Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Loophole: Timing Attacks on Shared Event Loops in Chrome

325 views

Published on

Presentation at 26th USENIX Security Symposium

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Loophole: Timing Attacks on Shared Event Loops in Chrome

  1. 1. Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Köpf vwzq.net @cgvwzq github.com/cgvwzq
  2. 2. EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW
  3. 3. EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW
  4. 4. Source: http://berb.github.io/diploma-thesis/original/042_serverarch.html
  5. 5. We exploit 2 different shared Event Loops in Chrome:
  6. 6. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
  7. 7. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement 3 different attacks:
  8. 8. Page Identification And implement 3 different attacks: We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
  9. 9. And implement 3 different attacks: 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 Inter-keystroke Timing Page Identification We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers
  10. 10. We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement 3 different attacks: Page Identification Covert Channel 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 Inter-keystroke Timing
  11. 11. FIFO queue Dispatcher time Shared Event Loop
  12. 12. FIFO queue Dispatcher time e0 Shared Event Loop
  13. 13. FIFO queue Dispatcher time e0 Shared Event Loop
  14. 14. FIFO queue Dispatcher time e1 e0 Shared Event Loop
  15. 15. FIFO queue Dispatcher time e1 e0 Shared Event Loop
  16. 16. FIFO queue Dispatcher time e0 e1 Shared Event Loop
  17. 17. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  18. 18. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  19. 19. FIFO queue Dispatcher time e0 e2 e1 Shared Event Loop
  20. 20. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  21. 21. FIFO queue Dispatcher time e0 e1 e2 Shared Event Loop
  22. 22. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  23. 23. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  24. 24. FIFO queue Dispatcher time e0 e1 e3 e2 Shared Event Loop
  25. 25. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  26. 26. FIFO queue Dispatcher time e0 e1 e2 e3 Shared Event Loop
  27. 27. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
  28. 28. FIFO queue Dispatcher time e0 e1 e2 e4 e3 Shared Event Loop
  29. 29. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
  30. 30. FIFO queue Dispatcher time e0 e1 e2 e3 e4 Shared Event Loop
  31. 31. FIFO queue Dispatcher time d0 d1 d2 d3 e0 e1 e2 e3 e4 Shared Event Loop
  32. 32. FIFO queue Dispatcher time Event-delay trace d0 d1 d2 d3 e0 e1 e2 e3 e4 Shared Event Loop
  33. 33. SYSTEM/INTERNET
  34. 34. HOST PROCESS SYSTEM/INTERNET
  35. 35. HOST PROCESS SYSTEM/INTERNET • NETWORK REQUESTS • IPC COMMUNICATION • DISPATCHES USER ACTIONS
  36. 36. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 | SHARED BETWEEN ALL RENDERERS
  37. 37. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 |
  38. 38. HOST PROCESS SYSTEM/INTERNET RENDERER 1 RENDERER 2 tab1 | trusted.com tab 2 | evil.com
  39. 39. <script>
 function loop () { save(performance.now()); fetch(new Request("http://0/")) .catch(loop); } loop(); </script> Timing resolution of ~500 μs Spying on the Host
  40. 40. Timing resolution of ~500 μs With some smarter techniques we obtain <100 μs
 (see the paper) <script>
 function loop () { save(performance.now()); fetch(new Request("http://0/")) .catch(loop); } loop(); </script> Spying on the Host
  41. 41. HOST PROCESS SYSTEM/INTERNET RENDERER 1 tab1 | trusted.com
  42. 42. HOST PROCESS SYSTEM/INTERNET RENDERER 1 • JAVASCRIPT EXECUTION • RESOURCE PARSING • LAYOUT & RENDERING tab1 | trusted.com
  43. 43. HOST PROCESS SYSTEM/INTERNET RENDERER 1 iframe | SHARED BETWEEN IFRAMES, POPUPS, MAX #RENDERER EXCEEDED… tab1 | trusted.com
  44. 44. HOST PROCESS SYSTEM/INTERNET RENDERER 1 iframe | evil.co tab1 | trusted.com
  45. 45. <script>
 function loop() { save(performance.now()); self.postMessage(0, "*"); } self.onmessage = loop; loop(); </script> Timing resolution of <25 μs Spying on the Renderer
  46. 46. Duration of Events in the Renderer 
 loop() GC scavenge Mouse movement JS event handlers μ-arch events 25 μs 100 μs <1 ms >2 ms<5μs
  47. 47. Duration of Events Responsive code is harder to identify 
 loop() GC scavenge Mouse movement JS event handlers μ-arch events 25 μs 100 μs <1 ms >2 ms<5μs
  48. 48. LoopScan Tool https://github.com/cgvwzq/loopscan
  49. 49. Web Page Identification & Inter-keystroke Timing
  50. 50. Web Page Identification Monitor the EventLoop while page loading
  51. 51. Dynamic Time Warping DTW is resistant to delays in the occurrence of events
  52. 52. Dynamic Time Warping DTW is resistant to delays in the occurrence of events 2-4 seconds of measuring
  53. 53. Dynamic Time Warping DTW is resistant to delays in the occurrence of events 2-4 seconds of measuring One trace for training
  54. 54. Web Page Identification 500 pages x 30 traces x 3 machines x 2 event loops Renderer’s main thread: Host’s I/O thread: 75% 23% (Linux desktop) (Macbook Pro) (recognition rates below 5% across machines) R-library and datasets:
 https://github.com/cgvwzq/rlang-loophole
  55. 55. Inter-keystroke Timing 19780.000 19785.000 19790.000 19795.000 19800.000 19805.000 0.02 0.04 0.06 0.10 0.20 0.40 1.00 2.00 4.00 10.00 We obtain the password length and
 time between consecutive pressed keys
  56. 56. Inter-keystroke Timing 10.000 passwords 90% accuracy precision: σ = 6.1 ms
  57. 57. Inter-keystroke Timing More precision than network based attacks. Less noise than in micro-architectural attacks. No privileges. No training. 10.000 passwords 90% accuracy precision: σ = 6.1 ms
  58. 58. Countermeasures • Reduce clock resolution • Site Isolation Project • CPU throttling • Rate limiting
  59. 59. Countermeasures • Reduce clock resolution • Site Isolation Project • CPU throttling • Rate limiting
  60. 60. Conclusions • Shared event loops in Chrome are vulnerable to timing side-channels • We systematically study how this channel can be used for different attacks • Fundamental design issues that need to be addressed
  61. 61. 62 Thank you! :) Questions?

×