Top

Published in:

2017 | OriginalPaper | Chapter

Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript

Authors : Michael Schwarz, Clémentine Maurice, Daniel Gruss, Stefan Mangard

Published in: Financial Cryptography and Data Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Research showed that microarchitectural attacks like cache attacks can be performed through websites using JavaScript. These timing attacks allow an adversary to spy on users secrets such as their keystrokes, leveraging fine-grained timers. However, the W3C and browser vendors responded to this significant threat by eliminating fine-grained timers from JavaScript. This renders previous high-resolution microarchitectural attacks non-applicable.

We demonstrate the inefficacy of this mitigation by finding and evaluating a wide range of new sources of timing information. We develop measurement methods that exceed the resolution of official timing sources by 3 to 4 orders of magnitude on all major browsers, and even more on Tor browser. Our timing measurements do not only re-enable previous attacks to their full extent but also allow implementing new attacks. We demonstrate a new DRAM-based covert channel between a website and an unprivileged app in a virtual machine without network hardware. Our results emphasize that quick-fix mitigations can establish a dangerous false sense of security.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter PEEP: Passively Eavesdropping Private Input via Brainwave Signals

next chapter Attacks on Secure Logging Schemes

Available only for authorised users

Christensen, A.: Reduce resolution of performance.now (2015). https://bugs.webkit.org/show_bug.cgi?id=146531

Bernstein, D.J.: Cache-Timing Attacks on AES (2004). http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

Zbarsky, B.: Reduce resolution of performance.now. https://hg.mozilla.org/integration/mozilla-inbound/rev/48ae8b5e62ab

Bortz, A., Boneh, D.: Exposing private information by timing web applications. In: WWW 2007 (2007)

Bosman, E., Razavi, K., Bos, H., Giuffrida, C.: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector. In: S&P 2016 (2016)

Chromium: window.performance.now does not support sub-millisecond precision on Windows (2015). https://bugs.chromium.org/p/chromium/issues/detail?id=158234#c110

Chromium Bug Tracker: HTML5 nested workers are not supported in chromium (2010). https://bugs.chromium.org/p/chromium/issues/detail?id=31666. Accessed 18 Oct 2016

Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: CCS 2000 (2000)

Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 300–321. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_15CrossRef

10.

Gullasch, D., Bangerter, E., Krenn, S.: Cache games – bringing access-based cache attacks on AES to practice. In: S&P 2011 (2011)

11.

Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 760–771. ACM (2012)

12.

Hu, W.M.: Lattice scheduling and covert channels. In: S&P 1992, pp. 52–61 (1992)

13.

Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in javascript web applications. In: CCS 2010 (2010)

14.

Jia, Y., Dong, X., Liang, Z., Saxena, P.: I know where you’ve been: geo-inference attacks via the browser cache. IEEE Internet Comput. 19(1), 44–53 (2015)CrossRef

15.

Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J.H., Lee, D., Wilkerson, C., Lai, K., Mutlu, O.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ISCA 2014 (2014)

16.

Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9CrossRef

17.

Kohlbrenner, D., Shacham, H.: Fuzzyfox (2016). https://github.com/dkohlbre/gecko-dev/tree/fuzzyfox. Accessed 23 January 2017

18.

Kohlbrenner, D., Shacham, H.: Trusted browsers for uncertain times. In: USENIX Security Symposium (2016)

19.

Hansen, L.T.: Shared memory: Side-channel information leaks (2016). https://github.com/tc39/ecmascript_sharedmem/blob/master/issues/TimingAttack.md

20.

Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: ARMageddon: cache attacks on mobile devices. In: USENIX Security Symposium (2016)

21.

Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: S&P 2015 (2015)

22.

Martin, R., Demme, J., Sethumadhavan, S.: TimeWarp: rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks. In: Proceedings of the 39th International Symposium on Computer Architecture (ISCA 2012) (2012)

23.

Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_3CrossRef

24.

Maurice, C., Weber, M., Schwarz, M., Giner, L., Gruss, D., Alberto Boano, C., Mangard, S., Römer, K.: Hello from the other side: SSH over robust cache covert channels in the cloud. In: NDSS 2017 (2017, to appear)

25.

Perry, M.: Bug 1517: Reduce precision of time for Javascript (2015). https://gitweb.torproject.org/user/mikeperry/tor-browser.git/commit/?h=bug1517

26.

Mozilla Developer Network: Concurrency model and Event Loop (2016). https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop

27.

Mozilla Inc.: Ecmascript shared memory and atomics (2016). http://tc39.github.io/ecmascript_sharedmem/shmem.html

28.

Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The Spy in the sandbox: practical cache attacks in JavaScript and their implications. In: CCS 2015 (2015)

29.

Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_1CrossRef

30.

Page, D.: Theoretical use of cache memory as a cryptanalytic side-channel. Cryptology ePrint Archive, Report 2002/169 (2002)

31.

Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan (2005)

32.

Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting DRAM addressing for cross-CPU attacks. In: USENIX Security Symposium (2016)

33.

Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, You, Get Off of My cloud: exploring information leakage in third-party compute clouds. In: CCS 2009 (2009)

34.

Seaborn, M.: Comment on ecmascript shared memory and atomics (2015). https://github.com/tc39/ecmascript_sharedmem/issues/1#issuecomment-144171031

35.

Stone, P.: Pixel perfect timing attacks with HTML5. Context Information Security (White Paper) (2013)

36.

U.S. Department of Defense: Trusted computing system evaluation “the orange book”. Technical report 5200.28-STD (1985)

37.

Van Goethem, T., Joosen, W., Nikiforakis, N.: The clock is still ticking: timing attacks in the modern web. In: CCS 2015 (2015)

38.

Vattikonda, B.C., Das, S., Shacham, H.: Eliminating fine grained timers in xen. In: CCSW 2011 (2011)

39.

W3C: CSS Animations (2016). https://www.w3.org/TR/css3-animations/

40.

W3C: High Resolution Time Level 2 (2016). https://www.w3.org/TR/hr-time/

41.

Weinberg, Z., Chen, E.Y., Jayaraman, P.R., Jackson, C.: I still know what you visited last summer: leaking browsing history via user interaction and side channel attacks. In: S&P 2011 (2011)

42.

WHATWG: HTML Living Standard – Timers (2016). https://html.spec.whatwg.org/multipage/webappapis.html#timers. Accessed 18 Oct 2016

43.

Wong, H.: Intel Ivy Bridge Cache Replacement Policy. http://blog.stuffedcow.net/2013/01/ivb-cache-replacement/. Accessed 18 Oct 2016

44.

Wray, J.C.: An analysis of covert timing channels. J. Comput. Secur. 1(3–4), 219–232 (1992)CrossRef

45.

Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-bandwidth and reliable covert channel attacks inside the cloud. IEEE/ACM Trans. Netw. PP(99), 1 (2014)

46.

Xiao, J., Xu, Z., Huang, H., Wang, H.: A covert channel construction in a virtualized environment. In: CCS 2012 (2012)

47.

Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: CCSW 2011 (2011)

48.

Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (2014)

Title: Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Authors: Michael Schwarz
Clémentine Maurice
Daniel Gruss
Stefan Mangard
Publisher: Springer International Publishing
Book: Financial Cryptography and Data Security
Print ISBN: 978-3-319-70971-0

Electronic ISBN: 978-3-319-70972-7

Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-70972-7_13

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner