Indirect Meltdown: Building Novel Side-Channel Attacks from Transient-Execution Attacks
The transient-execution attack Meltdown leaks sensitive information by
transiently accessing inaccessible data during out-of-order execution. Although
Meltdown is fixed in hardware for recent CPU generations, most
currently-deployed CPUs have to rely on software mitigations, such as KPTI.
Still, Meltdown is considered non-exploitable on current systems. In this
paper, we show that adding another layer of indirection to Meltdown transforms
a transient-execution attack into a side-channel attack, leaking metadata
instead of data. We show that despite software mitigations, attackers can still
leak metadata from other security domains by observing the success rate of
Meltdown on non-secret data. With LeakIDT, we present the first cache-line
granular monitoring of kernel addresses. LeakIDT allows an attacker to obtain
cycle-accurate timestamps for attacker-chosen interrupts. We use our attack to
get accurate inter-keystroke timings and fingerprint visited websites. While we
propose a low-overhead software mitigation to prevent the exploitation of
LeakIDT, we emphasize that the side-channel aspect of transient-execution
attacks should not be underestimated.
Comment: published at ESORICS 202
Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices
Contains fulltext: 187230.pdf (preprint version) (Open Access)
JShelter: Give Me My Browser Back
The Web is used daily by billions. Even so, users are not protected from many
threats by default. This position paper builds on previous web privacy and
security research and introduces JShelter, a webextension that fights to return
the browser to users. Moreover, we introduce a library helping with common
webextension development tasks and fixing loopholes misused by previous
research. JShelter focuses on fingerprinting prevention, limitations of rich
web APIs, prevention of attacks connected to timing, and learning information
about the computer, the browser, the user, and surrounding physical environment
and location. We discovered a loophole in the sensor timestamps that lets any
page observe the device boot time if sensor APIs are enabled in Chromium-based
browsers. JShelter provides a fingerprinting report and other feedback that can
be used by future security research and data protection authorities. Thousands
of users around the world use the webextension every day.