Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Loophole: Timing Attacks on Shared
Event Loops in Chrome
Pepe Vila and Boris Köpf
vwzq.net
@cgvwzq
github.com/cgvwzq
EVENT DRIVEN PROGRAMMING
SO HOT RIGHT NOW
EVENT DRIVEN PROGRAMMING
SO HOT RIGHT NOW
Source: http://berb.github.io/diploma-thesis/original/042_serverarch.html
We exploit 2 different shared Event Loops in Chrome:
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
And implement 3 ...
Page Identification
And implement 3 different attacks:
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Ho...
And implement 3 different attacks:
19780.000 19785.000 19790.000 19795.000 19800.000 19805.000
0.02
0.04
0.06
0.10
0.20
0....
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
And implement 3 ...
FIFO queue
Dispatcher
time
Shared Event Loop
FIFO queue
Dispatcher
time
e0
Shared Event Loop
FIFO queue
Dispatcher
time
e0
Shared Event Loop
FIFO queue
Dispatcher
time
e1
e0
Shared Event Loop
FIFO queue
Dispatcher
time
e1
e0
Shared Event Loop
FIFO queue
Dispatcher
time
e0
e1
Shared Event Loop
FIFO queue
Dispatcher
time
e0
e1
e2
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1
e2
Shared Event Loop
FIFO queue
Dispatcher
time
e0
e2
e1
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1
e2
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1
e2
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1
e2
e3
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2
e3
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1
e3
e2
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2
e3
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2
e3
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2
e3
e4
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2
e4
e3
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2 e3
e4
Shared Event Loop
FIFO queue
Dispatcher
time
e0 e1 e2 e3 e4
Shared Event Loop
FIFO queue
Dispatcher
time
d0 d1 d2 d3
e0 e1 e2 e3 e4
Shared Event Loop
FIFO queue
Dispatcher
time
Event-delay trace
d0 d1 d2 d3
e0 e1 e2 e3 e4
Shared Event Loop
SYSTEM/INTERNET
HOST PROCESS
SYSTEM/INTERNET
HOST PROCESS
SYSTEM/INTERNET
• NETWORK REQUESTS
• IPC COMMUNICATION
• DISPATCHES USER
ACTIONS
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1 RENDERER 2
tab1 | trusted.com tab 2 |
SHARED BETWEEN
ALL RENDERERS
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1 RENDERER 2
tab1 | trusted.com tab 2 |
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1 RENDERER 2
tab1 | trusted.com tab 2 | evil.com
<script>

function loop () {
save(performance.now());
fetch(new Request("http://0/"))
.catch(loop);
}
loop();
</script>
Ti...
Timing resolution of ~500 μs
With some smarter techniques we obtain <100 μs

(see the paper)
<script>

function loop () {
...
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
tab1 | trusted.com
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
• JAVASCRIPT EXECUTION
• RESOURCE PARSING
• LAYOUT & RENDERING
tab1 | trusted.com
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
iframe |
SHARED BETWEEN
IFRAMES, POPUPS,
MAX #RENDERER
EXCEEDED…
tab1 | trusted.com
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
iframe | evil.co
tab1 | trusted.com
<script>

function loop() {
save(performance.now());
self.postMessage(0, "*");
}
self.onmessage = loop;
loop();
</script>
...
Duration of Events in the Renderer


loop()
GC
scavenge
Mouse
movement
JS event
handlers
μ-arch
events
25 μs 100 μs <1 ms ...
Duration of Events
Responsive code is harder to identify


