Event-driven programming (EDP) is the prevalent paradigm for graphical user interfaces, web clients, and it is rapidly gaining importance for server-side and network programming. Central components of EDP are event loops, which act as FIFO queues that are used by processes to store and dispatch messages received from other processes. In this talk we demonstrate that shared event loops are vulnerable to side-channel attacks, where a spy process monitors the loop usage pattern of other processes by enqueueing events and measuring the time it takes for them to be dispatched. Specifically, we exhibit attacks against two central event loops in Google's Chrome web browser: that of the I/O thread of the host process, which multiplexes all network events and user actions, and that of the main thread of the renderer processes, which handles rendering and Javascript tasks. For each of these event loops, we demonstrate how the usage pattern can be monitored with high resolution and low overhead, and we show how the extracted information can be leveraged for (1) identifying a web page during the loading phase (where we achieve recognition rates of up to 65% among 500 main pages from Alexa's Top sites), for (2) implementing cross origin covert channels (where we achieve transmission rates of up to 200 bit/s), and for (3) visually identifying user behavior such as mouse movements or keystrokes.
3. Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and
server-side
1
https://html.spec.whatwg.org/#event-loop
Pepe Vila Loophole November 22, 2016 3 / 22
4. Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and
server-side
The flow of the program is determined by events or messages
1
https://html.spec.whatwg.org/#event-loop
Pepe Vila Loophole November 22, 2016 3 / 22
5. Introduction: Event-driven programming
EDP is a programming paradigm for GUI, web clients, networks and
server-side
The flow of the program is determined by events or messages
Examples:
Nginx, Node.js or memcached
Used for message passing: inter-(thread | process) communication
HTML5 standard 1 mandates user agents to use EDP:
1
https://html.spec.whatwg.org/#event-loop
Pepe Vila Loophole November 22, 2016 3 / 22
6. Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
Pepe Vila Loophole November 22, 2016 4 / 22
7. Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while (true) {
M = Q.shift (); // dequeue
process(M);
}
Pepe Vila Loophole November 22, 2016 4 / 22
8. Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while (true) {
M = Q.shift (); // dequeue
process(M);
}
If queue is empty, waits until an event arrives
Pepe Vila Loophole November 22, 2016 4 / 22
9. Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while (true) {
M = Q.shift (); // dequeue
process(M);
}
If queue is empty, waits until an event arrives
Blocking operations (e.g., database and network requests) are dealt
with asynchronously
Pepe Vila Loophole November 22, 2016 4 / 22
10. Introduction: Event loops
Event loop, message dispatcher, message loop, or run loop
FIFO queue & dispatcher:
Q = [];
while (true) {
M = Q.shift (); // dequeue
process(M);
}
If queue is empty, waits until an event arrives
Blocking operations (e.g., database and network requests) are dealt
with asynchronously
Simple concurrency model for programmers
Pepe Vila Loophole November 22, 2016 4 / 22
11. Introduction: A timing side-channel on event loops
Event loops are susceptible to timing side-channel attacks:
Pepe Vila Loophole November 22, 2016 5 / 22
12. Introduction: A timing side-channel on event loops
Event loops are susceptible to timing side-channel attacks:
when shared between mutually distrusting programs
Pepe Vila Loophole November 22, 2016 5 / 22
13. Our work (in poetry)
“Loophole”
Exploit a timing side-channel
in the Chrome web browser
to break user privacy
using machine learning techniques
- Abraham Lincoln
Pepe Vila Loophole November 22, 2016 6 / 22
15. Chrome’s architecture: Same Origin Policy (SOP)
Central concept in the web security model
Script from a site A can not access data from site V if origins differ:
Origin := (scheme, domain, port )
Pepe Vila Loophole November 22, 2016 8 / 22
16. Chrome’s architecture: Same Origin Policy (SOP)
Central concept in the web security model
Script from a site A can not access data from site V if origins differ:
Origin := (scheme, domain, port )
Origin 1 Origin 2
http://example.com:8080 http://example.com
http://mail.example.com http://app.example.com
https://foo.example.com https://foo.example.com
https://example.com http://example.com
Pepe Vila Loophole November 22, 2016 8 / 22
18. Chrome’s architecture: Multi-process
Multi-process: 1 privileged host — N sandboxed renderers
Each process has multiple threads. Each thread one message loop 2
