Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Loophole
Timing Attacks on Shared Event Loops in Chrome
Pepe Vila
November 22, 2016
Pepe Vila Loophole November 22, 2016 1...
Introduction
Event-driven programming
Event loops
A timing side-channel on event loops
Pepe Vila Loophole November 22, 201...
Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and
server-side
1
http...
Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and
server-side
The flo...
Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and
server-side
The flo...
Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
Pepe Vila Loophole November 22, 2016 4...
Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while...
Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while...
Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while...
Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while...
Introduction: A timing side-channel on event loops
Event loops are susceptible to timing side-channel attacks:
Pepe Vila L...
Introduction: A timing side-channel on event loops
Event loops are susceptible to timing side-channel attacks:
when shared...
Our work (in poetry)
“Loophole”
Exploit a timing side-channel
in the Chrome web browser
to break user privacy
using machin...
Chrome’s architecture
Same Origin Policy (SOP)
Multi-process
Shared event loops
Pepe Vila Loophole November 22, 2016 7 / 22
Chrome’s architecture: Same Origin Policy (SOP)
Central concept in the web security model
Script from a site A can not acc...
Chrome’s architecture: Same Origin Policy (SOP)
Central concept in the web security model
Script from a site A can not acc...
Chrome’s architecture: Multi-process
Multi-process: 1 privileged host — N sandboxed renderers
2
Chrome’s implementation of...
Chrome’s architecture: Multi-process
Multi-process: 1 privileged host — N sandboxed renderers
Each process has multiple th...
Chrome’s architecture: Multi-process
Multi-process: 1 privileged host — N sandboxed renderers
Each process has multiple th...
Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: pro...
Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: pro...
Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: pro...
Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: pro...
Spying on shared event loops
Main thread of a renderer
I/O thread of the host process
Pepe Vila Loophole November 22, 2016...
Spying on shared event loops
Main thread of renderer processes
Pepe Vila Loophole November 22, 2016 12 / 22
Spying on shared event loops
Main thread of renderer processes
runs resource parsing, style calculation, layout, painting ...
Spying on shared event loops
Main thread of renderer processes
runs resource parsing, style calculation, layout, painting ...
Spying on shared event loops
Main thread of renderer processes
runs resource parsing, style calculation, layout, painting ...
Spying on shared event loops: renderer’s main thread
Monitor the event loop from an arbitrary HTML page running Javascript...
Spying on shared event loops: renderer’s main thread
Monitor the event loop from an arbitrary HTML page running Javascript...
Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
function loop () {...
Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
function loop () {...
Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
function loop () {...
Attacks
Covert channel
Web page fingerprinting
User action detection
Pepe Vila Loophole November 22, 2016 15 / 22
Attacks: covert channel
Covert-channel using timing differences
bandwidth of 200 bit/s on same renderer,
and 5 bit/s across...
Attacks: web page fingerprinting
Pepe Vila Loophole November 22, 2016 17 / 22
Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ...
Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ...
Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ...
Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ...
Attacks: web page fingerprinting
Figure: Warping matrix with optimal alignment between two time series
Pepe Vila Loophole N...
Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
Pepe Vila Loophole November 22, 2016 19 ...
Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread...
Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread...
Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread...
Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread...
Attacks: web page fingerprinting
Renderer results: 65%
Figure: Matching rates with best
configuration and multiple tolerance...
Attacks: user action detection
LoopScan tool for visualizing event loops in real-time
“see” mouse movement, scrolling, cli...
Conclusions
Resource sharing is dangerous
It is possible to spy other tabs/pages in the same browser
Machine learning is u...
Conclusions
Resource sharing is dangerous
It is possible to spy other tabs/pages in the same browser
Machine learning is u...
Thank you. Questions?
Pepe Vila Loophole November 22, 2016 22 / 22
Upcoming SlideShare
Loading in …5
×

Loophole: Timing Attacks on Shared Event Loops in Chrome

75 views

Published on

Event-driven programming (EDP) is the prevalent paradigm for graphical user interfaces, web clients, and it is rapidly gaining importance for server-side and network programming. Central components of EDP are event loops, which act as FIFO queues that are used by processes to store and dispatch messages received from other processes. In this talk we demonstrate that shared event loops are vulnerable to side-channel attacks, where a spy process monitors the loop usage pattern of other processes by enqueueing events and measuring the time it takes for them to be dispatched. Specifically, we exhibit attacks against two central event loops in Google's Chrome web browser: that of the I/O thread of the host process, which multiplexes all network events and user actions, and that of the main thread of the renderer processes, which handles rendering and Javascript tasks. For each of these event loops, we demonstrate how the usage pattern can be monitored with high resolution and low overhead, and we show how the extracted information can be leveraged for (1) identifying a web page during the loading phase (where we achieve recognition rates of up to 65% among 500 main pages from Alexa's Top sites), for (2) implementing cross origin covert channels (where we achieve transmission rates of up to 200 bit/s), and for (3) visually identifying user behavior such as mouse movements or keystrokes.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Loophole: Timing Attacks on Shared Event Loops in Chrome

