Trusted Browsers for Uncertain Times

Transcription

1 Trusted Browsers for Uncertain Times David Kohlbrenner and Hovav Shacham UC San Diego

2 Building a browser that can provably mitigate timing attacks

3 Trusted Browsers for Uncertain Times Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

4 Timing attacks Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

5 Browsers and timing attacks Browser has multiple privilege levels Browsers expose detailed information User secrets System secrets Origin secrets performance.now() getanimationframe() Browsers compute and communicate between levels

6 Timing attacks in web browsers SVG Filter cross-origin pixel stealing JavaScript cache timing attacks Fingerprinting History Sniffing

7 What is being done about it? - SVG attack

8 What is being done about it? - Cache attack

9 What is being done about it? - Cache attack

10 Unfortunately, this doesn t work.

11 Better clocks with edges Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

12 Rounding down the clock

13 Clock-edge technique

14 Clock-edge technique - performance.now()

15 Clock-edge technique - performance.now()

16 Implicit clocks in the browser Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

17 Implicit clocks - Techniques <video> frames Web Speech <video> played settimeout() CSS Animations WebVTT API XHRs with cooperating server

18 Implicit clocks - Techniques <video> frames Web Speech <video> played settimeout() CSS Animations WebVTT API XHRs with cooperating server Probably many many more!

19 Implicit clocks - WebVTT Subtitles for <video> elements Specified in a.vtt file WEBVTT 00:00: > 00:00: A very short duration subtitle Specifies arbitrary subtitles with 1ms granularity track.activecues returns all displayed subtitles

20 Implicit clocks - WebVTT

21 Implicit clocks - WebVTT and clock-edge

22 How to mitigate timing attacks Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

23 Degrade all clocks available to the attacker.

24 Fuzzy time for the VAX security kernel [A] collection of techniques that reduces the bandwidths of covert timing channels by making all clocks available to a process noisy. Reducing Timing Channels with Fuzzy Time Hu at Oakland 1991!

25 Covert channels Two clocks Modulated The channel Reference Wall clock, etc

26 Fuzzy time for the VAX security kernel VAX VMM Single thread per VM Clean VM interface All I/O is asynchronous

27 Fuzzy time - Problem Ineffective countermeasures to disk covert channel Cannot be closed Not auditable Added noise impractical No hardware solution Plenty of other potential shared buses

28 Fuzzy time - Solution reduce the accuracy and precision of system clocks randomly alter the timings of I/O operations

29 Fuzzy time - Solution Explicit clocks make the interval-timer interrupt random

30 Fuzzy time - Solution Explicit clocks make the interval-timer interrupt random

31 Fuzzy time - Solution Explicit clocks make the interval-timer interrupt random Implicit clocks [use] random clock ticks to make fuzzy the clocks derived from I/O operations Add new buffers for all I/O operations

32 Fuzzy time - Solution guarantees Degraded clocks Time granularity Limit the bandwidth g Bounded channel bandwidth For any timing covert channel ~

33 Fuzzy time - I/O queuing Currently queued Active Active Active Next queue Response queue

34 Fuzzy time - I/O queuing Currently queued Active Active Active Next queue Response queue

35 Fuzzy time - I/O queuing Currently queued Active Active Active Next queue Response queue

36 Fuzzy time - I/O queuing Response queue Currently queued Active Active Next queue

37 Fuzzy time - I/O queuing Response queue Currently queued Active Next queue

38 Fuzzy time - I/O queuing Response queue Currently queued Active Active Next queue Active

39 Fuzzy time - I/O queuing Response queue Currently queued Active Active Next queue Active

40 Fuzzy time - I/O queuing Response queue Currently queued Active Active Next queue Active

41 Fuzzy time - I/O queuing Response queue Currently queued Active Active Next queue Active

42 Fermata Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

43 Fermata - Why adapt fuzzy time? Degrade clocks Slow down attacks Verifiability Browsers are uniquely well suited

44 Fermata - Fuzzy time for browsers Adapt the VAX fuzzy time model to JS etc! Put all I/O operations into queues Make all the explicit clocks fuzzy Prove everything falls into a fuzzy time defense th t! i w ip t Bu Scr va a J

