To analyze the contents of the cache in all attacks use the "Prime + Probe" method The Center involves filling the cache with a set of reference values and determining changes by measuring access time to them when recharged. In order to bypass the security mechanisms present in browsers, which prevent accurate time measurement, in two versions a controlled attacking DNS or WebSocket server is called upon, which keeps a record of the time of receipt of requests. In one embodiment, the fixed DNS response time is used as a time reference.
Measurements made using external DNS servers or WebSocket, thanks to the use of a classification system based on machine learning, were sufficient to predict values with an accuracy of 98% in the most optimal scenario (on average 80-90%). The attack methods have been tested on various hardware platforms (Intel, AMD Ryzen, Apple M1, Samsung Exynos) and have proven to be versatile.
Next, using the indexOf () function, a small substring is searched in the string, which is initially absent in the original string, that is, the search operation results in an iteration over the entire string. Since the size of the line corresponds to the size of the LLC cache, the scan enables a cache check operation to be performed without manipulating arrays. To measure delays, instead of DNS, this is an appeal to an attacking WebSocket server controlled by the attacker: before the start and after the end of the search operation, requests are sent in the chain,
Each one of these nested divs are styled with a selector that looks for a substring. When rendering the page, the browser first tries to process the inner divs, which results in a search on a large string. The search is done using an obviously missing mask and leads to an iteration of the entire string, after which the "no" condition is triggered and an attempt is made to load the background image.