SlideShare ist ein Scribd-Unternehmen logo

Loophole: Timing Attacks on Shared Event Loops in Chrome

C
cgvwzq

Event-driven programming (EDP) is the prevalent paradigm for graphical user interfaces, web clients, and it is rapidly gaining importance for server-side and network programming. Central components of EDP are event loops, which act as FIFO queues that are used by processes to store and dispatch messages received from other processes. In this talk we demonstrate that shared event loops are vulnerable to side-channel attacks, where a spy process monitors the loop usage pattern of other processes by enqueueing events and measuring the time it takes for them to be dispatched. Specifically, we exhibit attacks against two central event loops in Google's Chrome web browser: that of the I/O thread of the host process, which multiplexes all network events and user actions, and that of the main thread of the renderer processes, which handles rendering and Javascript tasks. For each of these event loops, we demonstrate how the usage pattern can be monitored with high resolution and low overhead, and we show how the extracted information can be leveraged for (1) identifying a web page during the loading phase (where we achieve recognition rates of up to 65% among 500 main pages from Alexa's Top sites), for (2) implementing cross origin covert channels (where we achieve transmission rates of up to 200 bit/s), and for (3) visually identifying user behavior such as mouse movements or keystrokes.

Software
1 von 51
Downloaden Sie, um offline zu lesen
Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila November 22, 2016 Pepe Vila Loophole November 22, 2016 1 / 22
Introduction Event-driven programming Event loops A timing side-channel on event loops Pepe Vila Loophole November 22, 2016 2 / 22
Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages Examples: Nginx, Node.js or memcached Used for message passing: inter-(thread | process) communication HTML5 standard 1 mandates user agents to use EDP: 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
Introduction: Event loops Event loop, message dispatcher, message loop, or run loop Pepe Vila Loophole November 22, 2016 4 / 22
Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } Pepe Vila Loophole November 22, 2016 4 / 22
Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Pepe Vila Loophole November 22, 2016 4 / 22
Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Pepe Vila Loophole November 22, 2016 4 / 22
Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Simple concurrency model for programmers Pepe Vila Loophole November 22, 2016 4 / 22
Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: Pepe Vila Loophole November 22, 2016 5 / 22
Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: when shared between mutually distrusting programs Pepe Vila Loophole November 22, 2016 5 / 22
Our work (in poetry) “Loophole” Exploit a timing side-channel in the Chrome web browser to break user privacy using machine learning techniques - Abraham Lincoln Pepe Vila Loophole November 22, 2016 6 / 22
Chrome’s architecture Same Origin Policy (SOP) Multi-process Shared event loops Pepe Vila Loophole November 22, 2016 7 / 22
Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Pepe Vila Loophole November 22, 2016 8 / 22
Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Origin 1 Origin 2 http://example.com:8080 http://example.com http://mail.example.com http://app.example.com https://foo.example.com https://foo.example.com https://example.com http://example.com Pepe Vila Loophole November 22, 2016 8 / 22
Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 DEMO: Chrome’s task manager 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme Pepe Vila Loophole November 22, 2016 10 / 22
Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Pepe Vila Loophole November 22, 2016 10 / 22
Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Pepe Vila Loophole November 22, 2016 10 / 22
Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Sharing the host process One for all renderers IPC through I/O thread Pepe Vila Loophole November 22, 2016 10 / 22
Spying on shared event loops Main thread of a renderer I/O thread of the host process Pepe Vila Loophole November 22, 2016 11 / 22
Spying on shared event loops Main thread of renderer processes Pepe Vila Loophole November 22, 2016 12 / 22
Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks Pepe Vila Loophole November 22, 2016 12 / 22
Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Pepe Vila Loophole November 22, 2016 12 / 22
Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Some tasks are very fast (<< 0.1 ms). We need high timing resolution. Pepe Vila Loophole November 22, 2016 12 / 22
Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task Pepe Vila Loophole November 22, 2016 13 / 22
Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task 1 Generates a trace of timing measurements 2 Resolution ≈ 25 µs Pepe Vila Loophole November 22, 2016 13 / 22
Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Pepe Vila Loophole November 22, 2016 14 / 22
Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms Pepe Vila Loophole November 22, 2016 14 / 22
Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms 2 NEW METHOD: We obtain a resolution of < 0.1 ms! :D Pepe Vila Loophole November 22, 2016 14 / 22
Attacks Covert channel Web page fingerprinting User action detection Pepe Vila Loophole November 22, 2016 15 / 22
Attacks: covert channel Covert-channel using timing differences bandwidth of 200 bit/s on same renderer, and 5 bit/s across processes VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI Pepe Vila Loophole November 22, 2016 16 / 22
Attacks: web page fingerprinting Pepe Vila Loophole November 22, 2016 17 / 22
Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Pepe Vila Loophole November 22, 2016 17 / 22
Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Pepe Vila Loophole November 22, 2016 17 / 22
Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Pepe Vila Loophole November 22, 2016 17 / 22
Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Cost O(n · m) → We use Lemire’s lower bound. Pepe Vila Loophole November 22, 2016 17 / 22
Attacks: web page fingerprinting Figure: Warping matrix with optimal alignment between two time series Pepe Vila Loophole November 22, 2016 18 / 22
Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites Pepe Vila Loophole November 22, 2016 19 / 22
Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) Pepe Vila Loophole November 22, 2016 19 / 22
Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training Pepe Vila Loophole November 22, 2016 19 / 22
Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values Pepe Vila Loophole November 22, 2016 19 / 22
Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values k-fold cross-validation Pepe Vila Loophole November 22, 2016 19 / 22
Attacks: web page fingerprinting Renderer results: 65% Figure: Matching rates with best configuration and multiple tolerance Host process results: 25% Figure: Matching rates with multiple configurations and tolerance Pepe Vila Loophole November 22, 2016 20 / 22
Attacks: user action detection LoopScan tool for visualizing event loops in real-time “see” mouse movement, scrolling, clicks or keystrokes in other tabs DEMO: http://vwzq.net/lab/ioloop/monitor.html Pepe Vila Loophole November 22, 2016 21 / 22
Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Pepe Vila Loophole November 22, 2016 22 / 22
Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Future work: - automatize event recognition (online learning) - pattern used by ALL modern browsers - lots of tecnologies relying on event loops Pepe Vila Loophole November 22, 2016 22 / 22
Thank you. Questions? Pepe Vila Loophole November 22, 2016 22 / 22