45 Fermata - Fuzzy time for browsers Adapt the VAX fuzzy time model to JS etc! Put all I/O operations into queues Make all the explicit clocks fuzzy Prove everything falls into a fuzzy time defense Change all DOM accesses to be asynchronous! th t! i w ip t Bu Scr va a J

46 Fuzzyfox Rationale and design Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

47 Why we didn t build Fermata 1. We didn t know if it would work 2. We didn t know what to start with 3. We want to push mitigations to real browsers

48 Fuzzyfox Patch set on trunk Mozilla Firefox Supports multiple clock granularities Tested 0.5ms to 100ms Fully fuzzes explicit clocks Breaks main thread into ticks Delays outgoing HTTP request start

49 Fuzzyfox - Main thread queuing Current queue Next queue

50 Fuzzyfox - Main thread queuing Current queue Active Next queue

51 Fuzzyfox - Main thread queuing Current queue Active Next queue

52 Fuzzyfox - Main thread queuing Current queue Active Next queue

53 Fuzzyfox - Main thread queuing Current queue Active Pause Next queue

54 Fuzzyfox - Main thread queuing Current queue Active Next queue Pause

55 Fuzzyfox - Main thread queuing Current queue Active Pause

56 Fuzzyfox - Main thread queuing Current queue Active Pause

57 Fuzzyfox - Main thread queuing Current queue Active Pause

58 Fuzzyfox - Main thread queuing Current queue Pause

59 Fuzzyfox - Main thread queuing Current queue Pause Pause

60 Fuzzyfox - Main thread queuing Current queue Pause Active Pause

61 Fuzzyfox - Main thread queuing Current queue Pause Active Pause

62 Fuzzyfox - Main thread queuing Queue 1 Pause Queue 2 Active Pause Queue 3

63 Fuzzyfox - Main thread queuing Current queue Epoch Pause Active Epoch Pause Epoch

64 Fuzzyfox - Main thread queuing Current queue Epoch Pause Active Epoch Pause Epoch

65 Fuzzyfox - Main thread queuing Sleep Update clocks Flush queues Schedule next pause Current queue Epoch Pause Active Epoch Pause Epoch

66 Fuzzyfox Effectiveness Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

67 Fuzzyfox - Effectiveness - Explicit - performance.now() Firefox Fuzzyfox

68 Fuzzyfox - Effectiveness - Implicit - WebVTT clock Firefox Fuzzyfox

69 Fuzzyfox Performance Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

70 Fuzzyfox - Performance Micro performance Macro performance Synthetic microbenchmark page load times Real website load times Interactivity User study

71 Fuzzyfox - Performance Micro performance Macro performance Synthetic microbenchmark page load times Real website load times Interactivity User study

72 Fuzzyfox - Performance - Micro benchmarks Page load times As reported by onload() Measured effects of Sequential resource loads Parallel resource loads

73 Fuzzyfox - Performance - Sequential loads

74 Fuzzyfox - Performance vs Tor Browser

75 Takeaways Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

76 Timing attacks Rounding clocks doesn t work Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

77 Fuzzy time Secure operating systems tech Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

78 Fermata A different design for the browser Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

79 Fuzzyfox Defenses that can work and that we can deploy Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

80 Takeaways This material is based upon work supported by the National Science Foundation and by a gift from Mozilla. We thank Kyle Huey, Patrick McManus, Eric Rescorla, and Martin Thomson at Mozilla for helpful discussions about this work, and for sharing their insights with us about Firefox internals. Time and web browsers Mitigating attacks A trusted browser A (less) trusted browser

81 Fuzzyfox - Effectiveness - Explicit - performance.now() Firefox Fuzzyfox

82 Fuzzyfox - Effectiveness - Implicit - WebVTT clock Firefox Fuzzyfox

83 Performance - Micro benchmarks - Sequential loads

84 Performance - Micro benchmarks - Tor Browser

85 Performance - Load times* - Google search