Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management

Researchers Demonstrate Browser-Based Side-Channel Attack

Method Works Even If JavaScript Is Disabled
Researchers Demonstrate Browser-Based Side-Channel Attack

University researchers have tested a new browser-based side-channel attack technique that uses only HTML and CSS and works even if JavaScript is disabled. They shared their findings with browser providers and tech firms.

See Also: From Epidemic to Opportunity: Defend Against Authorized Transfer Scams

The "Prime+Probe" technique is a cache side-channel attack method that can detect which cache sets are accessed by the target and then use that to infer potentially valuable information, according to a research paper published by Ben-Gurion University of the Negev, the University of Adelaide and the University of Michigan. The researchers have successfully tested this technique on a wide range of platforms, including Apple’s recently introduced M1 chip.

"To assess the effectiveness of this approach, in this work, we seek to identify those JavaScript features which are essential for carrying out a cache-based attack. We develop a sequence of attacks with progressively decreasing dependency on JavaScript features, culminating in the first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets and HTML, and works even when script execution is completely blocked," the researchers note.

The researchers show that the technique is architecturally agnostic, "resulting in microarchitectural website fingerprinting attacks that work across hardware platforms, including Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures," researchers state.

Bob Rudis, chief data scientist at cyber firm Rapid7, says JavaScript has become the central core of modern web development and is prevalent on virtually every web site.

Evaluating Attack

The researchers evaluated their technique in hardened browser environments, including the Tor browser, DeterFox and Chrome Zero, and confirmed that none of these approaches defended against their attacks.

"We further argue that the protections of Chrome Zero need to be more comprehensively applied, and that the performance and user experience of Chrome Zero will be severely degraded if this approach is taken," the researchers note.

The researchers shared a draft of their paper with the product security teams of Intel, AMD, Apple, Chrome and Mozilla prior to publication.

"We show that advanced variants of the cache contention attack allow Prime+Probe attacks to be mounted through the browser in extremely constrained situations," the researchers state. "Cache attacks cannot be prevented by reduced timer resolution, by the abolition of timers, threads, or arrays, or even by completely disabling scripting support. This implies that any secret-bearing process which shares cache resources with a browser connecting to untrusted websites is potentially at risk of exposure."

Previous Findings

In June 2020, researchers from Ben-Gurion University of the Negev and the Weizmann Institute of Science in Israel described another side-channel attack technique that could enable hackers to eavesdrop on a conversation by tracking vibrations in a hanging lightbulb (see: Hackers Can Use Lightbulbs to Eavesdrop: Study).

The technique, which the researchers call "Lamphone," works by intercepting the vibrations in a hanging lightbulb caused by the changing air pressure created by sound.

About the Author

Vasudevan Nair

Vasudevan Nair

Head IT and Chief Information Security Officer (CISO), Writer Corporation

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.