JavaScript CPU cache snooper tells EVERYTHING you do online

Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC’s processor caches.

The exploit is apparently effective against machines running a late-model Intel CPU, such as a Core i7, and a HTML5-happy browser – so perhaps about 80 percent of desktop machines.

Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan, and Angelos Keromytis came up with this side-channel attack, which can be performed by JavaScript served from a malicious web ad network. It works by studying the time it takes to access data stored in the last-level cache – the L3 cache shared by all cores in a PC – and matches it to user activity.

The research has prompted Google, Microsoft, Mozilla, and Apple to upgrade their browsers to smother the attack vector. Nothing has yet been released.

Dr Oren – a true boffin – tells El Reg the snooping is best suited to small-time hackers.

“This is a very low-cost attack which would probably be used by small-time bad guys – the same creeps who bombard you with pop-up ads will probably add this to their popups so they can track you while they distract you,” Oren says.

As the team note in their paper The Spy in the Sandbox – Practical Cache Attacks in JavaScript [PDF], victims do not have to install any extra software, just simply visit a page with some nasty JS on it, thus upping the practicality of the hack.

“Our attack, which is an extension of the last-level cache attacks of (Adelaide University’s) Yuva Yarom, allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser,” they say.

Once the malicious JavaScript is running, it primes the cache into a known state, waits for the user to do something like press a key, and then uses the browser’s high-resolution timer to record the time it takes to iterate through a block of memory; when accesses are considerably faster than others, the memory being touched is still in the cache. With that information, the attacker can map the pattern of memory accesses to keystrokes and mouse movements, which can be replayed.

On Intel Core i7 Mac running OS X 10.10.2 and Firefox 35.0.1, the JS was able to map half the L3 cache in one minute, and about a quarter in roughly 30 seconds.

The research is very academic in nature, and not terribly practical, but challenges the assumption that most side-channel attacks require snoopers to be in close proximity to their victims, and be able to execute arbitrary native code.

The team reckons it’s the first side-channel attack that easily scales to millions of targets – any modern Intel-powered PC running a HTML5 browser. AMD chips are mostly immune due to their cache design.

It gives new reach to side-channel attacks not previously thought possible, and emphasizes the need for side-channel resistant algorithms and systems.

Dr Oren will not release the attack code until the browsers are patched, and in the meantime recommends concerned punters shutter unused tabs when they are working on something important.

“In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says.

Source Credits: Darren Pauli in The Register

Advertisements
This entry was posted in 06. Scientia and tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

9 Responses to JavaScript CPU cache snooper tells EVERYTHING you do online

  1. What’s up all? It’s pleasant to read this blog
    and I’m used to pay a visit to it all the time.

    Like

  2. Generally I don’t read article on blogs, however I would
    like to say that this write-up very much forced me to take a look at and do it!
    Your writing style has amazed me. Thank you, quite great
    post.

    Like

    • Bonerjea says:

      Some site somewhere was supposed to change your idea. Good to know it happened to be us. Thank you, for the nice appreciation. Wish you happy reading !

      Like

  3. Your style is very unique in comparison to other people I’ve read stuff from.
    Thank you for posting when you have the opportunity, Guess I’ll just bookmark this blog.

    Like

  4. Luther says:

    I have read so many articles or reviews on the topic on other blogs, however this article
    is really a nice post, keep it up.

    Like

  5. Wow! After all I got a web site from where I be capable of actually get helpful
    information concerning my study and knowledge.

    Like

Leave your comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s