loop()
GC
scavenge
Mouse
movement
JS event
handlers
μ-arch
even...
LoopScan Tool
https://github.com/cgvwzq/loopscan
Web Page Identification
& Inter-keystroke Timing
Web Page Identification
Monitor the
EventLoop while
page loading
Dynamic Time Warping
DTW is resistant to delays in the occurrence of events
Dynamic Time Warping
DTW is resistant to delays in the occurrence of events
2-4 seconds of
measuring
Dynamic Time Warping
DTW is resistant to delays in the occurrence of events
2-4 seconds of
measuring
One trace for
training
Web Page Identification
500 pages x 30 traces x 3 machines x 2 event loops
Renderer’s main thread:
Host’s I/O thread:
75%
2...
Inter-keystroke Timing
19780.000 19785.000 19790.000 19795.000 19800.000 19805.000
0.02
0.04
0.06
0.10
0.20
0.40
1.00
2.00...
Inter-keystroke Timing
10.000 passwords
90% accuracy
precision: σ = 6.1 ms
Inter-keystroke Timing
More precision than network based attacks.
Less noise than in micro-architectural attacks.
No privi...
Countermeasures
• Reduce clock resolution
• Site Isolation Project
• CPU throttling
• Rate limiting
Countermeasures
• Reduce clock resolution
• Site Isolation Project
• CPU throttling
• Rate limiting
Conclusions
• Shared event loops in Chrome are vulnerable to
timing side-channels
• We systematically study how this chann...
62
Thank you! :)
Questions?
Loophole: Timing Attacks on Shared Event Loops in Chrome
Upcoming SlideShare
Loading in …5
×

of

Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 1 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 2 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 3 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 4 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 5 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 6 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 7 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 8 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 9 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 10 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 11 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 12 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 13 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 14 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 15 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 16 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 17 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 18 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 19 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 20 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 21 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 22 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 23 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 24 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 25 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 26 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 27 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 28 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 29 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 30 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 31 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 32 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 33 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 34 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 35 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 36 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 37 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 38 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 39 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 40 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 41 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 42 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 43 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 44 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 45 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 46 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 47 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 48 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 49 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 50 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 51 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 52 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 53 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 54 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 55 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 56 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 57 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 58 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 59 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 60 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 61 Loophole: Timing Attacks on Shared Event Loops in Chrome Slide 62
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

