Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Loophole: Timing Attacks on Shared Event Loops in Chrome
Semelhante a Loophole: Timing Attacks on Shared Event Loops in Chrome (20)
Último
Último (20)
Loophole: Timing Attacks on Shared Event Loops in Chrome
- 1. Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Köpf vwzq.net @cgvwzq github.com/cgvwzq
- 2. EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW
- 3. EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW
- 5. We exploit 2 different shared Event Loops in Chrome:
- 6. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
- 7. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement 3 different attacks:
- 8. Page Identification And implement 3 different attacks: We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
- 9. And implement 3 different attacks: 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 Inter-keystroke Timing Page Identification We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
- 10. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement 3 different attacks: Page Identification Covert Channel 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 Inter-keystroke Timing
- 19. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
- 21. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
- 22. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
- 23. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
- 24. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
- 25. FIFO queue Dispatcher time e0 e1 e3 e2 Shared Event Loop
- 26. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
- 27. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
- 28. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
- 29. FIFO queue Dispatcher time e0 e1 e2 e4 e3 Shared Event Loop
- 30. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
- 31. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
- 32. FIFO queue Dispatcher time d0 d1 d2 d3 e0 e1 e2 e3 e4 Shared Event Loop
- 33. FIFO queue Dispatcher time Event-delay trace d0 d1 d2 d3 e0 e1 e2 e3 e4 Shared Event Loop
- 34. SYSTEM/INTERNET
- 36. HOST PROCESS SYSTEM/INTERNET • NETWORK REQUESTS • IPC COMMUNICATION • DISPATCHES USER ACTIONS
- 37. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 | SHARED BETWEEN ALL RENDERERS
- 38. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 |
- 39. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 | evil.com
- 40. <script> function loop () { save(performance.now()); fetch(new Request("http://0/")) .catch(loop); } loop(); </script> Timing resolution of ~500 μs Spying on the Host
- 41. Timing resolution of ~500 μs With some smarter techniques we obtain <100 μs (see the paper) <script> function loop () { save(performance.now()); fetch(new Request("http://0/")) .catch(loop); } loop(); </script> Spying on the Host
- 42. HOST PROCESS SYSTEM/INTERNET RENDERER 1 tab1 | trusted.com
- 43. HOST PROCESS SYSTEM/INTERNET RENDERER 1 • JAVASCRIPT EXECUTION • RESOURCE PARSING • LAYOUT & RENDERING tab1 | trusted.com
- 44. HOST PROCESS SYSTEM/INTERNET RENDERER 1 iframe | SHARED BETWEEN IFRAMES, POPUPS, MAX #RENDERER EXCEEDED… tab1 | trusted.com
- 45. HOST PROCESS SYSTEM/INTERNET RENDERER 1 iframe | evil.co tab1 | trusted.com
- 46. <script> function loop() { save(performance.now()); self.postMessage(0, "*"); } self.onmessage = loop; loop(); </script> Timing resolution of <25 μs Spying on the Renderer
- 47. Duration of Events in the Renderer loop() GC scavenge Mouse movement JS event handlers μ-arch events 25 μs 100 μs <1 ms >2 ms<5μs
- 48. Duration of Events Responsive code is harder to identify loop() GC scavenge Mouse movement JS event handlers μ-arch events 25 μs 100 μs <1 ms >2 ms<5μs
- 50. Web Page Identification & Inter-keystroke Timing
- 51. Web Page Identification Monitor the EventLoop while page loading
- 52. Dynamic Time Warping DTW is resistant to delays in the occurrence of events
- 53. Dynamic Time Warping DTW is resistant to delays in the occurrence of events 2-4 seconds of measuring
- 54. Dynamic Time Warping DTW is resistant to delays in the occurrence of events 2-4 seconds of measuring One trace for training
- 55. Web Page Identification 500 pages x 30 traces x 3 machines x 2 event loops Renderer’s main thread: Host’s I/O thread: 75% 23% (Linux desktop) (Macbook Pro) (recognition rates below 5% across machines) R-library and datasets: https://github.com/cgvwzq/rlang-loophole
- 56. Inter-keystroke Timing 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 We obtain the password length and time between consecutive pressed keys
- 57. Inter-keystroke Timing 10.000 passwords 90% accuracy precision: σ = 6.1 ms
- 58. Inter-keystroke Timing More precision than network based attacks. Less noise than in micro-architectural attacks. No privileges. No training. 10.000 passwords 90% accuracy precision: σ = 6.1 ms
- 59. Countermeasures • Reduce clock resolution • Site Isolation Project • CPU throttling • Rate limiting
- 60. Countermeasures • Reduce clock resolution • Site Isolation Project • CPU throttling • Rate limiting
- 61. Conclusions • Shared event loops in Chrome are vulnerable to timing side-channels • We systematically study how this channel can be used for different attacks • Fundamental design issues that need to be addressed