Security: Chrome provides high-res timers which allow cache side channel attacks
Project Member Reported by email@example.com, Jul 8 2015
Jul 8 2015,
I'm removing this from the security bugs list (which is a "do something now" list) and moving it to a security features label.
Jul 15 2015,
Hi, I have a PoC of the "Spy in the Sandbox" attack that works based on Shared Array Buffers instead of via high-resolution timing. Is there any way to upload it here without releasing it to the world-wide web?
Jul 18 2015,
@#2: There isn't a way to privately upload the PoC to this issue without making this issue private first. You could create a new private issue, but I don't think that would fit the workflow of those who triage Chrome security issues. Really, I would recommend that you just make the PoC public. I think that would help defenders more than attackers. If an attacker wants to use this attack, they can already implement the technique that's publicly described in your "Spy in the Sandbox" paper. It would be straightforward to adapt it to use a multi-threaded timer. Releasing the PoC would make it easier for defenders to judge the degree of the problem and provide more incentive for finding mitigations.
Jul 24 2015,
I filed an issue on the SharedArrayBuffers spec: https://github.com/lars-t-hansen/ecmascript_sharedmem/issues/1
Jul 24 2015,
If you wanted to share something privately with Chrome security, you could use firstname.lastname@example.org, which is private. Note that it's not private to Google though, some non-Google employees working on security have access there. However I strongly agree with mseaborn@ that making this public will be more beneficial to security and allow everyone to collaborate on this issue.
Jul 26 2015,
Here's a CodePen that provides a basic high-resolution timer polyfill based on SharedArrayBuffers. Its resolution is on the order of 0.3ns. Tested on Firefox Nightly (built from https://hg.mozilla.org/mozilla-central/rev/72835344333f ) http://codepen.io/yossioren/pen/LVBNMR
Oct 7 2015,
Issue 539390 has been merged into this issue.
Oct 6 2016,
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue. The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 8 2018,
Re-evaluated successfully by Spectre and Meldown)))
Sign in to add a comment