Starred by 10 users

Issue metadata

Status: Untriaged
Owner: ----
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: ----


Issue 508166: Security: Chrome provides high-res timers which allow cache side channel attacks

Reported by, Jul 8 2015 Project Member

Issue description

High-resolution timers (e.g. nanosecond resolution) allow cache-based side channel attacks, such as those described in the paper "The Spy in the Sandbox -- Practical Cache Attacks in Javascript" (

For example, key press handling code produces a detectable signature of accesses to L3 cache sets.  An attacker can use timings to deduce when the user is pressing keys.

For issue 506723, we've reduced the resolution of as a mitigation.

However, is not the only high-resolution timer available in Chrome on the web.  PNaCl also provides one via clock_gettime().

While we could reduce the resolution of clock_gettime() under PNaCl too, that wouldn't help much, because PNaCl allows multi-threading, and it's easy to build your own high-res timer by creating a thread that increments a memory location in a tight loop.

Similar multi-threading support is proposed to be added to Blink soon via Shared Array Buffers, which adds shared-memory concurrency to Javascript Web Workers.  See issue 497295, !topic/blink-dev/d-0ibJwCS24 and

Finding a solution is a research problem and may well be infeasible.  I doubt this should block Shared Array Buffers, but we should bear it in mind.  I'm filing this for completeness (and as requested on issue 506723).

Comment 1 by, Jul 8 2015

Labels: -Type-Bug-Security Cr-Security
Status: Available
I'm removing this from the security bugs list (which is a "do something now" list) and moving it to a security features label.

Comment 2 by, Jul 15 2015

Hi, I have a PoC of the "Spy in the Sandbox" attack that works based on Shared Array Buffers instead of via high-resolution timing. Is there any way to upload it here without releasing it to the world-wide web?

Comment 3 by, Jul 18 2015

@#2: There isn't a way to privately upload the PoC to this issue without making this issue private first.  You could create a new private issue, but I don't think that would fit the workflow of those who triage Chrome security issues.

Really, I would recommend that you just make the PoC public.  I think that would help defenders more than attackers.

If an attacker wants to use this attack, they can already implement the technique that's publicly described in your "Spy in the Sandbox" paper.  It would be straightforward to adapt it to use a multi-threaded timer.

Releasing the PoC would make it easier for defenders to judge the degree of the problem and provide more incentive for finding mitigations.

Comment 4 by, Jul 24 2015

I filed an issue on the SharedArrayBuffers spec:

Comment 5 by, Jul 24 2015

If you wanted to share something privately with Chrome security, you could use, which is private. Note that it's not private to Google though, some non-Google employees working on security have access there.

However I strongly agree with mseaborn@ that making this public will be more beneficial to security and allow everyone to collaborate on this issue.

Comment 6 by, Jul 26 2015

Here's a CodePen that provides a basic high-resolution timer polyfill based on SharedArrayBuffers. Its resolution is on the order of 0.3ns. Tested on Firefox Nightly (built from )
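A check a defender can run on the clocks discussed in this thread (the reduced-resolution timer from issue 506723 in the description, and the ~0.3ns figure reported for the polyfill in this comment): an added JavaScript example, not code from the issue thread or the CodePen, that measures the finest step a clock actually exposes and models the coarsening mitigation. The 5 microsecond granularity used below is an assumed value, not one stated in the thread.

```javascript
// Added example (not from the issue thread): measure the effective
// resolution of a clock function, and model the "reduce the resolution"
// mitigation so the two can be compared. Granularities are assumed values.

// Wrap a clock so it only advances in steps of `granularityMs`.
// This models coarsening a timer API such as the one in issue 506723.
function makeCoarseClock(clock, granularityMs) {
  return () => Math.floor(clock() / granularityMs) * granularityMs;
}

// Estimate the finest increment a clock exposes: spin until the reading
// changes, record the smallest positive change, repeat `samples` times.
// `maxSpins` bounds the loop so a clock that stops advancing cannot hang
// the caller; if no change is ever seen, Infinity is returned.
function measureResolutionMs(clock, samples = 100, maxSpins = 1e7) {
  let minDelta = Infinity;
  let prev = clock();
  let changes = 0;
  for (let spins = 0; changes < samples && spins < maxSpins; spins++) {
    const now = clock();
    if (now !== prev) {
      const delta = now - prev;
      if (delta > 0 && delta < minDelta) minDelta = delta;
      prev = now;
      changes++;
    }
  }
  return minDelta;
}

// Stand-alone run against the real high-resolution clock, where one exists
// (browser or Node 16+). The coarsened clock should report a step no finer
// than the assumed 5 microsecond granularity.
if (typeof performance !== 'undefined') {
  const raw = () => performance.now();
  const coarse = makeCoarseClock(raw, 0.005); // assumed 5 microsecond step
  console.log('raw clock step     ~', measureResolutionMs(raw), 'ms');
  console.log('coarsened step     ~', measureResolutionMs(coarse), 'ms');
}
```

The same `measureResolutionMs` can be pointed at any function that returns a monotonically increasing number, which is how a figure like the 0.3ns quoted above is obtained for a polyfill.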

Comment 7 by, Oct 7 2015

Issue 539390 has been merged into this issue.

Comment 8 by, Oct 6 2016 Project Member

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue.
The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue.

For more details visit - Your friendly Sheriffbot

Comment 9 by, Jan 8 2018

Re-evaluated successfully by Spectre and Meltdown)))
