Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Loophole: Timing Attacks on Shared Event Loops in Chrome

46 views

Published on

Event-driven programming (EDP) is the prevalent paradigm for graphical user interfaces, web clients, and it is rapidly gaining importance for server-side and network programming. Central components of EDP are event loops, which act as FIFO queues that are used by processes to store and dispatch messages received from other processes. In this talk we demonstrate that shared event loops are vulnerable to side-channel attacks, where a spy process monitors the loop usage pattern of other processes by enqueueing events and measuring the time it takes for them to be dispatched. Specifically, we exhibit attacks against two central event loops in Google's Chrome web browser: that of the I/O thread of the host process, which multiplexes all network events and user actions, and that of the main thread of the renderer processes, which handles rendering and Javascript tasks. For each of these event loops, we demonstrate how the usage pattern can be monitored with high resolution and low overhead, and we show how the extracted information can be leveraged for (1) identifying a web page during the loading phase (where we achieve recognition rates of up to 65% among 500 main pages from Alexa's Top sites), for (2) implementing cross origin covert channels (where we achieve transmission rates of up to 200 bit/s), and for (3) visually identifying user behavior such as mouse movements or keystrokes.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Loophole: Timing Attacks on Shared Event Loops in Chrome

  1. 1. Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila November 22, 2016 Pepe Vila Loophole November 22, 2016 1 / 22
  2. 2. Introduction Event-driven programming Event loops A timing side-channel on event loops Pepe Vila Loophole November 22, 2016 2 / 22
  3. 3. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  4. 4. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  5. 5. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages Examples: Nginx, Node.js or memcached Used for message passing: inter-(thread | process) communication HTML5 standard 1 mandates user agents to use EDP: 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  6. 6. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop Pepe Vila Loophole November 22, 2016 4 / 22
  7. 7. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } Pepe Vila Loophole November 22, 2016 4 / 22
  8. 8. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Pepe Vila Loophole November 22, 2016 4 / 22
  9. 9. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Pepe Vila Loophole November 22, 2016 4 / 22
  10. 10. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Simple concurrency model for programmers Pepe Vila Loophole November 22, 2016 4 / 22
  11. 11. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: Pepe Vila Loophole November 22, 2016 5 / 22
  12. 12. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: when shared between mutually distrusting programs Pepe Vila Loophole November 22, 2016 5 / 22
  13. 13. Our work (in poetry) “Loophole” Exploit a timing side-channel in the Chrome web browser to break user privacy using machine learning techniques - Abraham Lincoln Pepe Vila Loophole November 22, 2016 6 / 22
  14. 14. Chrome’s architecture Same Origin Policy (SOP) Multi-process Shared event loops Pepe Vila Loophole November 22, 2016 7 / 22
  15. 15. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Pepe Vila Loophole November 22, 2016 8 / 22
  16. 16. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Origin 1 Origin 2 http://example.com:8080 http://example.com http://mail.example.com http://app.example.com https://foo.example.com https://foo.example.com https://example.com http://example.com Pepe Vila Loophole November 22, 2016 8 / 22
  17. 17. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  18. 18. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  19. 19. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 DEMO: Chrome’s task manager 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  20. 20. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme Pepe Vila Loophole November 22, 2016 10 / 22
  21. 21. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Pepe Vila Loophole November 22, 2016 10 / 22
  22. 22. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Pepe Vila Loophole November 22, 2016 10 / 22
  23. 23. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Sharing the host process One for all renderers IPC through I/O thread Pepe Vila Loophole November 22, 2016 10 / 22
  24. 24. Spying on shared event loops Main thread of a renderer I/O thread of the host process Pepe Vila Loophole November 22, 2016 11 / 22
  25. 25. Spying on shared event loops Main thread of renderer processes Pepe Vila Loophole November 22, 2016 12 / 22
  26. 26. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks Pepe Vila Loophole November 22, 2016 12 / 22
  27. 27. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Pepe Vila Loophole November 22, 2016 12 / 22
  28. 28. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Some tasks are very fast (<< 0.1 ms). We need high timing resolution. Pepe Vila Loophole November 22, 2016 12 / 22
  29. 29. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task Pepe Vila Loophole November 22, 2016 13 / 22
  30. 30. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task 1 Generates a trace of timing measurements 2 Resolution ≈ 25 µs Pepe Vila Loophole November 22, 2016 13 / 22
  31. 31. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Pepe Vila Loophole November 22, 2016 14 / 22
  32. 32. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms Pepe Vila Loophole November 22, 2016 14 / 22
  33. 33. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms 2 NEW METHOD: We obtain a resolution of < 0.1 ms! :D Pepe Vila Loophole November 22, 2016 14 / 22
  34. 34. Attacks Covert channel Web page fingerprinting User action detection Pepe Vila Loophole November 22, 2016 15 / 22
  35. 35. Attacks: covert channel Covert-channel using timing differences bandwidth of 200 bit/s on same renderer, and 5 bit/s across processes VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI Pepe Vila Loophole November 22, 2016 16 / 22
  36. 36. Attacks: web page fingerprinting Pepe Vila Loophole November 22, 2016 17 / 22
  37. 37. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Pepe Vila Loophole November 22, 2016 17 / 22
  38. 38. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Pepe Vila Loophole November 22, 2016 17 / 22
  39. 39. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Pepe Vila Loophole November 22, 2016 17 / 22
  40. 40. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Cost O(n · m) → We use Lemire’s lower bound. Pepe Vila Loophole November 22, 2016 17 / 22
  41. 41. Attacks: web page fingerprinting Figure: Warping matrix with optimal alignment between two time series Pepe Vila Loophole November 22, 2016 18 / 22
  42. 42. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites Pepe Vila Loophole November 22, 2016 19 / 22
  43. 43. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) Pepe Vila Loophole November 22, 2016 19 / 22
  44. 44. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training Pepe Vila Loophole November 22, 2016 19 / 22
  45. 45. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values Pepe Vila Loophole November 22, 2016 19 / 22
  46. 46. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values k-fold cross-validation Pepe Vila Loophole November 22, 2016 19 / 22
  47. 47. Attacks: web page fingerprinting Renderer results: 65% Figure: Matching rates with best configuration and multiple tolerance Host process results: 25% Figure: Matching rates with multiple configurations and tolerance Pepe Vila Loophole November 22, 2016 20 / 22
  48. 48. Attacks: user action detection LoopScan tool for visualizing event loops in real-time “see” mouse movement, scrolling, clicks or keystrokes in other tabs DEMO: http://vwzq.net/lab/ioloop/monitor.html Pepe Vila Loophole November 22, 2016 21 / 22
  49. 49. Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Pepe Vila Loophole November 22, 2016 22 / 22
  50. 50. Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Future work: - automatize event recognition (online learning) - pattern used by ALL modern browsers - lots of tecnologies relying on event loops Pepe Vila Loophole November 22, 2016 22 / 22
  51. 51. Thank you. Questions? Pepe Vila Loophole November 22, 2016 22 / 22

×