SoK: In Search of Lost Time: A Review of ...
Document type :
Communication dans un congrès avec actes
Permalink :
Title :
SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers
Author(s) :
Rokicki, Thomas [Auteur]
Embedded Security and Cryptography / Sécurité cryptographie embarquée [EMSEC]
Maurice, Clementine [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Laperdrix, Pierre [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Embedded Security and Cryptography / Sécurité cryptographie embarquée [EMSEC]
Maurice, Clementine [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Laperdrix, Pierre [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Conference title :
6th IEEE European Symposium on Security and Privacy (EuroS&P'21)
City :
Vienna
Country :
Autriche
Start date of the conference :
2021-09-06
HAL domain(s) :
Informatique [cs]/Cryptographie et sécurité [cs.CR]
English abstract : [en]
JavaScript-based timing attacks have been greatly explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside of the JavaScript sandbox. In reaction to ...
Show more >JavaScript-based timing attacks have been greatly explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside of the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks multiplied in the last years, so did the countermeasures, in a cat-and-mouse game fashion. In this paper, we present the evolution and current situation of timing attacks in browsers, as well as statistical tools to characterize available timers. Our goal is to present a clear view of the attack surface and understand: what are the main prerequisites and classes of browser-based timing attacks and what are the main countermeasures. We focus on determining to what extent the changes on timing-based countermeasures impact browser security. In particular, we show that the shift in protecting against transient execution attacks has re-enabled other attacks such as microarchitectural side-channel attacks with a higher bandwidth than what was possible just two years ago.Show less >
Show more >JavaScript-based timing attacks have been greatly explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside of the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks multiplied in the last years, so did the countermeasures, in a cat-and-mouse game fashion. In this paper, we present the evolution and current situation of timing attacks in browsers, as well as statistical tools to characterize available timers. Our goal is to present a clear view of the attack surface and understand: what are the main prerequisites and classes of browser-based timing attacks and what are the main countermeasures. We focus on determining to what extent the changes on timing-based countermeasures impact browser security. In particular, we show that the shift in protecting against transient execution attacks has re-enabled other attacks such as microarchitectural side-channel attacks with a higher bandwidth than what was possible just two years ago.Show less >
Language :
Anglais
Peer reviewed article :
Oui
Audience :
Internationale
Popular science :
Non
Collections :
Source :
Submission date :
2021-11-13T02:34:45Z
Files
- https://hal.inria.fr/hal-03215569/document
- Open access
- Access the document