A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Shreyas Srinivasa; Dimitrios Georgoulias; Jens Myrup Pedersen; Emmanouil Vasilomanolakis

doi:10.1109/EuroSPW55150.2022.00015

A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Shreyas Srinivasa, Dimitrios Georgoulias, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

272 Downloads (Pure)

Abstract

Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

Original language	English
Title of host publication	IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations
Number of pages	11
Publisher	IEEE
Publication date	Mar 2022
Pages	82-92
Article number	9799405
ISBN (Print)	978-1-6654-9561-5
ISBN (Electronic)	978-1-6654-9560-8
DOIs	https://doi.org/10.1109/EuroSPW55150.2022.00015
Publication status	Published - Mar 2022
Event	2022 IEEE European Symposium on Security and Privacy Workshops - Genoa, Italy Duration: 6 Jun 2022 → 10 Jun 2022

Conference

Conference	2022 IEEE European Symposium on Security and Privacy Workshops
Country/Territory	Italy
City	Genoa
Period	06/06/2022 → 10/06/2022

Series	IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
ISSN	2768-0657

Keywords

online IDE
uncontrolled execution

Access to Document

10.1109/EuroSPW55150.2022.00015

BadIDEaAccepted author manuscript, 908 KB

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

Srinivasa, S., Georgoulias, D., Pedersen, J. M., & Vasilomanolakis, E. (2022). A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. In IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations (pp. 82-92). [9799405] IEEE. IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) https://doi.org/10.1109/EuroSPW55150.2022.00015

@inproceedings{e4e2c166b2544f83b17342274dbe8657,

title = "A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks",

abstract = "Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.",

keywords = "online IDE, uncontrolled execution",

author = "Shreyas Srinivasa and Dimitrios Georgoulias and Pedersen, {Jens Myrup} and Emmanouil Vasilomanolakis",

year = "2022",

month = mar,

doi = "10.1109/EuroSPW55150.2022.00015",

language = "English",

isbn = "978-1-6654-9561-5",

series = "IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)",

publisher = "IEEE",

pages = "82--92",

booktitle = "IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations",

address = "United States",

note = "2022 IEEE European Symposium on Security and Privacy Workshops ; Conference date: 06-06-2022 Through 10-06-2022",

}

Srinivasa, S , Georgoulias, D , Pedersen, JM & Vasilomanolakis, E 2022, A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. in IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations., 9799405, IEEE, IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 82-92, 2022 IEEE European Symposium on Security and Privacy Workshops, Genoa, Italy, 06/06/2022. https://doi.org/10.1109/EuroSPW55150.2022.00015

A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. / Srinivasa, Shreyas ; Georgoulias, Dimitrios ; Pedersen, Jens Myrup et al.
IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations. IEEE, 2022. p. 82-92 9799405 (IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)).

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

TY - GEN

T1 - A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

AU - Srinivasa, Shreyas

AU - Georgoulias, Dimitrios

AU - Pedersen, Jens Myrup

AU - Vasilomanolakis, Emmanouil

PY - 2022/3

Y1 - 2022/3

N2 - Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

AB - Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

KW - online IDE

KW - uncontrolled execution

UR - http://www.scopus.com/inward/record.url?scp=85134175974&partnerID=8YFLogxK

U2 - 10.1109/EuroSPW55150.2022.00015

DO - 10.1109/EuroSPW55150.2022.00015

M3 - Article in proceeding

SN - 978-1-6654-9561-5

T3 - IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

SP - 82

EP - 92

BT - IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations

PB - IEEE

T2 - 2022 IEEE European Symposium on Security and Privacy Workshops

Y2 - 6 June 2022 through 10 June 2022

ER -

Srinivasa S , Georgoulias D , Pedersen JM, Vasilomanolakis E. A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. In IEEE European Symposium on Security and Privacy, Workshop on Attackers and Cyber-Crime Operations. IEEE. 2022. p. 82-92. 9799405. (IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)). doi: 10.1109/EuroSPW55150.2022.00015

A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Abstract

Conference

Keywords

Access to Document

AUB Link

Other files and links

Fingerprint

Cite this