[WEB SECURITY] fast and sort-of-reliable cache timing

Sripathi Krishnan sripathi.krishnan at gmail.com
Sat Dec 3 04:42:23 EST 2011


Definitely interesting. Despite the disclaimer, your hack also works well
on Chrome.

The webtiming paper <http://sip.cs.princeton.edu/pub/webtiming.pdf> you
referenced suggests domain tagging as a (limited) countermeasure. Domain
tagging would thwart your current PoC. But since it is ineffective against
other forms of web timing attacks, and since it completely negates the
advantage of public CDNs such as Google Libraries
<http://code.google.com/apis/libraries/>, I don't think browsers are likely
to implement it.

The last line on that report makes me sad -

> We are not aware of any practical countermeasures to these attacks. There
> seems to be little hope that effective countermeasures
> will be developed and deployed any time soon



--Sri


On 3 December 2011 05:39, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> Not particularly exciting, but perhaps of some interest to the audiences
> here:
>
> http://lcamtuf.coredump.cx/cachetime/
>
> It's a fairly crude hack, so it will probably fail spectacularly in
> some circumstances, but the bottom line is that you can probably do
> high-performance, repeated cache timing. The most important trick here
> is to abort navigation so that the requested URL never actually gets
> requested and cached if not already in cache.
>
> Cheers,
> /mz
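
Added example, not part of either message above: a toy JavaScript model of the domain tagging countermeasure mentioned in the reply. It shows both effects the reply names: a lookup from another site no longer sees the cached entry, and a shared CDN library is fetched once per embedding site. The class, domains and URLs are constructed for illustration, and the model assumes a probe that observes cache state without populating it.

```javascript
// Toy model of a browser HTTP cache (constructed for illustration, not browser code).
class BrowserCache {
  constructor(domainTagging) {
    this.domainTagging = domainTagging; // true: entries are tagged with the embedding page's domain
    this.entries = new Set();
    this.fetches = new Map();           // url -> number of network fetches
  }

  // Cache key: the URL alone (shared cache) or the URL tagged with the page's domain.
  key(pageDomain, url) {
    return this.domainTagging ? `${pageDomain} ${url}` : url;
  }

  // Non-mutating lookup: what a timing measurement would reveal to pageDomain.
  isCached(pageDomain, url) {
    return this.entries.has(this.key(pageDomain, url));
  }

  // Normal subresource load: on a miss, fetch from the network and store.
  load(pageDomain, url) {
    const k = this.key(pageDomain, url);
    if (this.entries.has(k)) return "hit";
    this.fetches.set(url, (this.fetches.get(url) || 0) + 1);
    this.entries.add(k);
    return "miss";
  }
}

function simulate(domainTagging) {
  const cache = new BrowserCache(domainTagging);
  const LOGO = "https://bank.example/logo.png"; // constructed URL
  const LIB = "https://cdn.example/lib.js";     // constructed shared CDN library

  // The user visits bank.example, which loads its logo and the CDN library.
  cache.load("bank.example", LOGO);
  cache.load("bank.example", LIB);

  // A page on other.example checks whether the bank's logo is cached.
  const visitLeaks = cache.isCached("other.example", LOGO);

  // The user later visits shop.example, which embeds the same CDN library.
  const shopLibResult = cache.load("shop.example", LIB);

  return { visitLeaks, shopLibResult, libFetches: cache.fetches.get(LIB) };
}

console.log("shared cache:  ", simulate(false));
console.log("domain tagging:", simulate(true));
```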