Loophole - Timing Attacks on Shared Event Loops in Chrome
Pepe Vila
November 22, 2016
Pepe Vila Loophole November 22, 2016 1 / 22
Introduction
Event-driven programming
Event loops
A timing side-channel on event loops
Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and server-side
The flow of the program is determined by events or messages
Examples:
Nginx, Node.js or memcached
Used for message passing: inter-(thread | process) communication
HTML5 standard [1] mandates user agents to use EDP:
[1] https://html.spec.whatwg.org/#event-loop
Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
    Q = [];
    while (true) {
        M = Q.shift(); // dequeue
        process(M);
    }
If queue is empty, waits until an event arrives
Blocking operations (e.g., database and network requests) are dealt with asynchronously
Simple concurrency model for programmers
Introduction: A timing side-channel on event loops
Event loops are susceptible to timing side-channel attacks:
when shared between mutually distrusting programs
Our work (in poetry)
“Loophole”
Exploit a timing side-channel
in the Chrome web browser
to break user privacy
using machine learning techniques
- Abraham Lincoln
Chrome’s architecture
Same Origin Policy (SOP)
Multi-process
Shared event loops
Chrome’s architecture: Same Origin Policy (SOP)
Central concept in the web security model
A script from site A cannot access data from site V if the origins differ:
Origin := (scheme, domain, port)

Origin 1                    Origin 2
http://example.com:8080     http://example.com
http://mail.example.com     http://app.example.com
https://foo.example.com     https://foo.example.com
https://example.com         http://example.com
Chrome’s architecture: Multi-process
Multi-process: 1 privileged host — N sandboxed renderers
Each process has multiple threads. Each thread has one message loop [2]
DEMO: Chrome’s task manager
[2] Chrome’s implementation of an event loop
Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes (default: process-per-site-instance)
A Site is a registered domain plus a scheme (different than SOP)
Sharing the renderer
- When using iframes, linked navigation or |processes| > T
- T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more
Sharing the host process
- One for all renderers
- IPC through I/O thread
Spying on shared event loops
Main thread of a renderer
I/O thread of the host process
Spying on shared event loops
Main thread of renderer processes
- runs resource parsing, style calculation, layout, painting and Javascript
- each task blocks the event loop for a while
- when 2 pages share the process, the main thread’s event loop is shared
- A can eavesdrop information from V’s tasks
I/O thread of the host process
- manages IPC with all children renderers
- demultiplexes all UI events to each corresponding renderer
- multiplexes all network requests from renderers
- each task/message/event also blocks the event loop
Some tasks are very fast (<< 0.1 ms). We need high timing resolution.
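Why a shared FIFO loop leaks task timing, as an added simulation that is not code from the talk: a self-reposting monitor task and another page's tasks go through one queue, and the gaps in the monitor's timestamps equal the time the other page's tasks blocked the loop. The virtual clock, the 25 µs monitor cost, the workload and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not code from the talk: one FIFO event loop modelled
// with a virtual clock in microseconds (no real timers, so it is deterministic).
// All names below are hypothetical.

const MONITOR_COST_US = 25; // assumed cost of one monitor task, in µs

// tenantTasks: constructed list of { at, cost } = enqueue time and blocking
// time (µs) of tasks posted by another page that shares this loop.
// Returns the virtual times at which the self-reposting monitor task ran.
function simulateLoop(tenantTasks, untilUs) {
  const arrivals = [...tenantTasks].sort((a, b) => a.at - b.at);
  const queue = [{ monitor: true, cost: MONITOR_COST_US }];
  const trace = [];
  let now = 0;

  while (now < untilUs) {
    const task = queue.shift();   // dequeue, as in the dispatcher pseudocode
    if (task.monitor) {
      trace.push(now);            // stands in for save(performance.now())
      queue.push(task);           // stands in for the re-posted message
    }
    now += task.cost;             // a running task blocks everything behind it
    // Tasks that arrived while the loop was blocked join the back of the queue.
    while (arrivals.length > 0 && arrivals[0].at <= now) {
      queue.push({ monitor: false, cost: arrivals.shift().cost });
    }
  }
  return trace;
}

// Every gap between monitor timestamps beyond the monitor's own cost is time
// the loop spent running somebody else's task.
function foreignBusyTime(trace) {
  const busy = [];
  for (let i = 1; i < trace.length; i++) {
    const extra = trace[i] - trace[i - 1] - MONITOR_COST_US;
    if (extra > 0) busy.push({ at: trace[i - 1], blockedUs: extra });
  }
  return busy;
}

// Constructed workload: the other page runs a 300 µs and a 1200 µs task.
const otherPage = [{ at: 1000, cost: 300 }, { at: 5000, cost: 1200 }];

// Shared loop: the trace shows when and for how long the other page ran.
const sharedView = foreignBusyTime(simulateLoop(otherPage, 10000));
// Separate loops: the same monitor sees only its own tasks.
const isolatedView = foreignBusyTime(simulateLoop([], 10000));

console.log('shared loop  :', JSON.stringify(sharedView));
console.log('separate loop:', JSON.stringify(isolatedView));
```

With separate loops the trace is flat, which is the isolation property that process sharing removes.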
Spying on shared event loops: renderer’s main thread
Monitor the event loop from an arbitrary HTML page running Javascript:
    const trace = [];                  // collected timestamps
    const save = (t) => trace.push(t);

    function loop() {
        save(performance.now());       // high-resolution timestamp
        self.postMessage(0, '*');      // recursive invocation (posts the next task)
    }
    self.onmessage = loop;             // set event handler
    self.postMessage(0, '*');          // post first async task

1. Generates a trace of timing measurements
2. Resolution ≈ 25 µs
Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
    const trace = [];                  // collected timestamps
    const save = (t) => trace.push(t);

    function loop() {
        save(performance.now());
        // the request fails and the catch callback re-enters loop()
        fetch(new Request('http://0.0.0.0')).catch(loop);
    }
    loop();

Performs an invalid network request. The task is posted into the I/O event loop to be processed asynchronously. It fails quickly and triggers our “catch” callback.
1. Resolution ≈ 0.5 ms
2. NEW METHOD: We obtain a resolution of < 0.1 ms! :D
Attacks
Covert channel
Web page fingerprinting
User action detection
Attacks: covert channel
Covert-channel using timing differences
bandwidth of 200 bit/s on same renderer,
and 5 bit/s across processes
VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI
Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: $X = (x_1, \ldots, x_n)$ and $Y = (y_1, \ldots, y_m)$
Robust to horizontal compressions and stretches (warping)
Computes cross-distance matrix: $M(i, j) = f(x_i, y_j) \geq 0$
Find optimal alignment $\phi$ such that:
$$\mathrm{DTW}(X, Y) = \min_{\phi} d_{\phi}(X, Y)$$
Cost $O(n \cdot m)$ → We use Lemire’s lower bound.
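The DTW definition above, worked through as an added JavaScript example (not code from the talk): `dtw` fills the cross-distance matrix inside a warping window, and `nearest` avoids full O(n·m) computations by checking a cheap lower bound first. Assumptions: local cost f(x, y) = |x − y|, a window w, equal-length series, and LB_Keogh, a simpler envelope-based lower bound, used here in place of the Lemire bound the slide names; the series and all function names are constructed for illustration.

```javascript
// Added example, not code from the talk. Assumptions: local cost
// f(x, y) = |x - y|, a warping window w, equal-length series, and LB_Keogh
// standing in for the Lemire bound. All names are hypothetical.

// DTW(X, Y): cheapest monotone alignment through the cross-distance matrix,
// restricted to cells with |i - j| <= w. O(n*m) time, two rows of memory.
function dtw(x, y, w = Infinity) {
  const n = x.length, m = y.length;
  const band = Math.max(w, Math.abs(n - m)); // the window must reach cell (n, m)
  let prev = new Array(m + 1).fill(Infinity);
  prev[0] = 0;
  for (let i = 1; i <= n; i++) {
    const cur = new Array(m + 1).fill(Infinity);
    const lo = Math.max(1, i - band);
    const hi = Math.min(m, i + band);
    for (let j = lo; j <= hi; j++) {
      const cost = Math.abs(x[i - 1] - y[j - 1]);           // M(i, j)
      cur[j] = cost + Math.min(prev[j], cur[j - 1], prev[j - 1]);
    }
    prev = cur;
  }
  return prev[m];
}

// LB_Keogh: lower bound on dtw(query, candidate, w). Build the envelope
// [lower, upper] of the query over the window and sum how far the candidate
// falls outside it. This naive version costs O(n*w).
function lbKeogh(query, candidate, w) {
  if (query.length !== candidate.length) {
    throw new RangeError('LB_Keogh needs series of equal length');
  }
  let bound = 0;
  for (let i = 0; i < query.length; i++) {
    const slice = query.slice(Math.max(0, i - w), i + w + 1);
    const upper = Math.max(...slice);
    const lower = Math.min(...slice);
    if (candidate[i] > upper) bound += candidate[i] - upper;
    else if (candidate[i] < lower) bound += lower - candidate[i];
  }
  return bound;
}

// 1-nearest-neighbour search: visit references in order of their lower bound
// and stop as soon as the bound cannot beat the best DTW distance found.
function nearest(query, references, w) {
  const ranked = references
    .map((ref) => ({ ...ref, bound: lbKeogh(query, ref.series, w) }))
    .sort((a, b) => a.bound - b.bound);
  let best = { label: null, distance: Infinity };
  let fullComputations = 0;
  for (const ref of ranked) {
    if (ref.bound >= best.distance) break;   // every remaining bound is larger
    fullComputations++;
    const distance = dtw(query, ref.series, w);
    if (distance < best.distance) best = { label: ref.label, distance };
  }
  return { ...best, pruned: ranked.length - fullComputations };
}

// Constructed series: the query is reference A with its spike one step later
// plus a little noise; a lock-step (pointwise) distance cannot tell A from B.
const references = [
  { label: 'A', series: [0, 0, 5, 0, 0, 0, 0, 0] },
  { label: 'B', series: [0, 0, 0, 0, 0, 5, 0, 0] },
  { label: 'C', series: [0, 2, 2, 2, 2, 2, 2, 0] },
];
const query = [0, 0, 0, 5, 1, 0, 0, 0];
const pointwise = (x, y) => x.reduce((s, v, i) => s + Math.abs(v - y[i]), 0);

console.log('pointwise:', references.map((r) => pointwise(query, r.series)));
console.log('DTW (w=1):', references.map((r) => dtw(query, r.series, 1)));
console.log('nearest  :', nearest(query, references, 1));
```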
Attacks: web page fingerprinting
Figure: Warping matrix with optimal alignment between two time series
Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread)
6 traces × page (monitoring IO thread)
only ONE sample for training
testing multiple configuration values
k-fold cross-validation
Attacks: web page fingerprinting
Renderer results: 65%
Figure: Matching rates with best configuration and multiple tolerance
Host process results: 25%
Figure: Matching rates with multiple configurations and tolerance
Attacks: user action detection
LoopScan tool for visualizing event loops in real-time
“see” mouse movement, scrolling, clicks or keystrokes in other tabs
DEMO: http://vwzq.net/lab/ioloop/monitor.html
Conclusions
Resource sharing is dangerous
It is possible to spy on other tabs/pages in the same browser
Machine learning is useful for side-channel attacks
Future work:
- automate event recognition (online learning)
- pattern used by ALL modern browsers
- lots of technologies relying on event loops
Thank you. Questions?