From bottom to top: Exploiting hardware side channels in web browsers

Transcription

1 From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France

2 Rennes Graz Clémentine Maurice PhD since October 2015 from Rennes, France now postdoc at TU Graz, Austria Secure Systems group + Secure Systems team: Daniel Gruss, Michael Schwarz, Peter Pessl 2

3 Introduction safe software infrastructure does not mean safe execution 3

4 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware 3

5 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware these vulnerabilities can also be exploited at a high level 3

6 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware these vulnerabilities can also be exploited at a high level like a web browser 3

7 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware these vulnerabilities can also be exploited at a high level like a web browser because JavaScript is nothing more than code executing on your machine :) 3

8 Outline 1. What are micro-architectural side channels? 4

9 Outline 1. What are micro-architectural side channels? 2. How can I use DRAM to create a covert channel? 4

10 Outline 1. What are micro-architectural side channels? 2. How can I use DRAM to create a covert channel? 3. How can I do that in JavaScript?! 4

11 Sources of leakage no bug in the sense of a mistake lots of performance optimizations 5

12 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks 5

13 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks 5

14 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks targeted attacks, physical access 5

15 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks targeted attacks, physical access via shared hardware and microarchitecture 5

16 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks targeted attacks, physical access via shared hardware and microarchitecture remote attacks 5

17 Shared hardware shared hardware memory CPU DRAM memory bus branch prediction unit arithmetic logic unit data and instruction cache 6

18 DRAM and side channels

19 DRAM organization 7

20 DRAM organization channel 0 channel 1 7

21 DRAM organization back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 7

22 DRAM organization back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 chip 7

23 DRAM organization bank 0 chip row 0 row 1 row 2... row row buffer 8

24 DRAM organization bank 0 chip row 0 row 1 row 2... row row buffer 64k cells 1 capacitor, 1 transitor each 8

25 DRAM row buffer DRAM internally is only capable of reading entire rows 9

26 DRAM row buffer DRAM internally is only capable of reading entire rows capacitors in cells discharge when you read the bits buffer the bits when reading them from the cells write the bits back to the cells when you re done 9

27 DRAM row buffer DRAM internally is only capable of reading entire rows capacitors in cells discharge when you read the bits buffer the bits when reading them from the cells write the bits back to the cells when you re done row buffer 9

28 How reading from DRAM works DRAM bank CPU wants to access row row buffer 10

29 How reading from DRAM works activate DRAM bank CPU wants to access row 1 row 1 activated row buffer 10

30 How reading from DRAM works DRAM bank CPU wants to access row 1 row 1 activated row 1 copied to row buffer copy row buffer 10

31 How reading from DRAM works return DRAM bank CPU wants to access row 1 row 1 activated row 1 copied to row buffer row buffer 10

32 How reading from DRAM works DRAM bank CPU wants to access row row buffer 10

33 How reading from DRAM works activate DRAM bank CPU wants to access row 2 row 2 activated row buffer 10

34 How reading from DRAM works DRAM bank CPU wants to access row 2 row 2 activated row 2 copied to row buffer copy row buffer 10

35 How reading from DRAM works return DRAM bank CPU wants to access row 2 row 2 activated row 2 copied to row buffer row buffer 10

36 How reading from DRAM works DRAM bank CPU wants to access row 2 row 2 activated row 2 copied to row buffer slow (row conflict) row buffer 10

37 How reading from DRAM works DRAM bank CPU wants to access row 2 again row buffer 10

38 How reading from DRAM works DRAM bank CPU wants to access row 2 again row 2 already in row buffer row buffer 10

39 How reading from DRAM works return DRAM bank CPU wants to access row 2 again row 2 already in row buffer row buffer 10

40 How reading from DRAM works DRAM bank CPU wants to access row 2 again row 2 already in row buffer fast (row hit) row buffer 10