Empfohlen

Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...
Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...
Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...confluent
 
Big Data Warsaw
Big Data WarsawBig Data Warsaw
Big Data WarsawMaximilian Michels
 
Code Crime Scene
Code Crime SceneCode Crime Scene
Code Crime ScenePawel Klimczyk
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
OpenStack Neutron new developers on boarding
OpenStack Neutron new developers on boardingOpenStack Neutron new developers on boarding
OpenStack Neutron new developers on boardingMiguel Lavalle
 
Open stack networking vlan, gre
Open stack networking vlan, greOpen stack networking vlan, gre
Open stack networking vlan, greSim Janghoon
 
OpenStack Meetup - SDN
OpenStack Meetup - SDNOpenStack Meetup - SDN
OpenStack Meetup - SDNSzilvia Racz
 
Fun with Github webhooks: verifying Signed-off-by
Fun with Github webhooks: verifying Signed-off-byFun with Github webhooks: verifying Signed-off-by
Fun with Github webhooks: verifying Signed-off-byJeff Squyres
 

Empfohlen

Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...
Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...
Scaling for India's Cricket Hungry Population (Bhavesh Raheja & Namit Mahuvak...confluent
 
Big Data Warsaw
Big Data WarsawBig Data Warsaw
Big Data WarsawMaximilian Michels
 
Code Crime Scene
Code Crime SceneCode Crime Scene
Code Crime ScenePawel Klimczyk
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
OpenStack Neutron new developers on boarding
OpenStack Neutron new developers on boardingOpenStack Neutron new developers on boarding
OpenStack Neutron new developers on boardingMiguel Lavalle
 
