Séminaire SoSySec : Port Contention Goes Portable: Port Contention Side Channels in Web Browsers

Seminar
Starting on
Ending on
Location
IRISA Rennes
Room
Pétri/Turing
Speaker
Thomas Rokicki (Univ Rennes, CNRS, IRISA)

Port Contention Goes Portable: Port Contention Side Channels in Web Browsers

Microarchitectural side-channel attacks can derive secrets from the execution of vulnerable programs. Their implementation in web browsers represents a considerable extension of their attack surface, as a user simply browsing a malicious website, or even a malicious third-party advertisement in a benign cross-origin isolated website, can be a victim. In this talk, we present the first CPU port contention side channel running entirely in a web browser, despite a highly challenging environment. Our attack can be used to build a cross-browser covert channel with a bit rate of 200bps, one order of magnitude above the state of the art, and has a spatial resolution of 1024 native instructions in a side-channel attack, a performance on-par with Prime+Probe attacks. We provide a framework to evaluate the port contention caused by WebAssembly instructions on Intel processors, allowing to increase the portability of port contention side channels. We conclude from our work that port contention attacks are not only fast, they are also less susceptible to noise than cache attacks, and are immune to countermeasures implemented in browsers as well as most side channel countermeasures, which target the cache in their vast majority. This work has been accepted at AsiaCCS '22.