41 How reading from DRAM works DRAM bank row buffer = cache row buffer 10

42 DRAM timing differences Cache hit Cache miss, row hit Cache miss, row conflict 10 7 Number of cases Access time [CPU cycles] 11

43 DRAM timing differences Cache hit Cache miss, row hit Cache miss, row conflict 10 7 Number of cases Access time [CPU cycles] 11

44 DRAM side channels? row buffers are caches 12

45 DRAM side channels? row buffers are caches we can observe timing differences 12

46 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? 12

47 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? target addresses in the same channel, rank and bank 12

48 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? target addresses in the same channel, rank and bank but DRAM mapping functions are undocumented 12

49 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? target addresses in the same channel, rank and bank but DRAM mapping functions are undocumented we reverse-engineered them! P. Pessl et al. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In: USENIX Security Symposium

50 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks 13

51 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs 13

52 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs covert channels and side-channel attacks 13

53 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs covert channels and side-channel attacks covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs 13

54 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs covert channels and side-channel attacks covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs side-channel attack: one malicious process spies on benign processes e.g., spies on keystrokes 13

55 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i row buffer 14

56 DRAMA covert channel activate DRAM bank... copy sender and receiver agree on one bank receiver continuously accesses a row i row 0 0 buffer

57 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits row 0 0 buffer

58 DRAMA covert channel activate DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits 1 sender accesses row j i copy row 0 0 buffer

59 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits 1 sender accesses row j i row 0 0 buffer

60 DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i activate... copy case #1: sender transmits 1 sender accesses row j i next receiver access copy row buffer row 0 0 buffer

61 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits 1 sender accesses row j i next receiver access copy row buffer slow row 0 0 buffer

62 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits row 0 0 buffer

63 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits 0 sender does nothing row 0 0 buffer

64 DRAMA covert channel activate DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits 0 sender does nothing next receiver access already in buffer row 0 0 buffer

65 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits 0 sender does nothing next receiver access already in buffer fast row 0 0 buffer

66 Two applications can covertly communicate with each other But can we use that for spying?

67 DRAMA side-channel attacks DRAM bank... spy and victim share a row i row buffer 16

68 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer row 0 0 buffer

69 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer victim accesses row i, copy to row buffer row 0 0 buffer

70 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer victim accesses row i, copy to row buffer spy accesses row i, no copy row 0 0 buffer

71 DRAMA side-channel attacks DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer victim accesses row i, copy to row buffer spy accesses row i, no copy fast row 0 0 buffer

72 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer row 0 0 buffer

73 DRAMA side-channel attacks DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer no victim access on row i row 0 0 buffer

74 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer no victim access on row i spy accesses row i, copy to row buffer row 0 0 buffer

75 DRAMA side-channel attacks DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer no victim access on row i spy accesses row i, copy to row buffer slow row 0 0 buffer

76 Spying on keystrokes on the Firefox URL bar side-channel: template attack allocate a large fraction of memory to be in a row with the victim profile memory and record row-hit ratio for each address 300 Access time w w w. f a c e b o o k. c o m Time in seconds 17

77 I m sure we ll need to write a lot of C code At least we re safe with JavaScript!

78 Member Rowhammer.js?

79 DRAM covert channels in JavaScript?

80 Why JavaScript? JavaScript is code executed in a sandbox 20

81 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? 20

82 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? except side channels are only doing benign operations 20

83 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? except side channels are only doing benign operations 1. accessing their own memory 20

84 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? except side channels are only doing benign operations 1. accessing their own memory 2. measuring time 20

85 Challenges with JavaScript 1. No knowledge about physical addresses 2. No instruction to flush the cache 3. No high-resolution timers 21

86 #1. No knowledge about physical addresses OS optimization: use Transparent Huge Pages (THP, 2MB pages) = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address 22

87 #1. No knowledge about physical addresses OS optimization: use Transparent Huge Pages (THP, 2MB pages) = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address which JS array indices? 22

