Researchers develop a series of CPU cache side-channel attacks on web browsers, including one that does not require JavaScript

A team of researchers from several American, Israeli and Australian universities has developed three attacks on web browsers that allow information about the contents of the processor cache to be extracted. One method works in browsers without JavaScript, and the other two bypass existing protections against side-channel attacks, including those used in the Tor Browser and DeterFox.

To analyze the contents of the cache, all three attacks use the "Prime+Probe" method, which involves filling the cache with a set of reference values and then detecting changes by measuring the access time to those values when they are reloaded. To get around the browser mechanisms that prevent accurate time measurement, two of the variants rely on an attacker-controlled DNS or WebSocket server that records the time at which requests arrive. In one variant, the fixed DNS response time is used as the time reference.

Measurements taken through the external DNS or WebSocket servers, combined with a machine-learning classifier, were enough to predict values with 98% accuracy in the best case (80-90% on average). The attack methods were tested on several hardware platforms (Intel, AMD Ryzen, Apple M1, Samsung Exynos) and proved to be portable across them.

The first variant, the DNS Racing attack, uses a classic implementation of the Prime+Probe method based on JavaScript arrays. The differences come down to the use of an external DNS-based timer and of an error handler that fires when the page tries to load an image from a non-existent domain. The external timer makes Prime+Probe attacks possible in browsers that restrict or completely disable access to JavaScript timers.

For a DNS server hosted on the same Ethernet network, the precision of the timer is estimated at about 2 ms, which is enough to carry out a side-channel attack (for comparison, the precision of the standard JavaScript timer in the Tor Browser has been reduced to 100 ms). No control over the DNS server is required for the attack, since the duration of the operation is chosen so that the DNS response time serves as a reference against which the cache check is raced: depending on whether the error handler fires earlier or later, it is concluded whether the cache check completed early or late.

The second attack, "String and Sock", is designed to bypass protections that restrict the use of low-level JavaScript arrays. Instead of arrays, String and Sock uses operations on very large strings, whose size is chosen so that the variable covers the entire LLC (last-level cache).

Next, the indexOf() function is used to search the string for a small substring that is known to be absent from it, so the search operation iterates over the entire string. Since the size of the string matches the size of the LLC, the scan performs a cache check without manipulating arrays. To measure delays, a WebSocket server controlled by the attacker is used instead of DNS: before the start and after the end of the search operation, requests are sent over the connection.

The third variant, "CSS PP0", works through HTML and CSS and can run in browsers with JavaScript disabled. The method resembles "String and Sock" but is not tied to JavaScript. The attack generates a set of CSS selectors that search by pattern. The large string that fills the cache is set up by creating a div tag with a very large class name, inside which there is a set of other divs with their own identifiers.

Each of these nested divs is styled with a selector that looks for a substring. When rendering the page, the browser first tries to process the inner divs, which results in a search over the large string. The search uses a pattern that is known to be absent, so it iterates over the entire string, after which the "not" condition is triggered and an attempt is made to load the background image.
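As an added illustration from the defender's side (not the researchers' code): a heuristic scanner over raw page source that flags the CSS PP0 shape described above, namely one element with a cache-sized class attribute together with many substring selectors whose "not" branch loads a background image. The :not([class*=...]) selector form, the size and count thresholds, and the sample page are assumptions constructed for this example.

```javascript
// Added example (not the researchers' code): heuristic detection of the
// CSS PP0 page structure, i.e. one cache-sized class attribute plus many
// :not([class*='...']) rules that load a background image.
// Selector form and thresholds are assumptions, not values from the paper.

const LARGE_CLASS_BYTES = 1 << 20;   // assumed: class value of at least 1 MiB
const MIN_SUBSTRING_RULES = 32;      // assumed: at least 32 such rules

function scanForCssPrimeProbe(html, largeClassBytes = LARGE_CLASS_BYTES,
                              minRules = MIN_SUBSTRING_RULES) {
  // Longest class="..." attribute value in the document.
  let maxClassLen = 0;
  for (const m of html.matchAll(/\bclass\s*=\s*"([^"]*)"/gi)) {
    maxClassLen = Math.max(maxClassLen, m[1].length);
  }
  // Rules shaped like  #id:not([class*='...']) { background-image: url(...) }
  const ruleRe =
    /:not\(\s*\[class\*=\s*['"][^'"]*['"]\s*\]\s*\)\s*\{[^}]*background(?:-image)?\s*:\s*url\(/gi;
  const substringRules = (html.match(ruleRe) || []).length;

  const findings = [];
  if (maxClassLen >= largeClassBytes) findings.push(`class attribute of ${maxClassLen} bytes`);
  if (substringRules >= minRules) findings.push(`${substringRules} :not([class*=]) image-loading rules`);
  // Both signals together are needed: a huge class alone or many rules alone is not enough.
  return { suspicious: findings.length === 2, maxClassLen, substringRules, findings };
}

// Constructed sample page with the described structure, used only as test input.
function buildSamplePage(classLen, ruleCount) {
  const css = [];
  const divs = [];
  for (let i = 0; i < ruleCount; i++) {
    css.push(`#pp${i}:not([class*='missing${i}']) { background-image: url(//probe${i}.example/x.png); }`);
    divs.push(`<div id="pp${i}"></div>`);
  }
  return `<style>${css.join('\n')}</style>` +
         `<div class="${'a'.repeat(classLen)}">${divs.join('')}</div>`;
}
```

Run as a content filter over fetched HTML, the scanner only reports when both the oversized class attribute and the batch of image-loading substring rules are present, which keeps ordinary pages with a few :not() rules from triggering it.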