Open stack networking vlan, gre
Open stack networking vlan, greOpen stack networking vlan, gre
Open stack networking vlan, greSim Janghoon
 
OpenStack Meetup - SDN
OpenStack Meetup - SDNOpenStack Meetup - SDN
OpenStack Meetup - SDNSzilvia Racz
 
Fun with Github webhooks: verifying Signed-off-by
Fun with Github webhooks: verifying Signed-off-byFun with Github webhooks: verifying Signed-off-by
Fun with Github webhooks: verifying Signed-off-byJeff Squyres
 
Loophole: Timing Attacks on Shared Event Loops in Chrome
Loophole: Timing Attacks on Shared Event Loops in ChromeLoophole: Timing Attacks on Shared Event Loops in Chrome
Loophole: Timing Attacks on Shared Event Loops in Chromecgvwzq
 
Stream Processing with Apache Flink
Stream Processing with Apache FlinkStream Processing with Apache Flink
Stream Processing with Apache FlinkC4Media
 
Apache Beam (incubating)
Apache Beam (incubating)Apache Beam (incubating)
Apache Beam (incubating)Apache Apex
 
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...OpenWhisk
 
Asynchronous Ruby
Asynchronous RubyAsynchronous Ruby
Asynchronous RubyAnton Mishchuk
 
NodeJS-OSN
NodeJS-OSNNodeJS-OSN
NodeJS-OSNDamodar Chetty
 
Serverless apps with OpenWhisk
Serverless apps with OpenWhiskServerless apps with OpenWhisk
Serverless apps with OpenWhiskDaniel Krook
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16AppDynamics
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensionsjohnlvidal
 
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...OpenCredo
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server InternalsPraveen Gollakota
 
RTP Bluemix Meetup April 20th 2016
RTP Bluemix Meetup April 20th 2016RTP Bluemix Meetup April 20th 2016
RTP Bluemix Meetup April 20th 2016Tom Boucher
 
Serverless Apps with Open Whisk
Serverless Apps with Open Whisk Serverless Apps with Open Whisk
Serverless Apps with Open Whisk Dev_Events
 
Streaming your Lyft Ride Prices - Flink Forward SF 2019
Streaming your Lyft Ride Prices - Flink Forward SF 2019Streaming your Lyft Ride Prices - Flink Forward SF 2019
Streaming your Lyft Ride Prices - Flink Forward SF 2019Thomas Weise
 
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward
 
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward
 
Nexmark with beam
Nexmark with beamNexmark with beam
Nexmark with beamEtienne Chauchot
 
OpenWhisk - Serverless Architecture
OpenWhisk - Serverless Architecture OpenWhisk - Serverless Architecture
OpenWhisk - Serverless Architecture Dev_Events
 
Build a cloud native app with OpenWhisk
Build a cloud native app with OpenWhiskBuild a cloud native app with OpenWhisk
Build a cloud native app with OpenWhiskDaniel Krook
 
Swift at IBM: Mobile, open source and the drive to the cloud
Swift at IBM: Mobile, open source and the drive to the cloudSwift at IBM: Mobile, open source and the drive to the cloud
Swift at IBM: Mobile, open source and the drive to the cloudDev_Events
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 

Weitere ähnliche Inhalte

Ähnlich wie Loophole: Timing Attacks on Shared Event Loops in Chrome

Loophole: Timing Attacks on Shared Event Loops in Chrome
Loophole: Timing Attacks on Shared Event Loops in ChromeLoophole: Timing Attacks on Shared Event Loops in Chrome
Loophole: Timing Attacks on Shared Event Loops in Chromecgvwzq
 
Stream Processing with Apache Flink
Stream Processing with Apache FlinkStream Processing with Apache Flink
Stream Processing with Apache FlinkC4Media
 