88 #1. Obtaining the beginning of a THP Access time [ns] Array index [MB] physical pages for these THPs are mapped on-demand page fault when an allocated THP is accessed for the first time D. Gruss et al. Practical Memory Deduplication Attacks in Sandboxed JavaScript. In: ESORICS

89 #1. Choosing physical addresses we now know the last 21 bits of physical addresses enough for most systems, e.g., Sandy Bridge with DDR3 BA0 BA1 BA2 Rank Ch. 24

90 #2. No instruction to flush the cache CPU core CPU cache DRAM measure DRAM timing only non-cached accesses reach DRAM no clflush instruction evict data with other memory accesses 25

91 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

92 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

93 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

94 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

95 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

96 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

97 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

98 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

99 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

100 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses cache set it s a bit more complicated than that: replacement policy is not LRU D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

101 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses cache set it s a bit more complicated than that: replacement policy is not LRU but we already solved this problem before :) D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA

102 #3. High-resolution timers? measure small timing differences: need a high-resolution timer 27

103 #3. High-resolution timers? measure small timing differences: need a high-resolution timer native: rdtsc, timestamp in CPU cycles 27

104 #3. High-resolution timers? measure small timing differences: need a high-resolution timer native: rdtsc, timestamp in CPU cycles JavaScript: performance.now() has the highest resolution 27

105 #3. High-resolution timers? measure small timing differences: need a high-resolution timer native: rdtsc, timestamp in CPU cycles JavaScript: performance.now() has the highest resolution performance.now() [...] represent times as floating-point numbers with up to microsecond precision. Mozilla Developer Network 27

106 High-resolution timers in JavaScript

107 It was better before before September 2015: performance.now() had a nanosecond resolution Y. Oren et al. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In: CCS

108 It was better before before September 2015: performance.now() had a nanosecond resolution Oren et al. demonstrated cache side-channel attacks in JavaScript Y. Oren et al. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In: CCS

109 It was better before before September 2015: performance.now() had a nanosecond resolution Oren et al. demonstrated cache side-channel attacks in JavaScript fixed in Firefox 41: rounding to 5 µs Y. Oren et al. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In: CCS

110 Microsecond precision? Firefox < 41 (1 ns)

111 Microsecond precision? Edge 38 (1 µs) 1 Firefox < 41 (1 ns)

112 Microsecond precision? W3C standard (5 µs) 5 Edge 38 (1 µs) 1 Firefox < 41 (1 ns)

113 Microsecond precision? 0 0 Firefox 41/Chrome/Safari (5 µs) W3C standard (5 µs) 5 5 Edge 38 (1 µs) 1 Firefox < 41 (1 ns)

114 Microsecond precision? 0 Tor (100 ms) Firefox 41/Chrome/Safari (5 µs) W3C standard (5 µs) Edge 38 (1 µs) Firefox < 41 (1 ns)

115 Microsecond precision? Fuzzyfox (100 ms) Tor (100 ms) Firefox 41/Chrome/Safari (5 µs) W3C standard (5 µs) Edge 38 (1 µs) Firefox < 41 (1 ns) D. Kohlbrenner et al. Trusted Browsers for Uncertain Times. In: USENIX Security Symposium

116 We can do better! microsecond resolution is not enough M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC

117 We can do better! microsecond resolution is not enough two approaches M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC

118 We can do better! microsecond resolution is not enough two approaches 1. recover a higher resolution from the available timer M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC

119 We can do better! microsecond resolution is not enough two approaches 1. recover a higher resolution from the available timer 2. build our own high-resolution timer M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC

120 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks 31

121 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks 31

122 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks

123 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks

124 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution 31

125 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution start measurement at clock edge 31

126 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution start measurement at clock edge increment a variable until next clock edge 31

127 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution start measurement at clock edge increment a variable until next clock edge Firefox/Chrome: 500 ns, Tor: 15 µs 31

128 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer 32

129 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer 32

130 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer f slow f fast 32

131 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer f slow f fast Padding Padding padding so the slow function crosses one more clock edge than the fast one 32