  1. 1. Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila November 22, 2016 Pepe Vila Loophole November 22, 2016 1 / 22
  2. 2. Introduction Event-driven programming Event loops A timing side-channel on event loops Pepe Vila Loophole November 22, 2016 2 / 22
  3. 3. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  4. 4. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  5. 5. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages Examples: Nginx, Node.js or memcached Used for message passing: inter-(thread | process) communication HTML5 standard 1 mandates user agents to use EDP: 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  6. 6. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop Pepe Vila Loophole November 22, 2016 4 / 22
  7. 7. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } Pepe Vila Loophole November 22, 2016 4 / 22
  8. 8. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Pepe Vila Loophole November 22, 2016 4 / 22
  9. 9. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Pepe Vila Loophole November 22, 2016 4 / 22
  10. 10. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Simple concurrency model for programmers Pepe Vila Loophole November 22, 2016 4 / 22
  11. 11. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: Pepe Vila Loophole November 22, 2016 5 / 22
  12. 12. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: when shared between mutually distrusting programs Pepe Vila Loophole November 22, 2016 5 / 22
  13. 13. Our work (in poetry) “Loophole” Exploit a timing side-channel in the Chrome web browser to break user privacy using machine learning techniques - Abraham Lincoln Pepe Vila Loophole November 22, 2016 6 / 22
  14. 14. Chrome’s architecture Same Origin Policy (SOP) Multi-process Shared event loops Pepe Vila Loophole November 22, 2016 7 / 22
  15. 15. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Pepe Vila Loophole November 22, 2016 8 / 22
  16. 16. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Origin 1 Origin 2 http://example.com:8080 http://example.com http://mail.example.com http://app.example.com https://foo.example.com https://foo.example.com https://example.com http://example.com Pepe Vila Loophole November 22, 2016 8 / 22
  17. 17. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  18. 18. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  19. 19. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 DEMO: Chrome’s task manager 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  20. 20. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme Pepe Vila Loophole November 22, 2016 10 / 22
  21. 21. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Pepe Vila Loophole November 22, 2016 10 / 22
  22. 22. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Pepe Vila Loophole November 22, 2016 10 / 22
  23. 23. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Sharing the host process One for all renderers IPC through I/O thread Pepe Vila Loophole November 22, 2016 10 / 22
  24. 24. Spying on shared event loops Main thread of a renderer I/O thread of the host process Pepe Vila Loophole November 22, 2016 11 / 22
  25. 25. Spying on shared event loops Main thread of renderer processes Pepe Vila Loophole November 22, 2016 12 / 22
  26. 26. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks Pepe Vila Loophole November 22, 2016 12 / 22
  27. 27. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Pepe Vila Loophole November 22, 2016 12 / 22
  28. 28. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Some tasks are very fast (<< 0.1 ms). We need high timing resolution. Pepe Vila Loophole November 22, 2016 12 / 22
  29. 29. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task Pepe Vila Loophole November 22, 2016 13 / 22
  30. 30. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task 1 Generates a trace of timing measurements 2 Resolution ≈ 25 µs Pepe Vila Loophole November 22, 2016 13 / 22
  31. 31. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Pepe Vila Loophole November 22, 2016 14 / 22
  32. 32. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms Pepe Vila Loophole November 22, 2016 14 / 22
  33. 33. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms 2 NEW METHOD: We obtain a resolution of < 0.1 ms! :D Pepe Vila Loophole November 22, 2016 14 / 22
  34. 34. Attacks Covert channel Web page fingerprinting User action detection Pepe Vila Loophole November 22, 2016 15 / 22
  35. 35. Attacks: covert channel Covert-channel using timing differences bandwidth of 200 bit/s on same renderer, and 5 bit/s across processes VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI Pepe Vila Loophole November 22, 2016 16 / 22
  36. 36. Attacks: web page fingerprinting Pepe Vila Loophole November 22, 2016 17 / 22
  37. 37. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Pepe Vila Loophole November 22, 2016 17 / 22
  38. 38. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Pepe Vila Loophole November 22, 2016 17 / 22
  39. 39. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Pepe Vila Loophole November 22, 2016 17 / 22
  40. 40. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Cost O(n · m) → We use Lemire’s lower bound. Pepe Vila Loophole November 22, 2016 17 / 22
  41. 41. Attacks: web page fingerprinting Figure: Warping matrix with optimal alignment between two time series Pepe Vila Loophole November 22, 2016 18 / 22
  42. 42. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites Pepe Vila Loophole November 22, 2016 19 / 22
  43. 43. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) Pepe Vila Loophole November 22, 2016 19 / 22
  44. 44. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training Pepe Vila Loophole November 22, 2016 19 / 22
  45. 45. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values Pepe Vila Loophole November 22, 2016 19 / 22
  46. 46. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values k-fold cross-validation Pepe Vila Loophole November 22, 2016 19 / 22
  47. 47. Attacks: web page fingerprinting Renderer results: 65% Figure: Matching rates with best configuration and multiple tolerance Host process results: 25% Figure: Matching rates with multiple configurations and tolerance Pepe Vila Loophole November 22, 2016 20 / 22
  48. 48. Attacks: user action detection LoopScan tool for visualizing event loops in real-time “see” mouse movement, scrolling, clicks or keystrokes in other tabs DEMO: http://vwzq.net/lab/ioloop/monitor.html Pepe Vila Loophole November 22, 2016 21 / 22
  49. 49. Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Pepe Vila Loophole November 22, 2016 22 / 22
  50. 50. Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Future work: - automatize event recognition (online learning) - pattern used by ALL modern browsers - lots of tecnologies relying on event loops Pepe Vila Loophole November 22, 2016 22 / 22
  51. 51. Thank you. Questions? Pepe Vila Loophole November 22, 2016 22 / 22

×