MineThrottle: Defending against Wasm In-Browser Cryptojacking

In-browser cryptojacking is an urgent threat to web users, where an attacker abuses the users’ computing resources without obtaining their consent. In-browser mining programs are usually developed in WebAssembly (Wasm) for its great performance. Several prior works have measured cryptojacking in the wild and proposed detection methods using static features and dynamic features. However, there exists no good defense mechanism within the user’s browser to stop the malicious drive-by mining behavior. In this work, we propose MineThrottle, a browser-based defense mechanism against Wasm cryptojacking. MineThrottle instruments Wasm code on the fly to detect mining behavior using block-level program profiling. It then throttles drive-by mining behavior based on a user-configurable policy. Our evaluation of MineThrottle with the Alexa top 1M websites demonstrates that it can accurately detect and mitigate in-browser cryptojacking with both a low false positive rate and a low false negative rate.