10. We exploit 2 different shared Event Loops in Chrome:
• I/O’s of the Host Process
• Main thread’s of Renderers
And implement 3 different attacks:
• Page Identification
• Covert Channel
• Inter-keystroke Timing
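41. Spying on the Host
<script>
// Timestamps collected by the loop. save() is not defined on the slide;
// this minimal version is an assumption.
const samples = [];
function save(t) { samples.push(t); }

function loop () {
  // Record one timestamp per iteration
  save(performance.now());
  // The request to http://0/ fails, so the rejection handler runs loop() again
  fetch(new Request("http://0/"))
    .catch(loop);
}
loop();
</script>
Timing resolution of ~500 μs
With some smarter techniques we obtain <100 μs (see the paper)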
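The principle behind the monitoring loop on this slide, as an added example that is not from the talk or the paper: a deterministic model of one FIFO event loop shared by a self-reposting monitor task and other tasks, showing that the gaps between the monitor's timestamps expose when other tasks ran and for how long. The function names, the 500 μs monitor cost and the task list are assumptions constructed for illustration.

```javascript
// Added teaching model, not Chrome code. Times are simulated microseconds.
// One FIFO event loop is shared by a self-reposting monitor task and by
// other tasks {at, cost}: enqueued at `at`, occupying the loop for `cost`.
function simulateSharedLoop(others, monitorCost, endUs) {
  const pending = [...others].sort((a, b) => a.at - b.at);
  const queue = [{ kind: "monitor", cost: monitorCost }];
  const samples = [];
  let now = 0;
  while (now < endUs) {
    const task = queue.shift();
    if (task.kind === "monitor") samples.push(now); // what save() records
    now += task.cost; // the running task blocks everything behind it
    // Tasks that arrived meanwhile queue up in arrival order...
    while (pending.length > 0 && pending[0].at <= now) {
      queue.push({ kind: "other", cost: pending.shift().cost });
    }
    // ...and the monitor re-posts itself behind them.
    if (task.kind === "monitor") queue.push(task);
  }
  return samples;
}

// A gap longer than the monitor's own round trip means another task held the
// loop in between; the excess equals the time that task (or tasks) ran.
function excessDelays(samples, monitorCost) {
  const delays = [];
  for (let i = 1; i < samples.length; i++) {
    const excess = samples[i] - samples[i - 1] - monitorCost;
    if (excess > 0) delays.push({ after: samples[i - 1], excess });
  }
  return delays;
}

// Constructed workload: two short tasks close together, then one longer task.
const CONSTRUCTED_TASKS = [
  { at: 1200, cost: 300 },
  { at: 1300, cost: 200 },
  { at: 4100, cost: 900 },
];
const MONITOR_COST_US = 500; // assumed, mirrors the ~500 μs figure on the slide
const trace = simulateSharedLoop(CONSTRUCTED_TASKS, MONITOR_COST_US, 6000);
console.log(excessDelays(trace, MONITOR_COST_US));
```

The two tasks enqueued at 1200 and 1300 appear as one merged delay, because events closer together than the monitor's round trip cannot be told apart; that round trip is what the resolution figure on the slide bounds.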
58. Inter-keystroke Timing
More precision than network based attacks.
Less noise than in micro-architectural attacks.
No privileges. No training.
10,000 passwords
90% accuracy
precision: σ = 6.1 ms
61. Conclusions
• Shared event loops in Chrome are vulnerable to
timing side-channels
• We systematically study how this channel can be
used for different attacks
• Fundamental design issues that need to be
addressed