
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript

Conference paper. Financial Cryptography and Data Security (FC 2017).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

Research showed that microarchitectural attacks like cache attacks can be performed through websites using JavaScript. These timing attacks allow an adversary to spy on users' secrets such as their keystrokes, leveraging fine-grained timers. However, the W3C and browser vendors responded to this significant threat by eliminating fine-grained timers from JavaScript. This renders previous high-resolution microarchitectural attacks non-applicable.

We demonstrate the inefficacy of this mitigation by finding and evaluating a wide range of new sources of timing information. We develop measurement methods that exceed the resolution of official timing sources by 3 to 4 orders of magnitude on all major browsers, and even more on Tor Browser. Our timing measurements not only re-enable previous attacks to their full extent but also allow implementing new attacks. We demonstrate a new DRAM-based covert channel between a website and an unprivileged app in a virtual machine without network hardware. Our results emphasize that quick-fix mitigations can establish a dangerous false sense of security.



Acknowledgments

We would like to thank our shepherd Jean Paul Degabriele, Georg Koppen from the Tor Browser project as well as all our anonymous reviewers. We would also like to thank the major browser vendors for their quick responses when reporting our findings. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 681402).


Author information

Corresponding author: Michael Schwarz.

Appendix A: JavaScript Code (the appendix listings are provided as figures in the full paper and are not reproduced in this preview)


Copyright information

© 2017 International Financial Cryptography Association

Cite this paper

Schwarz, M., Maurice, C., Gruss, D., Mangard, S. (2017). Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: Kiayias, A. (ed.) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol. 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_13

  • DOI: https://doi.org/10.1007/978-3-319-70972-7_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7
