
Issue 508166

Starred by 10 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: ----




Security: Chrome provides high-res timers which allow cache side channel attacks

Project Member Reported by mseaborn@chromium.org, Jul 8 2015

Issue description

High-resolution timers (e.g. nanosecond resolution) allow cache-based side channel attacks, such as those described in the paper "The Spy in the Sandbox -- Practical Cache Attacks in Javascript" (http://arxiv.org/abs/1502.07373).

For example, key press handling code produces a detectable signature of accesses to L3 cache sets. An attacker can use timings to deduce when the user is pressing keys.

For issue 506723, we've reduced the resolution of performance.now() as a mitigation.

However, performance.now() is not the only high-resolution timer available in Chrome on the web. PNaCl also provides one via clock_gettime().

While we could reduce the resolution of clock_gettime() under PNaCl too, that wouldn't help much, because PNaCl allows multi-threading, and it's easy to build your own high-res timer by creating a thread that increments a memory location in a tight loop.

Similar multi-threading support is proposed to be added to Blink soon via Shared Array Buffers, which adds shared-memory concurrency to Javascript Web Workers. See issue 497295, https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/d-0ibJwCS24 and https://www.chromestatus.com/feature/4570991992766464.

Finding a solution is a research problem and may well be infeasible. I doubt this should block Shared Array Buffers, but we should bear it in mind. I'm filing this for completeness (and as requested on issue 506723).

Comment 1 by jln@chromium.org, Jul 8 2015

Cc: jln@chromium.org
Labels: -Type-Bug-Security Cr-Security
Status: Available
I'm removing this from the security bugs list (which is a "do something now" list) and moving it to a security features label.

Comment 2 by i...@oy.ne.ro, Jul 15 2015

Hi, I have a PoC of the "Spy in the Sandbox" attack that works based on Shared Array Buffers instead of via high-resolution timing. Is there any way to upload it here without releasing it to the world-wide web?

@#2: There isn't a way to privately upload the PoC to this issue without making this issue private first. You could create a new private issue, but I don't think that would fit the workflow of those who triage Chrome security issues.

Really, I would recommend that you just make the PoC public.  I think that would help defenders more than attackers.

If an attacker wants to use this attack, they can already implement the technique that's publicly described in your "Spy in the Sandbox" paper.  It would be straightforward to adapt it to use a multi-threaded timer.

Releasing the PoC would make it easier for defenders to judge the degree of the problem and provide more incentive for finding mitigations.

I filed an issue on the SharedArrayBuffers spec: https://github.com/lars-t-hansen/ecmascript_sharedmem/issues/1

Comment 5 by jln@chromium.org, Jul 24 2015

If you wanted to share something privately with Chrome security, you could use security@chromium.org, which is private. Note that it's not private to Google though, some non-Google employees working on security have access there.

However I strongly agree with mseaborn@ that making this public will be more beneficial to security and allow everyone to collaborate on this issue.

Comment 6 by i...@oy.ne.ro, Jul 26 2015

Here's a CodePen that provides a basic high-resolution timer polyfill based on SharedArrayBuffers. Its resolution is on the order of 0.3ns. Tested on Firefox Nightly (built from https://hg.mozilla.org/mozilla-central/rev/72835344333f )

http://codepen.io/yossioren/pen/LVBNMR

Comment 7 by f...@chromium.org, Oct 7 2015

Issue 539390 has been merged into this issue.

Comment 8 by sheriffbot@chromium.org, Oct 6 2016

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue.
The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Re-evaluated successfully by Spectre and Meltdown)))