Loophole: Timing Attacks on Shared Event Loops in Chrome

Download to read offline

Presentation at 26th USENIX Security Symposium

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

Loophole: Timing Attacks on Shared Event Loops in Chrome

  1. 1. Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Köpf vwzq.net @cgvwzq github.com/cgvwzq
  2. 2. EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW
  3. 3. EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW
  4. 4. Source: http://berb.github.io/diploma-thesis/original/042_serverarch.html
  5. 5. We exploit 2 different shared Event Loops in Chrome:
  6. 6. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
  7. 7. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement 3 different attacks:
  8. 8. Page Identification And implement 3 different attacks: We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
  9. 9. And implement 3 different attacks: 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 Inter-keystroke Timing Page Identification We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
  10. 10. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement 3 different attacks: Page Identification Covert Channel 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 Inter-keystroke Timing
  11. 11. FIFO queue Dispatcher time Shared Event Loop
  12. 12. FIFO queue Dispatcher time e0 Shared Event Loop
  13. 13. FIFO queue Dispatcher time e0 Shared Event Loop
  14. 14. FIFO queue Dispatcher time e1 e0 Shared Event Loop
  15. 15. FIFO queue Dispatcher time e1 e0 Shared Event Loop
  16. 16. FIFO queue Dispatcher time e0 e1 Shared Event Loop
  17. 17. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  18. 18. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  19. 19. FIFO queue Dispatcher time e0 e2 e1 Shared Event Loop
  20. 20. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  21. 21. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  22. 22. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  23. 23. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  24. 24. FIFO queue Dispatcher time e0 e1 e3 e2 Shared Event Loop
  25. 25. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  26. 26. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  27. 27. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
  28. 28. FIFO queue Dispatcher time e0 e1 e2 e4 e3 Shared Event Loop
  29. 29. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
  30. 30. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
  31. 31. FIFO queue Dispatcher time d0 d1 d2 d3 e0 e1 e2 e3 e4 Shared Event Loop
  32. 32. FIFO queue Dispatcher time Event-delay trace d0 d1 d2 d3 e0 e1 e2 e3 e4 Shared Event Loop
  33. 33. SYSTEM/INTERNET
  34. 34. HOST PROCESS SYSTEM/INTERNET
  35. 35. HOST PROCESS SYSTEM/INTERNET • NETWORK REQUESTS • IPC COMMUNICATION • DISPATCHES USER ACTIONS
  36. 36. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 | SHARED BETWEEN ALL RENDERERS
  37. 37. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 |
  38. 38. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 | evil.com
  39. 39. <script>
 function loop () { save(performance.now()); fetch(new Request("http://0/")) .catch(loop); } loop(); </script> Timing resolution of ~500 μs Spying on the Host
  40. 40. Timing resolution of ~500 μs With some smarter techniques we obtain <100 μs
 (see the paper) <script>
 function loop () { save(performance.now()); fetch(new Request("http://0/")) .catch(loop); } loop(); </script> Spying on the Host
  41. 41. HOST PROCESS SYSTEM/INTERNET RENDERER 1 tab1 | trusted.com
  42. 42. HOST PROCESS SYSTEM/INTERNET RENDERER 1 • JAVASCRIPT EXECUTION • RESOURCE PARSING • LAYOUT & RENDERING tab1 | trusted.com
  43. 43. HOST PROCESS SYSTEM/INTERNET RENDERER 1 iframe | SHARED BETWEEN IFRAMES, POPUPS, MAX #RENDERER EXCEEDED… tab1 | trusted.com
  44. 44. HOST PROCESS SYSTEM/INTERNET RENDERER 1 iframe | evil.co tab1 | trusted.com
  45. 45. <script>
 function loop() { save(performance.now()); self.postMessage(0, "*"); } self.onmessage = loop; loop(); </script> Timing resolution of <25 μs Spying on the Renderer
  46. 46. Duration of Events in the Renderer 
 loop() GC scavenge Mouse movement JS event handlers μ-arch events 25 μs 100 μs <1 ms >2 ms<5μs
  47. 47. Duration of Events Responsive code is harder to identify 
 loop() GC scavenge Mouse movement JS event handlers μ-arch events 25 μs 100 μs <1 ms >2 ms<5μs
  48. 48. LoopScan Tool https://github.com/cgvwzq/loopscan
  49. 49. Web Page Identification & Inter-keystroke Timing
  50. 50. Web Page Identification Monitor the EventLoop while page loading
  51. 51. Dynamic Time Warping DTW is resistant to delays in the occurrence of events
  52. 52. Dynamic Time Warping DTW is resistant to delays in the occurrence of events 2-4 seconds of measuring
  53. 53. Dynamic Time Warping DTW is resistant to delays in the occurrence of events 2-4 seconds of measuring One trace for training
  54. 54. Web Page Identification 500 pages x 30 traces x 3 machines x 2 event loops Renderer’s main thread: Host’s I/O thread: 75% 23% (Linux desktop) (Macbook Pro) (recognition rates below 5% across machines) R-library and datasets:
 https://github.com/cgvwzq/rlang-loophole
  55. 55. Inter-keystroke Timing 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 We obtain the password length and
 time between consecutive pressed keys
  56. 56. Inter-keystroke Timing 10.000 passwords 90% accuracy precision: σ = 6.1 ms
  57. 57. Inter-keystroke Timing More precision than network based attacks. Less noise than in micro-architectural attacks. No privileges. No training. 10.000 passwords 90% accuracy precision: σ = 6.1 ms
  58. 58. Countermeasures • Reduce clock resolution • Site Isolation Project • CPU throttling • Rate limiting
  59. 59. Countermeasures • Reduce clock resolution • Site Isolation Project • CPU throttling • Rate limiting
  60. 60. Conclusions • Shared event loops in Chrome are vulnerable to timing side-channels • We systematically study how this channel can be used for different attacks • Fundamental design issues that need to be addressed
  61. 61. 62 Thank you! :) Questions?

Presentation at 26th USENIX Security Symposium

Views

Total views

529

On Slideshare

0

From embeds

0

Number of embeds

2

Actions

Downloads

6

Shares

0

Comments

0

Likes

0

×