Not particularly exciting, but perhaps of some interest to the audiences here:
http://lcamtuf.coredump.cx/cachetime/
It's a fairly crude hack, so it will probably fail spectacularly in
some circumstances, but the bottom line is that you can probably do
high-performance, repeated cache timing. The most important trick here
is to abort navigation so that the requested URL never actually gets
requested and cached if not already in cache.
Cheers,
/mz
Definitely interesting. Despite the disclaimer, your hack also works well
on Chrome.
The webtiming paper http://sip.cs.princeton.edu/pub/webtiming.pdf you
referenced suggests domain tagging as a (limited) counter measure. Domain
Tagging would thwart your current PoC. But since it is ineffective against
other forms of web timing attacks, and since it completely negates the
advantage of public CDNs such as google
librarieshttp://code.google.com/apis/libraries/ -
I don't think browsers are likely to implement it.
The last line on that report makes me sad -
We are not aware of any practical countermeasures to these attacks. There
seems to be little hope that effective countermeasures
will be developed and deployed any time soon
--Sri
On 3 December 2011 05:39, Michal Zalewski lcamtuf@coredump.cx wrote:
Not particularly exciting, but perhaps of some interest to the audiences
here:
http://lcamtuf.coredump.cx/cachetime/
It's a fairly crude hack, so it will probably fail spectacularly in
some circumstances, but the bottom line is that you can probably do
high-performance, repeated cache timing. The most important trick here
is to abort navigation so that the requested URL never actually gets
requested and cached if not already in cache.
Cheers,
/mz
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Definitely interesting. Despite the disclaimer, your hack also works well on
Chrome.
It may be by accident, but I don't think it works reliably; it was
returning some false positives / false negatives for me. I have a
Chrome variant that I started working on and that behaves well on one
of my systems, but not yet on the other - check out chrome.html in the
same directory if you're interested.
In general, though, doing this in any browser is just a matter of
investing few extra hours to fine-tune the navigation timings; the
basic premise of being able to abort the request when you don't detect
cache hit (indicated through a SOP exception on an <iframe>) within
several milliseconds of starting navigation... that seems to work
everywhere.
/mz
Cool stuff, btw: it also works for guessing sites visited while in
Private Browsing.
Cesar.
On 12/2/2011 9:09 PM, Michal Zalewski wrote:
Not particularly exciting, but perhaps of some interest to the audiences here:
http://lcamtuf.coredump.cx/cachetime/
It's a fairly crude hack, so it will probably fail spectacularly in
some circumstances, but the bottom line is that you can probably do
high-performance, repeated cache timing. The most important trick here
is to abort navigation so that the requested URL never actually gets
requested and cached if not already in cache.
Cheers,
/mz
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Just for the record: I greatly improved the original Firefox version
(which now has a high success ratio according to the survey I added to
the page); and added experimental variants for MSIE, Chrome, and
Opera. Anyhow...
/mz