel	IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations
Antal sider	11
Forlag	IEEE
Publikationsdato	mar. 2022
Sider	82-92
Artikelnummer	9799405
ISBN (Trykt)	978-1-6654-9561-5
ISBN (Elektronisk)	978-1-6654-9560-8
DOI	https://doi.org/10.1109/EuroSPW55150.2022.00015
Status	Udgivet - mar. 2022
Begivenhed	2022 IEEE European Symposium on Security and Privacy Workshops - Genoa, Italien Varighed: 6 jun. 2022 → 10 jun. 2022

Konference

Konference	2022 IEEE European Symposium on Security and Privacy Workshops
Land/Område	Italien
By	Genoa
Periode	06/06/2022 → 10/06/2022

Navn	IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
ISSN	2768-0657

Adgang til dokumentet

10.1109/EuroSPW55150.2022.00015

BadIDEaAccepteret manuskript, 908 KB

AUB Link

Søg efter materialet i Aalborg Universitetsbiblioteks søgemaskine

Andre filer og links

Link to publication in Scopus

Citationsformater

@inproceedings{e4e2c166b2544f83b17342274dbe8657,

title = "A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks",

abstract = "Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.",

keywords = "online IDE, uncontrolled execution",

author = "Shreyas Srinivasa and Dimitrios Georgoulias and Pedersen, {Jens Myrup} and Emmanouil Vasilomanolakis",

year = "2022",

month = mar,

doi = "10.1109/EuroSPW55150.2022.00015",

language = "English",

isbn = "978-1-6654-9561-5",

series = "IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)",

publisher = "IEEE",

pages = "82--92",

booktitle = "IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations",

address = "United States",

note = "2022 IEEE European Symposium on Security and Privacy Workshops ; Conference date: 06-06-2022 Through 10-06-2022",

}

Srinivasa, S, Georgoulias, D, Pedersen, JM & Vasilomanolakis, E 2022, A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. i IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations., 9799405, IEEE, IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), s. 82-92, 2022 IEEE European Symposium on Security and Privacy Workshops, Genoa, Italien, 06/06/2022. https://doi.org/10.1109/EuroSPW55150.2022.00015

A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. / Srinivasa, Shreyas; Georgoulias, Dimitrios; Pedersen, Jens Myrup et al.
IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations. IEEE, 2022. s. 82-92 9799405 (IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)).

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

TY - GEN

T1 - A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

AU - Srinivasa, Shreyas

AU - Georgoulias, Dimitrios

AU - Pedersen, Jens Myrup

AU - Vasilomanolakis, Emmanouil

PY - 2022/3

Y1 - 2022/3

N2 - Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

AB - Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

KW - online IDE

KW - uncontrolled execution

UR - http://www.scopus.com/inward/record.url?scp=85134175974&partnerID=8YFLogxK

U2 - 10.1109/EuroSPW55150.2022.00015

DO - 10.1109/EuroSPW55150.2022.00015

M3 - Article in proceeding

SN - 978-1-6654-9561-5

T3 - IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

SP - 82

EP - 92

BT - IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations

PB - IEEE

T2 - 2022 IEEE European Symposium on Security and Privacy Workshops

Y2 - 6 June 2022 through 10 June 2022

ER -

Srinivasa S, Georgoulias D, Pedersen JM, Vasilomanolakis E. A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. I IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations. IEEE. 2022. s. 82-92. 9799405. (IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)). doi: 10.1109/EuroSPW55150.2022.00015

A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Abstract

Konference

Adgang til dokumentet

AUB Link

Andre filer og links

Fingeraftryk

Citationsformater