2
Chrome’s implementation of an event loop
Pepe Vila Loophole November 22, 2016 9 / 22
19. Chrome’s architecture: Multi-process
Multi-process: 1 privileged host — N sandboxed renderers
Each process has multiple threads. Each thread one message loop 2
DEMO: Chrome’s task manager
2
Chrome’s implementation of an event loop
Pepe Vila Loophole November 22, 2016 9 / 22
20. Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: process-per-site-instance)
A Site is a registered domain plus a scheme
Pepe Vila Loophole November 22, 2016 10 / 22
21. Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: process-per-site-instance)
A Site is a registered domain plus a scheme (different than SOP)
Pepe Vila Loophole November 22, 2016 10 / 22
22. Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: process-per-site-instance)
A Site is a registered domain plus a scheme (different than SOP)
Sharing the renderer
When using iframes, linked nagivation or |processes| > T
T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more
Pepe Vila Loophole November 22, 2016 10 / 22
23. Chrome’s architecture: Shared event loops
Different policies for mapping applications into renderer processes
(default: process-per-site-instance)
A Site is a registered domain plus a scheme (different than SOP)
Sharing the renderer
When using iframes, linked nagivation or |processes| > T
T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more
Sharing the host process
One for all renderers
IPC through I/O thread
Pepe Vila Loophole November 22, 2016 10 / 22
24. Spying on shared event loops
Main thread of a renderer
I/O thread of the host process
Pepe Vila Loophole November 22, 2016 11 / 22
25. Spying on shared event loops
Main thread of renderer processes
Pepe Vila Loophole November 22, 2016 12 / 22
26. Spying on shared event loops
Main thread of renderer processes
runs resource parsing, style calculation, layout, painting and Javascript
each task blocks the event loop for a while
when 2 pages share the process, the main thread’s event loop is shared
A can eavesdrop information from V ’s tasks
Pepe Vila Loophole November 22, 2016 12 / 22
27. Spying on shared event loops
Main thread of renderer processes
runs resource parsing, style calculation, layout, painting and Javascript
each task blocks the event loop for a while
when 2 pages share the process, the main thread’s event loop is shared
A can eavesdrop information from V ’s tasks
I/O thread of the host process
manages IPC with all children renderers
demultiplexes all UI events to each corresponding renderer
multiplexes all network requests from renderers
each task/message/event also blocks the event loop
Pepe Vila Loophole November 22, 2016 12 / 22
28. Spying on shared event loops
Main thread of renderer processes
runs resource parsing, style calculation, layout, painting and Javascript
each task blocks the event loop for a while
when 2 pages share the process, the main thread’s event loop is shared
A can eavesdrop information from V ’s tasks
I/O thread of the host process
manages IPC with all children renderers
demultiplexes all UI events to each corresponding renderer
multiplexes all network requests from renderers
each task/message/event also blocks the event loop
Some tasks are very fast (<< 0.1 ms). We need high timing resolution.
Pepe Vila Loophole November 22, 2016 12 / 22
29. Spying on shared event loops: renderer’s main thread
Monitor the event loop from an arbitrary HTML page running Javascript:
function loop () {
save(performance .now()); // high -resolution timestamp
self.postMessage (0,’*’); // recursive invocation
}
self.onmessage = loop; // set event handler
self.postMessage (0,’*’); // post first async task
Pepe Vila Loophole November 22, 2016 13 / 22
30. Spying on shared event loops: renderer’s main thread
Monitor the event loop from an arbitrary HTML page running Javascript:
function loop () {
save(performance .now()); // high -resolution timestamp
self.postMessage (0,’*’); // recursive invocation
}
self.onmessage = loop; // set event handler
self.postMessage (0,’*’); // post first async task
1 Generates a trace of timing measurements
2 Resolution ≈ 25 µs
Pepe Vila Loophole November 22, 2016 13 / 22
31. Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
function loop () {
save(performance .now());
fetch(new Request(’http ://0.0.0.0 ’)).catch(loop);
}
loop ();
Pepe Vila Loophole November 22, 2016 14 / 22
32. Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
function loop () {
save(performance .now());
fetch(new Request(’http ://0.0.0.0 ’)).catch(loop);
}
loop ();
Performs an invalid network request. Task is posted into the I/O event to
be processed asynchronously. Fails quick and triggers our “catch”
callback.
