DOI: 10.1145/3488932.3517411
Research article

Port Contention Goes Portable: Port Contention Side Channels in Web Browsers

Published: 30 May 2022

Abstract

Microarchitectural side-channel attacks can derive secrets from the execution of vulnerable programs. Their implementation in web browsers represents a considerable extension of their attack surface, as a user simply browsing a malicious website, or even a malicious third-party advertisement in a benign cross-origin isolated website, can be a victim.
In this paper, we present the first port contention side channel running entirely in a web browser, despite a highly challenging environment. Our attack can be used to build a cross-browser covert channel with a bit rate of 200 bps, one order of magnitude above the state of the art, and has a spatial resolution of 1024 native instructions in a side-channel attack, performance on par with Prime+Probe attacks. We provide a framework to evaluate the port contention caused by WebAssembly instructions on Intel processors, which makes it possible to increase the portability of port contention side channels. We conclude from our work that port contention attacks are not only fast, they are also less susceptible to noise than cache attacks, and are immune to countermeasures implemented in browsers as well as to most side-channel countermeasures, the vast majority of which target the cache.

Supplementary Material

MP4 File (ASIA-CCS22-fp236.mp4)
Video presentation of "Port Contention Goes Portable: Port Contention Side Channels in Web Browsers". In this video, we present how, for the first time, we implemented port contention in the JavaScript sandbox, considerably widening the threat surface. We also present a covert channel and an artificial example of a side channel attack.

Published In

ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
May 2022
1291 pages
ISBN: 9781450391405
DOI: 10.1145/3488932
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cpu port contention
  2. javascript
  3. side channel
  4. web-assembly

Qualifiers

  • Research-article

Conference

ASIA CCS '22

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 81
  • Downloads (last 6 weeks): 4

Reflects downloads up to 26 Jan 2025.

Cited By

  • (2024) Wasm-Mutate. Computers and Security, 139:C. DOI: 10.1016/j.cose.2024.103731. Online publication date: 16-May-2024
  • (2024) Microarchitectural Security of Firecracker VMM for Serverless Cloud Platforms. Information Systems Security, pp. 3-24. DOI: 10.1007/978-3-031-80020-7_1. Online publication date: 15-Dec-2024
  • (2023) ShowTime: Amplifying Arbitrary CPU Timing Side Channels. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 205-217. DOI: 10.1145/3579856.3590332. Online publication date: 10-Jul-2023
  • (2023) SQUIP: Exploiting the Scheduler Queue Contention Side Channel. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2256-2272. DOI: 10.1109/SP46215.2023.10179368. Online publication date: May-2023
  • (2023) WebAssembly diversification for malware evasion. Computers and Security, 131:C. DOI: 10.1016/j.cose.2023.103296. Online publication date: 1-Aug-2023
