In Search of Lost Time: A Review of JavaScript Timers in Browsers
JavaScript-based timing attacks have been extensively explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks multiplied in recent years, so did the countermeasures, in a cat-and-mouse game.
In this presentation, we present the evolution and current situation of timing attacks in browsers, as well as statistical tools to characterize the available timers. Our goal is to give a clear view of the attack surface and to identify the main prerequisites and classes of browser-based timing attacks, as well as the main countermeasures. We focus on determining to what extent the changes to timing-based countermeasures affect browser security. In particular, we show that the shift towards protecting against transient execution attacks has re-enabled other attacks, such as microarchitectural side-channel attacks, with a higher bandwidth than was possible just two years ago.
This research was done in collaboration with Clémentine Maurice and Pierre Laperdrix, and was published at the EuroS&P 2021 conference.
Paper: https://people.irisa.fr/Thomas.Rokicki/publications/timer-paper.pdf
Repository: https://github.com/thomasrokicki/in-search-of-lost-time
Variations in computation time can reveal information about the state of a system. Research has uncovered a variety of side and covert channels that allow potential attackers to extract secrets or track user behavior. Timing attacks can target different components of the microarchitecture, e.g., the cache or DRAM, and are purely software-based. These attacks have two common prerequisites: they run code on the victim's hardware, and they rely on high-resolution timers that can distinguish small timing variations on the order of 100 ns. Most timing attacks are implemented in native code, which gives the attacker great control over memory and access to cycle-accurate timers.
In contrast, JavaScript is a high-level, object-oriented, interpreted scripting language following the ECMAScript standard. Contrary to native code, it is much easier to run JavaScript code on a victim's system, as it is a major component of the web, used by billions of people every day. Almost all websites use JavaScript to execute code on the client side, and by visiting a single page, a client can download and execute dozens of different scripts. For security purposes, JavaScript code runs inside a sandboxed environment that restricts access to local files, virtual or physical memory addresses, and native instructions. These restrictions make it harder to implement microarchitectural attacks. However, fully JavaScript-based timing attacks, running entirely in the browser, have been implemented, bypassing the sandbox restrictions. These attacks include cache attacks, attacks on shared software resources, and even transient execution attacks like Spectre.
To try to mitigate JavaScript-based timing attacks, browser vendors have developed countermeasures specifically targeting timers. Notably, they decreased the resolution of timers to make them less precise and introduced jitter to add noise to measurements. Other security features, like site isolation, were added to reinforce browser security and act as a new line of defense against timing attacks. After deploying these countermeasures, browser vendors re-allowed access to high-resolution timers. Amid all these changes, it can be hard to keep track of the different evolutions that browsers have undergone. In particular, it is unclear how the attacks described in the literature are affected by current countermeasures.
In this presentation, we will introduce the various ways to create high-resolution timers in JavaScript. Then, we will present the major classes of browser-based timing attacks, followed by the browser-based countermeasures. Finally, we will evaluate the effectiveness of the successive countermeasures in recent releases of Firefox and Chrome.
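The two timer countermeasures described above, coarsened resolution and added jitter, leave different statistical fingerprints in consecutive timer readings. The following is an added example (not code from the talk or its repository) of a small characterization routine that estimates the effective resolution of a timer and whether its readings look jittered; the 0.05 alignment tolerance and the 0.9 threshold are assumptions chosen for illustration.

```javascript
// Added example: characterize a JavaScript timer from back-to-back readings.
// Runs in a browser or in Node (which exposes a global `performance`).

// Collect `n` consecutive readings of the timer function `now`.
function sampleTimer(now, n) {
  const samples = new Array(n);
  for (let i = 0; i < n; i++) samples[i] = now();
  return samples;
}

// Non-zero differences between consecutive readings (in the timer's unit).
function nonZeroDeltas(samples) {
  const out = [];
  for (let i = 1; i < samples.length; i++) {
    const d = samples[i] - samples[i - 1];
    if (d > 0) out.push(d);
  }
  return out;
}

// Estimate:
//  - resolution: smallest observed tick (the effective timer granularity),
//  - repeated:   fraction of consecutive calls that returned the same value,
//                i.e. how often two readings fall in the same tick,
//  - jittered:   whether the deltas fail to line up on multiples of the
//                smallest tick. A coarsened-but-unjittered clock only ever
//                advances by whole ticks; random jitter breaks that pattern.
function characterize(samples) {
  const d = nonZeroDeltas(samples);
  const intervals = samples.length - 1;
  if (d.length === 0) {
    return { resolution: Infinity, repeated: 1, jittered: false };
  }
  const resolution = Math.min(...d);
  const repeated = (intervals - d.length) / intervals;
  // Assumed tolerance: a delta is "aligned" if it is within 5% of a tick
  // multiple; assumed threshold: fewer than 90% aligned means jitter.
  const aligned = d.filter(x => {
    const k = x / resolution;
    return Math.abs(k - Math.round(k)) < 0.05;
  }).length / d.length;
  return { resolution, repeated, jittered: aligned < 0.9 };
}

// Stand-alone run against the real timer, when one is available.
if (typeof performance !== 'undefined') {
  console.log(characterize(sampleTimer(() => performance.now(), 2000)));
}
```

Reading the report: a large `repeated` fraction with few distinct ticks means the timer has been coarsened, while `jittered: true` indicates random noise was added on top of the coarsening.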
Thomas is a French PhD student at IRISA Rennes, in the SPICY team. I currently work on micro-architectural attacks, particularly JavaScript-based ones.