The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications

@article{Oren2015TheSI,
  title={The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications},
  author={Yossef Oren and Vasileios P. Kemerlis and Simha Sethumadhavan and Angelos D. Keromytis},
  journal={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
  year={2015}
}
  • Y. Oren, V. P. Kemerlis, S. Sethumadhavan, A. Keromytis
  • Published 25 February 2015
  • Computer Science
  • Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
We present a micro-architectural side-channel attack that runs entirely in the browser. In contrast to previous work in this genre, our attack does not require the attacker to install software on the victim's machine; to facilitate the attack, the victim needs only to browse to an untrusted webpage that contains attacker-controlled content. This makes our attack model highly scalable, and extremely relevant and practical to today's Web, as most desktop browsers currently used to access the…
Malware Guard Extension: abusing Intel SGX to conceal cache attacks
TLDR
This paper demonstrates fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves and is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself.
Practical Memory Deduplication Attacks in Sandboxed Javascript
TLDR
This work presents the first memory-disclosure attack in sandboxed Javascript which exploits page deduplication, and is not only able to determine which applications are running, but also specific user activities, for instance, whether the user has specific websites currently opened.
Deterministic Browser
TLDR
A novel approach, called deterministic browser, is proposed, which can provably prevent timing attacks in modern browsers; a prototype called DeterFox is implemented, and the evaluation shows that the prototype can defend against browser-related timing attacks.
Throwhammer: Rowhammer Attacks over the Network and Defenses
TLDR
This paper shows that an attacker can trigger and exploit Rowhammer bit flips directly from a remote machine by only sending network packets, and proposes protecting unmodified applications with a new buffer allocator that is capable of fine-grained memory isolation in the DRAM address space.
The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
TLDR
A new way to parallelize Bleichenbacher-like padding attacks by exploiting any available number of TLS servers that share the same public key certificate is described, which can be of independent interest, speeding up and facilitating other side channel attacks on RSA implementations.
Keep the PokerFace on! Thwarting cache side channel attacks by memory bus monitoring and cache obfuscation
TLDR
This approach allows us to identify suspicious cache accesses automatically, without prior knowledge about the system or access to hardware metrics, and show that it is practically useful against a variety of cache timing attacks.
Request and Conquer: Exposing Cross-Origin Resource Size
TLDR
This in-depth analysis finds several design flaws in the storage mechanisms of browsers, which allow an adversary to expose the exact size of any resource in mere seconds, and reports on a novel size-exposing technique against Wi-Fi networks.
Practical Keystroke Timing Attacks in Sandboxed JavaScript (updated)
Keystrokes trigger interrupts which can be detected through software side channels to reconstruct keystroke timings. Keystroke timing attacks use these side channels to infer typed words,…
SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers
TLDR
It is shown that the shift in protecting against transient execution attacks has re-enabled other attacks such as microarchitectural side-channel attacks with a higher bandwidth than what was possible just two years ago.
Dragonblood is Still Leaking: Practical Cache-based Side-Channel in the Wild
TLDR
This work took advantage of state-of-the-art techniques to extend the original attack, demonstrating that it is able to recover the password with only a third of the measurements needed in the Dragonblood attack, and advises the use of a branch-free implementation as a mitigation technique, as was used in hostapd.

References

SHOWING 1-10 OF 49 REFERENCES
Cache Attacks and Countermeasures: The Case of AES
TLDR
An extremely strong type of attack is demonstrated, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache.
FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack
TLDR
This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in the Intel X86 processors to monitor access to memory lines in shared pages and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
Cross-VM side channels and their use to extract private keys
TLDR
This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.
Cross-Tenant Side-Channel Attacks in PaaS Clouds
TLDR
These attacks are the first granular, cross-tenant, side-channel attacks successfully demonstrated on state-of-the-art commercial clouds, PaaS or otherwise.
All Your iFRAMEs Point to Us
TLDR
The relationship between the user browsing habits and exposure to malware, the techniques used to lure the user into the malware distribution networks, and the different properties of these networks are studied.
Memento: Learning Secrets from Process Footprints
TLDR
This work shows how an unprivileged, local attack process - for example, a malicious Android app - can infer which page the user is browsing, as well as finer-grained information: whether she is a paid customer, her interests, etc.
Wait a Minute! A fast, Cross-VM Attack on AES
TLDR
The results of this study show that there is a great security risk to the OpenSSL AES implementation running on VMware cloud services when the deduplication is not disabled.
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
TLDR
It is found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search, suggesting the scope of the problem seems industry-wide.
C5: Cross-Cores Cache Covert Channel
TLDR
C5 is built, a covert channel that tackles addressing uncertainty without requiring any shared memory, making the covert channel fast and practical and one order of magnitude above previous cache-based covert channels in the same setup.
Last-Level Cache Side-Channel Attacks are Practical
TLDR
This work presents an effective implementation of the Prime+Probe side-channel attack against the last-level cache of GnuPG, and achieves a high attack resolution without relying on weaknesses in the OS or virtual machine monitor or on sharing memory between attacker and victim.