Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event...
Transcript of Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event...
![Page 1: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/1.jpg)
Loophole: Timing Attacks on Shared Event Loops in Chrome
Pepe Vila and Boris Köpf
vwzq.net
@cgvwzq
github.com/cgvwzq
![Page 2: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/2.jpg)
EVENT DRIVEN PROGRAMMING
SO HOT RIGHT NOW
![Page 3: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/3.jpg)
EVENT DRIVEN PROGRAMMING
SO HOT RIGHT NOW
![Page 4: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/4.jpg)
Source: http://berb.github.io/diploma-thesis/original/042_serverarch.html
![Page 5: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/5.jpg)
We exploit 2 different shared Event Loops in Chrome:
![Page 6: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/6.jpg)
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
![Page 7: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/7.jpg)
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
And implement 3 different attacks:
![Page 8: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/8.jpg)
Page Identification
And implement 3 different attacks:
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
![Page 9: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/9.jpg)
And implement 3 different attacks:
19780.000 19785.000 19790.000 19795.000 19800.000 19805.0000.02
0.04
0.06
0.10
0.20
0.40
1.00
2.00
4.00
10.00
Inter-keystroke Timing
Page Identification
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
![Page 10: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/10.jpg)
We exploit 2 different shared Event Loops in Chrome:
I/O’s of the Host Process
Main thread’s of Renderers
And implement 3 different attacks:
Page Identification Covert Channel
19780.000 19785.000 19790.000 19795.000 19800.000 19805.0000.02
0.04
0.06
0.10
0.20
0.40
1.00
2.00
4.00
10.00
Inter-keystroke Timing
![Page 11: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/11.jpg)
![Page 12: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/12.jpg)
FIFO queue
Dispatchertime
Shared Event Loop
![Page 13: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/13.jpg)
FIFO queue
Dispatchertime
e0
Shared Event Loop
![Page 14: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/14.jpg)
FIFO queue
Dispatchertimee0
Shared Event Loop
![Page 15: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/15.jpg)
FIFO queue
Dispatchertime
e1
e0
Shared Event Loop
![Page 16: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/16.jpg)
FIFO queue
Dispatchertime
e1
e0
Shared Event Loop
![Page 17: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/17.jpg)
FIFO queue
Dispatchertime
e0
e1
Shared Event Loop
![Page 18: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/18.jpg)
FIFO queue
Dispatchertime
e0
e1
e2
Shared Event Loop
![Page 19: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/19.jpg)
FIFO queue
Dispatchertime
e0 e1
e2
Shared Event Loop
![Page 20: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/20.jpg)
FIFO queue
Dispatchertime
e0
e2
e1
Shared Event Loop
![Page 21: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/21.jpg)
FIFO queue
Dispatchertime
e0 e1
e2
Shared Event Loop
![Page 22: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/22.jpg)
FIFO queue
Dispatchertime
e0 e1
e2
Shared Event Loop
![Page 23: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/23.jpg)
FIFO queue
Dispatchertime
e0 e1
e2
e3
Shared Event Loop
![Page 24: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/24.jpg)
FIFO queue
Dispatchertime
e0 e1 e2
e3
Shared Event Loop
![Page 25: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/25.jpg)
FIFO queue
Dispatchertime
e0 e1
e3
e2
Shared Event Loop
![Page 26: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/26.jpg)
FIFO queue
Dispatchertime
e0 e1 e2
e3
Shared Event Loop
![Page 27: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/27.jpg)
FIFO queue
Dispatchertime
e0 e1 e2
e3
Shared Event Loop
![Page 28: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/28.jpg)
FIFO queue
Dispatchertime
e0 e1 e2
e3
e4
Shared Event Loop
![Page 29: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/29.jpg)
FIFO queue
Dispatchertime
e0 e1 e2
e4
e3
Shared Event Loop
![Page 30: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/30.jpg)
FIFO queue
Dispatchertime
e0 e1 e2 e3
e4
Shared Event Loop
![Page 31: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/31.jpg)
FIFO queue
Dispatchertime
e0 e1 e2 e3 e4
Shared Event Loop
![Page 32: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/32.jpg)
FIFO queue
Dispatchertime
d0 d1 d2 d3
e0 e1 e2 e3 e4
Shared Event Loop
![Page 33: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/33.jpg)
FIFO queue
Dispatchertime
Event-delay trace
d0 d1 d2 d3
e0 e1 e2 e3 e4
Shared Event Loop
![Page 34: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/34.jpg)
SYSTEM/INTERNET
![Page 35: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/35.jpg)
HOST PROCESS
SYSTEM/INTERNET
