Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses (2103.04952v1)

Published 8 Mar 2021 in cs.CR

Abstract: The "eternal war in cache" has reached browsers, with multiple cache-based side-channel attacks and countermeasures being suggested. A common approach for countermeasures is to disable or restrict JavaScript features deemed essential for carrying out attacks. To assess the effectiveness of this approach, in this work we seek to identify those JavaScript features which are essential for carrying out a cache-based attack. We develop a sequence of attacks with progressively decreasing dependency on JavaScript features, culminating in the first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets (CSS) and HTML, and works even when script execution is completely blocked. We then show that avoiding JavaScript features makes our techniques architecturally agnostic, resulting in microarchitectural website fingerprinting attacks that work across hardware platforms including Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures. As a final contribution, we evaluate our techniques in hardened browser environments including the Tor browser, Deter-Fox (Cao et al., CCS 2017), and Chrome Zero (Schwartz et al., NDSS 2018). We confirm that none of these approaches completely defend against our attacks. We further argue that the protections of Chrome Zero need to be more comprehensively applied, and that the performance and user experience of Chrome Zero will be severely degraded if this approach is taken.

Authors (6)
  1. Anatoly Shusterman (2 papers)
  2. Ayush Agarwal (11 papers)
  3. Sioli O'Connell (3 papers)
  4. Daniel Genkin (16 papers)
  5. Yossi Oren (7 papers)
  6. Yuval Yarom (25 papers)
Citations (59)

Summary

Overview: Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses

The paper "Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses" explores the challenges of implementing effective browser-based defenses against side-channel attacks that exploit cache mechanisms. The primary focus is on identifying the minimal prerequisites needed to conduct such attacks and evaluating the effectiveness of existing and proposed countermeasures.

Key Contributions

  • JavaScript Independence: One of the most significant findings of the research is the development of an attack methodology that does not rely on JavaScript. The authors successfully employ HTML and CSS alone, showcasing the inadequacy of defenses solely aimed at hardening JavaScript APIs. This highlights the necessity for broader architectural changes for effective defense.
  • Architectural Agnosticism: The research introduces techniques that can successfully mount microarchitectural attacks across diverse CPUs, such as Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures, without requiring specific modifications for each architecture. This shows that the underlying weakness is shared across the tested hardware platforms, challenging the assumption that processor diversity inherently protects against these types of side-channel attacks.
  • Evaluation of Browser Defenses: The effectiveness of several hardened browser environments, including the Tor browser, Chrome Zero, and DeterFox, is assessed. Results indicate that none completely thwart the developed attacks. Notably, the paper argues that Chrome Zero would suffer significant performance and usability degradation if adequate side-channel protections were comprehensively applied.

Strong Numerical Results

The paper includes robust experimental findings showing high closed-world classification accuracy rates for the various attack methods, with some attack techniques achieving top-5 prediction accuracies of over 90% on multiple architectures. Specifically, the cache occupancy and sweep counting attacks, even under browser restrictions, demonstrate persistent leakage of exploitable information.

Implications

Practical Implications

  1. Browser and API Design: This paper suggests browser developers need to rethink JavaScript-centric defenses, as attacks can be mounted even when scripting is entirely blocked. Future security approaches must consider the fundamental microarchitectural sharing of resources that facilitates side-channel attacks.
  2. Security Enhancement of Web Technologies: As HTML and CSS alone can facilitate attacks, revisiting the security paradigms around conventional web technologies may be necessary. Research should explore holistic defenses that address the root causes of cache-based side channels rather than symptomatic API restrictions.

Theoretical Implications

  1. Side-Channel Attack Models: The success of scriptless side-channel attacks invites a reevaluation of existing attack models and highlights the need to broaden the exploration of how low-level architectural features can be leveraged beyond traditional methods.
  2. Microarchitectural Universality: The architectural agnosticism of the side-channel attacks demonstrated in the research suggests that understanding the microarchitectural traits shared by modern processors is of growing importance, broadening the scope of side-channel studies.

Future Directions

The paper inspires several directions for future research: enhancing side-channel defenses through complete architectural redesigns, understanding microarchitectural commonalities across diverse processors, and innovating approaches to secure web browser implementations against non-traditional attack vectors. Further studies could also investigate the integration of hardware-level defenses against microarchitectural side channels and explore alternative secure browser design concepts.

In conclusion, the research underscores significant vulnerabilities within prevailing browser security architectures and challenges existing assumptions about side-channel defenses, illustrating the evolving complexity of digital security in the age of diverse microarchitectural threats.