132 Recovering resolution: Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified 33

133 Recovering resolution: Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified nanosecond resolution 33

134 Recovering resolution: Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified nanosecond resolution Firefox/Tor: 2 ns, Edge: 10 ns, Chrome: 15 ns 33

135 Building a timer goal: counter that does not block main thread 34

136 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) 34

137 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation increase width of element as fast as possible 34

138 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation increase width of element as fast as possible timestamp = width of element 34

139 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation increase width of element as fast as possible timestamp = width of element but animation limited to 60 fps 16 ms resolution 34

140 Building a timer: Web worker JavaScript can spawn new threads called web worker 35

141 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing 35

142 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing let worker count and request timestamp in main thread 35

143 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing let worker count and request timestamp in main thread possibilities: postmessage, MessageChannel or BroadcastChannel 35

144 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing let worker count and request timestamp in main thread possibilities: postmessage, MessageChannel or BroadcastChannel microsecond resolution (even on Tor and Fuzzyfox) 35

145 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer 36

146 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data 36

147 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data no message passing overhead 36

148 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data no message passing overhead one dedicated worker for incrementing the shared variable 36

149 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data no message passing overhead one dedicated worker for incrementing the shared variable Firefox/Fuzzyfox: 2 ns, Chrome: 15 ns 36

150 Building a timer: Is it good enough? cache hit cache miss Number of cases Access time [SharedArrayBuffer increments] 37

151 Building a timer: Is it good enough? cache hit cache miss Number of cases Access time [SharedArrayBuffer increments] we can distinguish cache hits from cache misses (only 150 cycles difference)! 37

152 Take-away 38

153 Bonus: What else can we do with this? idea is not new: Wray (1992) we also exploited it in other contexts on ARM inside an SGX enclave J. C. Wray. An analysis of covert timing channels. In: Journal of Computer Security (1992), pp M. Lipp et al. ARMageddon: Cache Attacks on Mobile Devices. In: USENIX Security Symposium M. Schwarz et al. Malware Guard Extension: Using SGX to Conceal Cache Attacks. In: DIMVA

154 DRAM covert channels in JavaScript!

155 Setup sender: native application in a VM 40

156 Setup sender: native application in a VM receiver: JavaScript in a web page on the host 40

157 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank 40

158 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank sender and receiver select a different row inside this bank 40

159 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank sender and receiver select a different row inside this bank sender transmits 0 by doing nothing and 1 by causing row conflict 40

160 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank sender and receiver select a different row inside this bank sender transmits 0 by doing nothing and 1 by causing row conflict receiver measures access time for its row: fast 0, slow 1 40

161 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data 41

162 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data packet starts with a 2-bit preamble 41

163 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data packet starts with a 2-bit preamble data integrity checked by an error-detection code 41

164 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data packet starts with a 2-bit preamble data integrity checked by an error-detection code sequence bit indicates whether it is a retransmission or a new packet 41

165 Evaluation transmission of approximately 11 bits/s 42

166 Evaluation transmission of approximately 11 bits/s can be improved using 42

167 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits 42

168 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits error correction 42

169 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits error correction multithreading multiple banks in parallel 42

170 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits error correction multithreading multiple banks in parallel native code: 596 kbit/s cross CPU and cross VM 42

171 DRAM side-channel attack

172 Conclusion

173 Conclusion information leaks because of the underlying hardware 44

174 Conclusion information leaks because of the underlying hardware vulnerabilities exploitable at the browser level 44

175 Conclusion information leaks because of the underlying hardware vulnerabilities exploitable at the browser level running arbitrary JavaScript allows building high-resolution timers 44

176 Conclusion information leaks because of the underlying hardware vulnerabilities exploitable at the browser level running arbitrary JavaScript allows building high-resolution timers hard to mitigate without reducing functionality 44

177 Thank you!

178 From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France