1 Resolution ≈ 0.5 ms
Pepe Vila Loophole November 22, 2016 14 / 22
33. Spying on shared event loops: host’s I/O thread
Monitor the loop from any HTML page running Javascript:
function loop () {
save(performance .now());
fetch(new Request(’http ://0.0.0.0 ’)).catch(loop);
}
loop ();
Performs an invalid network request. Task is posted into the I/O event to
be processed asynchronously. Fails quick and triggers our “catch”
callback.
1 Resolution ≈ 0.5 ms
2 NEW METHOD: We obtain a resolution of < 0.1 ms! :D
Pepe Vila Loophole November 22, 2016 14 / 22
35. Attacks: covert channel
Covert-channel using timing differences
bandwidth of 200 bit/s on same renderer,
and 5 bit/s across processes
VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI
Pepe Vila Loophole November 22, 2016 16 / 22
36. Attacks: web page fingerprinting
Pepe Vila Loophole November 22, 2016 17 / 22
37. Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym)
Robust to horizontal compressions and streches (warping)
Pepe Vila Loophole November 22, 2016 17 / 22
38. Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym)
Robust to horizontal compressions and streches (warping)
Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0
Pepe Vila Loophole November 22, 2016 17 / 22
39. Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym)
Robust to horizontal compressions and streches (warping)
Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0
Find optimal alignment φ such that:
DTW (X, Y ) = min
φ
dφ(X, Y )
Pepe Vila Loophole November 22, 2016 17 / 22
40. Attacks: web page fingerprinting
Dynamic Time Warping
Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym)
Robust to horizontal compressions and streches (warping)
Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0
Find optimal alignment φ such that:
DTW (X, Y ) = min
φ
dφ(X, Y )
Cost O(n · m) → We use Lemire’s lower bound.
Pepe Vila Loophole November 22, 2016 17 / 22
41. Attacks: web page fingerprinting
Figure: Warping matrix with optimal alignment between two time series
Pepe Vila Loophole November 22, 2016 18 / 22
42. Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
Pepe Vila Loophole November 22, 2016 19 / 22
43. Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread)
6 traces × page (monitoring IO thread)
Pepe Vila Loophole November 22, 2016 19 / 22
44. Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread)
6 traces × page (monitoring IO thread)
only ONE sample for training
Pepe Vila Loophole November 22, 2016 19 / 22
45. Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread)
6 traces × page (monitoring IO thread)
only ONE sample for training
testing multiple configuration values
Pepe Vila Loophole November 22, 2016 19 / 22
46. Attacks: web page fingerprinting
Experiments
500 main pages from Alexa’s Top sites
30 traces × page (monitoring main thread)
6 traces × page (monitoring IO thread)
only ONE sample for training
testing multiple configuration values
k-fold cross-validation
Pepe Vila Loophole November 22, 2016 19 / 22
47. Attacks: web page fingerprinting
Renderer results: 65%
Figure: Matching rates with best
configuration and multiple tolerance
Host process results: 25%
Figure: Matching rates with multiple
configurations and tolerance
Pepe Vila Loophole November 22, 2016 20 / 22
48. Attacks: user action detection
LoopScan tool for visualizing event loops in real-time
“see” mouse movement, scrolling, clicks or keystrokes in other tabs
DEMO: http://vwzq.net/lab/ioloop/monitor.html
Pepe Vila Loophole November 22, 2016 21 / 22
49. Conclusions
Resource sharing is dangerous
It is possible to spy other tabs/pages in the same browser
Machine learning is useful for side-channel attacks
Pepe Vila Loophole November 22, 2016 22 / 22
50. Conclusions
Resource sharing is dangerous
It is possible to spy other tabs/pages in the same browser
Machine learning is useful for side-channel attacks
Future work:
- automatize event recognition (online learning)
- pattern used by ALL modern browsers
- lots of tecnologies relying on event loops
Pepe Vila Loophole November 22, 2016 22 / 22