Apache Beam (incubating)
Apache Beam (incubating)Apache Beam (incubating)
Apache Beam (incubating)Apache Apex
 
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...OpenWhisk
 
Serverless apps with OpenWhisk
Serverless apps with OpenWhiskServerless apps with OpenWhisk
Serverless apps with OpenWhiskDaniel Krook
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16AppDynamics
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensionsjohnlvidal
 
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...OpenCredo
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server InternalsPraveen Gollakota
 
RTP Bluemix Meetup April 20th 2016
RTP Bluemix Meetup April 20th 2016RTP Bluemix Meetup April 20th 2016
RTP Bluemix Meetup April 20th 2016Tom Boucher
 
Serverless Apps with Open Whisk
Serverless Apps with Open Whisk Serverless Apps with Open Whisk
Serverless Apps with Open Whisk Dev_Events
 
Streaming your Lyft Ride Prices - Flink Forward SF 2019
Streaming your Lyft Ride Prices - Flink Forward SF 2019Streaming your Lyft Ride Prices - Flink Forward SF 2019
Streaming your Lyft Ride Prices - Flink Forward SF 2019Thomas Weise
 
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward
 
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward
 
OpenWhisk - Serverless Architecture
OpenWhisk - Serverless Architecture OpenWhisk - Serverless Architecture
OpenWhisk - Serverless Architecture Dev_Events
 
Build a cloud native app with OpenWhisk
Build a cloud native app with OpenWhiskBuild a cloud native app with OpenWhisk
Build a cloud native app with OpenWhiskDaniel Krook
 
Swift at IBM: Mobile, open source and the drive to the cloud
Swift at IBM: Mobile, open source and the drive to the cloudSwift at IBM: Mobile, open source and the drive to the cloud
Swift at IBM: Mobile, open source and the drive to the cloudDev_Events
 

Ähnlich wie Loophole: Timing Attacks on Shared Event Loops in Chrome (20)

Loophole: Timing Attacks on Shared Event Loops in Chrome
Loophole: Timing Attacks on Shared Event Loops in ChromeLoophole: Timing Attacks on Shared Event Loops in Chrome
Loophole: Timing Attacks on Shared Event Loops in Chrome
 
Stream Processing with Apache Flink
Stream Processing with Apache FlinkStream Processing with Apache Flink
Stream Processing with Apache Flink
 
Apache Beam (incubating)
Apache Beam (incubating)Apache Beam (incubating)
Apache Beam (incubating)
 
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
 
Asynchronous Ruby
Asynchronous RubyAsynchronous Ruby
Asynchronous Ruby
 
NodeJS-OSN
NodeJS-OSNNodeJS-OSN
NodeJS-OSN
 
Serverless apps with OpenWhisk
Serverless apps with OpenWhiskServerless apps with OpenWhisk
Serverless apps with OpenWhisk
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensions
 
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
ThingMonk 2016 - Concursus Event sourcing for the IOT By Tareq Abedrabbo & Do...
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server Internals
 
RTP Bluemix Meetup April 20th 2016
RTP Bluemix Meetup April 20th 2016RTP Bluemix Meetup April 20th 2016
RTP Bluemix Meetup April 20th 2016
 
Serverless Apps with Open Whisk
Serverless Apps with Open Whisk Serverless Apps with Open Whisk
Serverless Apps with Open Whisk
 
Streaming your Lyft Ride Prices - Flink Forward SF 2019
Streaming your Lyft Ride Prices - Flink Forward SF 2019Streaming your Lyft Ride Prices - Flink Forward SF 2019
Streaming your Lyft Ride Prices - Flink Forward SF 2019
 
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
 
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
Flink Forward San Francisco 2019: Streaming your Lyft Ride Prices - Thomas We...
 
