A Study of Timing Side-Channel Attacks and Countermeasures on JavaScript and WebAssembly

Mazaheri, Mohammad Erfan; Bayat Sarmadi, Siavash; Taheri Ardakani, Farhad

doi:10.22042/isecure.2021.263565.599

A Study of Timing Side-Channel Attacks and Countermeasures on JavaScript and WebAssembly

Document Type : Research Article

Authors

Mohammad Erfan Mazaheri

Siavash Bayat Sarmadi

Farhad Taheri Ardakani

Sharif University of Technology, Department of Computer Engineering, Tehran, Islamic Republic of Iran.

https://doi.org/10.22042/isecure.2021.263565.599

Abstract

Side-channel attacks are a group of powerful attacks in hardware security that exploit the deficiencies in the implementation of systems. Timing side-channel attacks are one of the main side-channel attack categories that use the time difference of running an operation in different states. Many powerful attacks can be classified into this type of attack, including cache attacks. The limitation of these attacks is the need to run the spy program on the victim's system. Various studies have tried to overcome this limitation by implementing these attacks remotely on JavaScript and WebAssembly. This paper provides the first comprehensive evaluation of timing side-channel attacks on JavaScript and investigates challenges and countermeasures to overcome these attacks. Moreover, by investigating the countermeasures and their strengths and weaknesses, we introduce a detection-based approach, called Lurking Eyes. Our approach has the least reduction in the performance of JavaScript and WebAssembly. The evaluation results show that the Lurking eyes have an accuracy of 0.998, precision of 0.983, and F-measure of 0.983. Considering these values and no limitations, this method can be introduced as an effective way to counter timing side-channel attacks on JavaScript and WebAssembly. Also, we provide a new accurate timer, named Eagle timer, based on WebAssembly memory for implementing these attacks.