![Page 36: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/36.jpg)
HOST PROCESS
SYSTEM/INTERNET
• NETWORK REQUESTS• IPC COMMUNICATION• DISPATCHES USER
ACTIONS
![Page 37: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/37.jpg)
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1 RENDERER 2tab1 | trusted.com tab 2 |
SHARED BETWEEN ALL RENDERERS
![Page 39: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/39.jpg)
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1 RENDERER 2tab1 | trusted.com tab 2 | evil.com
![Page 40: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/40.jpg)
<script> function loop () { save(performance.now()); fetch(new Request("http://0/"))
.catch(loop); } loop(); </script>
Timing resolution of ~500 μs
Spying on the Host
![Page 41: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/41.jpg)
Timing resolution of ~500 μs
With some smarter techniques we obtain <100 μs (see the paper)
<script> function loop () { save(performance.now()); fetch(new Request("http://0/"))
.catch(loop); } loop(); </script>
Spying on the Host
![Page 43: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/43.jpg)
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
• JAVASCRIPT EXECUTION• RESOURCE PARSING• LAYOUT & RENDERING
tab1 | trusted.com
![Page 44: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/44.jpg)
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
iframe |SHARED BETWEEN IFRAMES, POPUPS, MAX #RENDERER EXCEEDED…
tab1 | trusted.com
![Page 45: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/45.jpg)
HOST PROCESS
SYSTEM/INTERNET
RENDERER 1
iframe | evil.co
tab1 | trusted.com
![Page 46: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/46.jpg)
<script> function loop() { save(performance.now()); self.postMessage(0, "*"); } self.onmessage = loop; loop(); </script>
Timing resolution of <25 μs
Spying on the Renderer
![Page 47: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/47.jpg)
Duration of Events in the Renderer
loop()
GC scavenge
Mouse movement
JS event handlers
μ-arch events
25 μs 100 μs <1 ms >2 ms<5μs
![Page 48: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/48.jpg)
Duration of Events
Responsive code is harder to identify
loop()
GC scavenge
Mouse movement
JS event handlers
μ-arch events
25 μs 100 μs <1 ms >2 ms<5μs
![Page 50: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/50.jpg)
Web Page Identification
& Inter-keystroke Timing
![Page 51: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/51.jpg)
Web Page Identification
Monitor the EventLoop while
page loading
![Page 52: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/52.jpg)
Dynamic Time Warping
DTW is resistant to delays in the occurrence of events
![Page 53: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/53.jpg)
Dynamic Time Warping
DTW is resistant to delays in the occurrence of events
2-4 seconds of measuring
![Page 54: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/54.jpg)
Dynamic Time Warping
DTW is resistant to delays in the occurrence of events
2-4 seconds of measuring
One trace for training
![Page 55: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/55.jpg)
Web Page Identification
500 pages x 30 traces x 3 machines x 2 event loops
Renderer’s main thread:
Host’s I/O thread:
75%23%
(Linux desktop)
(Macbook Pro)
(recognition rates below 5% across machines)
R-library and datasets: https://github.com/cgvwzq/rlang-loophole
![Page 56: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/56.jpg)
Inter-keystroke Timing
19780.000 19785.000 19790.000 19795.000 19800.000 19805.0000.02
0.04
0.06
0.10
0.20
0.40
1.00
2.00
4.00
10.00
We obtain the password length and time between consecutive pressed keys
![Page 57: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/57.jpg)
Inter-keystroke Timing
10.000 passwords
90% accuracy
precision: σ = 6.1 ms
![Page 58: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/58.jpg)
Inter-keystroke Timing
More precision than network based attacks.
Less noise than in micro-architectural attacks.
No privileges. No training.
10.000 passwords
90% accuracy
precision: σ = 6.1 ms
![Page 59: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/59.jpg)
Countermeasures
• Reduce clock resolution
• Site Isolation Project
• CPU throttling
• Rate limiting
![Page 60: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/60.jpg)
Countermeasures
• Reduce clock resolution
• Site Isolation Project
• CPU throttling
• Rate limiting
![Page 61: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/61.jpg)
Conclusions
• Shared event loops in Chrome are vulnerable to timing side-channels
• We systematically study how this channel can be used for different attacks
• Fundamental design issues that need to be addressed
![Page 62: Loophole: Timing Attacks on Shared Event Loops in Chrome · We exploit 2 different shared Event Loops in Chrome: I/O’s of the Host Process Main thread’s of Renderers And implement](https://reader034.fdocuments.in/reader034/viewer/2022042320/5f097cde7e708231d4271018/html5/thumbnails/62.jpg)
62
Thank you! :)Questions?