Nexmark with beam
Nexmark with beamNexmark with beam
Nexmark with beam
 
OpenWhisk - Serverless Architecture
OpenWhisk - Serverless Architecture OpenWhisk - Serverless Architecture
OpenWhisk - Serverless Architecture
 
Build a cloud native app with OpenWhisk
Build a cloud native app with OpenWhiskBuild a cloud native app with OpenWhisk
Build a cloud native app with OpenWhisk
 
Swift at IBM: Mobile, open source and the drive to the cloud
Swift at IBM: Mobile, open source and the drive to the cloudSwift at IBM: Mobile, open source and the drive to the cloud
Swift at IBM: Mobile, open source and the drive to the cloud
 

Kürzlich hochgeladen

Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationJuha-Pekka Tolvanen
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...masabamasaba
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
WSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - KanchanaWSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - KanchanaWSO2
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2
 

Kürzlich hochgeladen (20)

Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
WSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - KanchanaWSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - Kanchana
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 

Loophole: Timing Attacks on Shared Event Loops in Chrome

  • 1. Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila November 22, 2016 Pepe Vila Loophole November 22, 2016 1 / 22
  • 2. Introduction Event-driven programming Event loops A timing side-channel on event loops Pepe Vila Loophole November 22, 2016 2 / 22
  • 3. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  • 4. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  • 5. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages Examples: Nginx, Node.js or memcached Used for message passing: inter-(thread | process) communication HTML5 standard 1 mandates user agents to use EDP: 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22
  • 6. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop Pepe Vila Loophole November 22, 2016 4 / 22
  • 7. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } Pepe Vila Loophole November 22, 2016 4 / 22
  • 8. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Pepe Vila Loophole November 22, 2016 4 / 22
  • 9. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Pepe Vila Loophole November 22, 2016 4 / 22
  • 10. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Simple concurrency model for programmers Pepe Vila Loophole November 22, 2016 4 / 22
  • 11. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: Pepe Vila Loophole November 22, 2016 5 / 22
  • 12. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: when shared between mutually distrusting programs Pepe Vila Loophole November 22, 2016 5 / 22
  • 13. Our work (in poetry) “Loophole” Exploit a timing side-channel in the Chrome web browser to break user privacy using machine learning techniques - Abraham Lincoln Pepe Vila Loophole November 22, 2016 6 / 22
  • 14. Chrome’s architecture Same Origin Policy (SOP) Multi-process Shared event loops Pepe Vila Loophole November 22, 2016 7 / 22
  • 15. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Pepe Vila Loophole November 22, 2016 8 / 22
  • 16. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Origin 1 Origin 2 http://example.com:8080 http://example.com http://mail.example.com http://app.example.com https://foo.example.com https://foo.example.com https://example.com http://example.com Pepe Vila Loophole November 22, 2016 8 / 22
  • 17. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  • 18. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  • 19. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 DEMO: Chrome’s task manager 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22
  • 20. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme Pepe Vila Loophole November 22, 2016 10 / 22
  • 21. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Pepe Vila Loophole November 22, 2016 10 / 22
  • 22. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Pepe Vila Loophole November 22, 2016 10 / 22
  • 23. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer When using iframes, linked nagivation or |processes| > T T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Sharing the host process One for all renderers IPC through I/O thread Pepe Vila Loophole November 22, 2016 10 / 22
  • 24. Spying on shared event loops Main thread of a renderer I/O thread of the host process Pepe Vila Loophole November 22, 2016 11 / 22
  • 25. Spying on shared event loops Main thread of renderer processes Pepe Vila Loophole November 22, 2016 12 / 22
  • 26. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks Pepe Vila Loophole November 22, 2016 12 / 22
  • 27. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Pepe Vila Loophole November 22, 2016 12 / 22