Keywords

Timing Side-Channel Attacks

JavaScript

WebAssembly

Malicious Code Detection

Timers

20.1001.1.20082045.2022.14.1.3.3

[1] Dag Arne Osvik, Adi Shamir, and Eran Tromer. Cache attacks and countermeasures: the case of aes. In RSA, pages 1–20. Springer, 2006.
[2] Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee. Last-level cache sidechannel attacks are practical. In IEEE, pages 605–622. IEEE, 2015.
[3] Yuval Yarom and Katrina Falkner. Flush+reload: a high resolution, low noise, l3 cache side-channel attack. In USENIX, pages 719–732, 2014.
[4] Daniel Gruss, David Bidner, and Stefan Mangard. Practical memory deduplication attacks in sandboxed javascript. In ESRCS, pages 108–122. Springer, 2015.
[5] Yossef Oren, Vasileios P Kemerlis, Simha Sethumadhavan, and Angelos D Keromytis. The spy in the sandbox: Practical cache attacks in javascript and their implications. In CCS, pages 1406–1418, 2015.
[6] Daniel Gruss, Cl´ementine Maurice, and Stefan Mangard. Rowhammer. js: A remote softwareinduced fault attack in javascript. In DIMVA pages 300–321. Springer, 2016.
[7] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, et al. Spectre attacks: Exploiting speculative execution. In IEEE, pages 1–19. IEEE, 2019.
[8] Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida. Aslr on the line: Practical cache attacks on the mmu. In NDSS, volume 17, page 26, 2017.
[9] Michael Schwarz, Cl´ementine Maurice, Daniel Gruss, and Stefan Mangard. Fantastic timers and where to find them: High-resolution microarchitectural attacks in javascript. In FCDS, pages 247–267. Springer, 2017.
[10] Michael Schwarz, Moritz Lipp, Daniel Gruss, Samuel Weiser, Cl´ementine Maurice, Raphael Spreitzer, and Stefan Mangard. Keydrown: Eliminating software-based keystroke timing sidechannel attacks. 2018.
[11] David Kohlbrenner and Hovav Shacham. Trusted browsers for uncertain times. In USENIX, pages 463–480, 2016.
[12] Pepe Vila and Boris K¨opf. Loophole: Timing attacks on shared event loops in chrome. In USENIX, pages 849–864, 2017.
[13] Michael Schwarz, Moritz Lipp, and Daniel Gruss. Javascript zero: Real javascript and zero sidechannel attacks. In NDSS, 2018.
[14] Mohammad Erfan Mazaheri, Farhad Taheri, and Siavash Bayat Sarmadi. Lurking eyes: A method to detect side-channel attacks on javascript and webassembly. In ISCISC, pages 1–6. IEEE, 2020.
[15] David A Patterson and John L Hennessy. Computer organization and design MIPS edition: the hardware/software interface. Newnes, 2013.
[16] Gorka Irazoqui Apecechea, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar. Fine grain cross-vm attacks on xen and vmware are possible! IACR, 2014:248, 2014.
[17] Alan Jay Smith. Cache memories. CSUR, 14(3):473–530, 1982.
[18] Erik Bosman, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. Dedup est machina: Memory deduplication as an advanced exploitation vector. In IEEE, pages 987–1004. IEEE, 2016.
[19] Jo˜ao Paulo and Jos´e Pereira. A survey and classification of storage deduplication systems. CSUR, 47(1):11, 2014.
[20] Jidong Xiao, Zhang Xu, Hai Huang, and Haining Wang. Security implications of memory deduplication in a virtualized environment. In DSN, pages 1–12. IEEE, 2013.
[21] David Flanagan. JavaScript: the definitive guide. ” O’Reilly Media, Inc.”, 2006.
[22] Robin Nixon. Learning PHP, MySQL, JavaScript, and CSS: A step-by-step guide to creating dynamic websites. ” O’Reilly Media, Inc.”, 2012.
[23] jsinfo. js information. https://Javascript.com/info, 2019. Accessed: Aug. 2019.
[24] Mozilla. javascript info. https://developer.mozilla.org/enUS/docs/web/javascript, 2019. Accessed: Aug. 2019.
[25] Mozilla. ArrayBuffer. https://developer.mozilla.org/enUS/docs/Web/JavaScript/Reference, 2020. Accessed: Nov. 2020.
[26] Paul Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In CC, pages 388–397. Springer, 1999.
[27] Paul C Kocher. Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In CC, pages 104–113. Springer, 1996.
[28] Suresh Chari, Josyula R Rao, and Pankaj Rohatgi. Template attacks. In CHES, pages 13–28. Springer, 2002.
[29] Yinqian Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. Cross-vm side channels and their use to extract private keys. In CCS, pages 305–316. ACM, 2012.
[30] Yinqian Zhang, Ari Juels, Alina Oprea, and Michael K Reiter. Homealone: Co-residency detection in the cloud via side-channel analysis. In IEEE, pages 313–328. IEEE, 2011.
[31] Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. CE, 8(1):1–27, 2018.
[32] Michael Schwarz, Florian Lackner, and Daniel Gruss. Javascript template attacks: Automatically inferring host information for targeted exploits. In NDSS, 2019.
[33] Moritz Lipp, Daniel Gruss, Michael Schwarz, David Bidner, Cl´ementine Maurice, and Stefan Mangard. Practical keystroke timing attacks in sandboxed javascript. In ESRCS, pages 191–209. Springer, 2017.