  • 28. Spying on shared event loops Main thread of renderer processes runs resource parsing, style calculation, layout, painting and Javascript each task blocks the event loop for a while when 2 pages share the process, the main thread’s event loop is shared A can eavesdrop information from V ’s tasks I/O thread of the host process manages IPC with all children renderers demultiplexes all UI events to each corresponding renderer multiplexes all network requests from renderers each task/message/event also blocks the event loop Some tasks are very fast (<< 0.1 ms). We need high timing resolution. Pepe Vila Loophole November 22, 2016 12 / 22
  • 29. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task Pepe Vila Loophole November 22, 2016 13 / 22
  • 30. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save(performance .now()); // high -resolution timestamp self.postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self.postMessage (0,’*’); // post first async task 1 Generates a trace of timing measurements 2 Resolution ≈ 25 µs Pepe Vila Loophole November 22, 2016 13 / 22
  • 31. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Pepe Vila Loophole November 22, 2016 14 / 22
  • 32. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms Pepe Vila Loophole November 22, 2016 14 / 22
  • 33. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save(performance .now()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Performs an invalid network request. Task is posted into the I/O event to be processed asynchronously. Fails quick and triggers our “catch” callback. 1 Resolution ≈ 0.5 ms 2 NEW METHOD: We obtain a resolution of < 0.1 ms! :D Pepe Vila Loophole November 22, 2016 14 / 22
  • 34. Attacks Covert channel Web page fingerprinting User action detection Pepe Vila Loophole November 22, 2016 15 / 22
  • 35. Attacks: covert channel Covert-channel using timing differences bandwidth of 200 bit/s on same renderer, and 5 bit/s across processes VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI Pepe Vila Loophole November 22, 2016 16 / 22
  • 36. Attacks: web page fingerprinting Pepe Vila Loophole November 22, 2016 17 / 22
  • 37. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Pepe Vila Loophole November 22, 2016 17 / 22
  • 38. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Pepe Vila Loophole November 22, 2016 17 / 22
  • 39. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Pepe Vila Loophole November 22, 2016 17 / 22
  • 40. Attacks: web page fingerprinting Dynamic Time Warping Distance metric for time series: X = (x1, ..., xn) and Y = (y1, ..., ym) Robust to horizontal compressions and streches (warping) Computes cross-distance matrix: M(i, j) = f (xi , yj ) ≥ 0 Find optimal alignment φ such that: DTW (X, Y ) = min φ dφ(X, Y ) Cost O(n · m) → We use Lemire’s lower bound. Pepe Vila Loophole November 22, 2016 17 / 22
  • 41. Attacks: web page fingerprinting Figure: Warping matrix with optimal alignment between two time series Pepe Vila Loophole November 22, 2016 18 / 22
  • 42. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites Pepe Vila Loophole November 22, 2016 19 / 22
  • 43. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) Pepe Vila Loophole November 22, 2016 19 / 22
  • 44. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training Pepe Vila Loophole November 22, 2016 19 / 22
  • 45. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values Pepe Vila Loophole November 22, 2016 19 / 22
  • 46. Attacks: web page fingerprinting Experiments 500 main pages from Alexa’s Top sites 30 traces × page (monitoring main thread) 6 traces × page (monitoring IO thread) only ONE sample for training testing multiple configuration values k-fold cross-validation Pepe Vila Loophole November 22, 2016 19 / 22
  • 47. Attacks: web page fingerprinting Renderer results: 65% Figure: Matching rates with best configuration and multiple tolerance Host process results: 25% Figure: Matching rates with multiple configurations and tolerance Pepe Vila Loophole November 22, 2016 20 / 22
  • 48. Attacks: user action detection LoopScan tool for visualizing event loops in real-time “see” mouse movement, scrolling, clicks or keystrokes in other tabs DEMO: http://vwzq.net/lab/ioloop/monitor.html Pepe Vila Loophole November 22, 2016 21 / 22
  • 49. Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Pepe Vila Loophole November 22, 2016 22 / 22
  • 50. Conclusions Resource sharing is dangerous It is possible to spy other tabs/pages in the same browser Machine learning is useful for side-channel attacks Future work: - automatize event recognition (online learning) - pattern used by ALL modern browsers - lots of tecnologies relying on event loops Pepe Vila Loophole November 22, 2016 22 / 22
  • 51. Thank you. Questions? Pepe Vila Loophole November 22, 2016 22 / 22