[34] Daniel Genkin, Lev Pachmanov, Eran Tromer, and Yuval Yarom. Drive-by key-extraction cache attacks from portable code. In ICACNS, pages 83–102. Springer, 2018.
[35] Pietro Frigo, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. Grand pwning unit: Accelerating microarchitectural attacks with the gpu. In IEEE, pages 195–210. IEEE, 2018.
[36] Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, and Yuval Yarom. Robust website fingerprinting through the cache occupancy channel. In USENIX, pages 639–656, 2019.
[37] Colin Percival. Cache missing for fun and profit, 2005.
[38] David Gullasch, Endre Bangerter, and Stephan Krenn. Cache games–bringing access-based cache attacks on aes to practice. In SSP, pages 490–505. IEEE, 2011.
[39] Daniel Gruss, Cl´ementine Maurice, Klaus Wagner, and Stefan Mangard. Flush+ flush: a fast and stealthy cache attack. In DIMVA, pages 279–299. Springer, 2016.
[40] Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. Cache template attacks: Automating attacks on inclusive last-level caches. In USENIX, pages 897–912, 2015.
[41] Billy Bob Brumley and Risto M Hakala. Cachetiming template attacks. In TACIS, pages 667–684. Springer, 2009.
[42] Eran Tromer, Dag Arne Osvik, and Adi Shamir. Efficient cache attacks on aes, and countermeasures. Journal of Cryptology, 23(1):37–71, 2010.
[43] Onur Acıi¸cmez, Werner Schindler, and C¸ etin K Ko¸c. Cache based remote timing attack on the aes. In RSA, pages 271–286. Springer, 2007.
[44] Onur Acii¸cmez. Yet another microarchitectural attack:: Exploiting i-cache. In CSA, pages 11–18. ACM, 2007.
[45] Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. Hey, you, get off of my cloud: exploring information leakage in thirdparty compute clouds. In CCS, pages 199–212. ACM, 2009.
[46] Taesoo Kim, Marcus Peinado, and Gloria Mainar-Ruiz. {STEALTHMEM}: System-level protection against cache-based side channel attacks in the cloud. In USENIX, pages 189–204, 2012.
[47] Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. S $ a: A shared cache attack that works across cores and defies vm sandboxing–and its application to aes. In SSP, pages 591–604. IEEE, 2015.
[48] Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar. Wait a minute! a fast, cross-vm attack on aes. In RAID, pages 299–319. Springer, 2014.
[49] Mehmet Kayaalp, Nael Abu-Ghazaleh, Dmitry Ponomarev, and Aamer Jaleel. A high-resolution side-channel attack on last-level cache. In ADAC, page 72. ACM, 2016.
[50] Gorka Irazoqui and Xiaofei Guo. Cache side channel attack: Exploitability and countermeasures. Black Hat Asia, 2017(3), 2017.
[51] Cl´ementine Maurice, Christoph Neumann, Olivier Heen, and Aur´elien Francillon. C5: crosscores cache covert channel. In DIMVA, pages 46–64. Springer, 2015.
[52] Ferdinand Brasser, Urs M¨uller, Alexandra Dmitrienko, Kari Kostiainen, Srdjan Capkun, and Ahmad-Reza Sadeghi. Software grand exposure:{SGX} cache attacks are practical. In USENIX, 2017.
[53] Shahid Anwar, Zakira Inayat, Mohamad Fadli Zolkipli, Jasni Mohamad Zain, Abdullah Gani, Nor Badrul Anuar, Muhammad Khurram Khan, and Victor Chang. Cross-vm cache-based side channel attacks and proposed prevention mechanisms: A survey. NCA, 93:259–279, 2017.
[54] Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. Cross processor cache attacks. In CCS, pages 353–364. ACM, 2016.
[55] Peter Pessl, Daniel Gruss, Cl´ementine Maurice, Michael Schwarz, and Stefan Mangard. {DRAMA}: Exploiting {DRAM} addressing for cross-cpu attacks. In USENIX, pages 565–581, 2016.
[56] Michael Schwarz, Martin Schwarzl, Moritz Lipp, and Daniel Gruss. Netspectre: Read arbitrary memory over network. arXiv, 2018.
[57] Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, and Ten H Lai. Sgxpectre attacks: Stealing intel secrets from sgx enclaves via speculative execution. arXiv, 2018.
[58] Giorgi Maisuradze and Christian Rossow. Speculose: Analyzing the security implications of speculative execution in cpus. arXiv, 2018.
[59] Dan Boneh, Richard A DeMillo, and Richard J Lipton. On the importance of checking cryptographic protocols for faults. In TACT, pages 37–51. Springer, 1997.
[60] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CC, pages 513–525. Springer, 1997.
[61] Gilles Piret and Jean-Jacques Quisquater. A differential fault attack technique against spn structures, with application to the aes and khazad. In CHES, pages 77–88. Springer, 2003.
[62] Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. Flipping bits in memory without accessing them: An experimental study of dram disturbance errors. In SIGARCH CAN, volume 42, pages 361–372. IEEE Press, 2014.
[63] Mark Seaborn and Thomas Dullien. Exploiting the dram rowhammer bug to gain kernel privileges. Black Hat, 15, 2015.
[64] Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, and Radu Teodorescu. One bit flips, one cloud flops: Cross-vm row hammer attacks and privilege escalation. In USENIX, pages 19–35, 2016.

[65] Yeongjin Jang, Jaehyuk Lee, Sangho Lee, and Taesoo Kim. Sgx-bomb: Locking down the processor via rowhammer attack. In SSTE, page 5. ACM, 2017.
[66] Ralf Hund, Carsten Willems, and Thorsten Holz. Practical timing side channel attacks against kernel space aslr. In 2013 IEEE Symposium on Security and Privacy, pages 191–205. IEEE, 2013.
[67] Kuniyasu Suzaki, Kengo Iijima, Toshiki Yagi, and Cyrille Artho. Memory deduplication as a threat to the guest os. In SS, page 1. ACM, 2011.
[68] Rodney Owens and Weichao Wang. Noninteractive os fingerprinting through memory deduplication technique in virtual machines. In IPCCC, pages 1–8. IEEE, 2011.
[69] Tom Van Goethem, Wouter Joosen, and Nick Nikiforakis. The clock is still ticking: Timing attacks in the modern web. In CCS, pages 1382–1393, 2015.
[70] Robert Martin, John Demme, and Simha Sethumadhavan. Timewarp: rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks. SIGARCH, 40(3):118–129, 2012.
[71] Deian Stefan, Pablo Buiras, Edward Z Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazi`eres. Eliminating cache-based timing attacks with instruction-based scheduling. In ESRCS, pages 718–735. Springer, 2013.
[72] Michael Schwarz, Moritz Lipp, Daniel Gruss, Samuel Weiser, Cl´ementine Maurice, Raphael Spreitzer, and Stefan Mangard. Keydrown: Eliminating software-based keystroke timing sidechannel attacks. In NDSSS. Internet Society, 2018.
[73] Zhi Wang, Xuxian Jiang, Weidong Cui, Xinyuan Wang, and Mike Grace. Reformat: Automatic reverse engineering of encrypted messages. In ESRCS, pages 200–215. Springer, 2009.
[74] Wei-Ming Hu. Reducing timing channels with fuzzy time. Journal of computer security, 1(3-4):233–254, 1992.
[75] Samira Briongos, Gorka Irazoqui, Pedro Malag´on, and Thomas Eisenbarth. Cacheshield: Detecting cache attacks through self-observation. In DASP, 2018.
[76] Tianwei Zhang, Yinqian Zhang, and Ruby B Lee. Cloudradar: A real-time side-channel attack detection system in clouds. In RID. Springer, 2016.
[77] Marco Chiappetta, Erkay Savas, and Cemal Yilmaz. Real time detection of cache-based sidechannel attacks using hardware performance counters. ASC, 2016.
[78] Maria Mushtaq, Ayaz Akram, Muhammad Khurram Bhatti, Maham Chaudhry, Vianney Lapotre, and Guy Gogniat. Nights-watch: A cache-based side-channel intrusion detector using hardware performance counters. In HASSP, 2018.
[79] Samuel Ndichu, Seiichi Ozawa, Takeshi Misu, and Kouichirou Okada. A machine learning approach to malicious javascript detection using fixed length vector representation. In IJCNN. IEEE, 2018.
[80] Samuel Ndichu, Sangwook Kim, Seiichi Ozawa, Takeshi Misu, and Kazuo Makishima. A machine learning approach to detection of javascriptbased attacks using ast features and paragraph vectors. ASP, 2019.
[81] Paruj Ratanaworabhan, V Benjamin Livshits, and Benjamin G Zorn. Nozzle: A defense against heap-spraying code injection attacks. In USENIX, 2009.
[82] Charles Curtsinger, Benjamin Livshits, Benjamin Zorn, and Christian Seifert. Zozzle: Lowoverhead mostly static javascript malware detection. In USENIX, 2011.
[83] JM Howe and F Mereani. Detecting cross-site scripting attacks using machine learning. ISC, 2018.