Opened 4 years ago

Last modified 23 months ago

#17412 new defect

High-precision timestamps in JS

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: tbb-fingerprinting-time-highres
Cc: lhansen@…, gk

Description

Methods for high-precision timestamps in JavaScript are discussed here:

https://github.com/lars-t-hansen/ecmascript_sharedmem/issues/1

What sort of countermeasures could we introduce? Perhaps we will need to disable SharedArrayBuffers in Tor Browser?

Change History (5)

comment:1 Changed 4 years ago by lhansen

For the original shared memory issue (high-precision timer obtained by counting in shared memory), you could disable SharedArrayBuffer - this is easy, and unless shared memory becomes widely used it will impact few users. (However it's possible shared memory will become widely used simply because it creates a high-bandwidth communication channel between the main thread and a worker.)

Another solution that is discussed in that ticket is to manipulate the workers' thread affinity so that all workers are run on the same OS thread as the tab's main thread. Since Firefox multiplexes a single thread across all tabs, this amounts to running all workers on the main thread as well (but preemptively). As an even more elaborate countermeasure, it's probable that the thread affinity could be manipulated like that only for workers that receive a shared memory object - that's probably the sweet spot.

Note however that there are other problems brought up in that thread - there's a report (unconfirmed so far) that Web Audio provides access to (racy) shared memory that could be used in the same way, and several of us have tried to construct high-resolution timers from low-resolution timers, with varying success. Adding jitter to the high-resolution timers such as performance.now in addition to reducing its resolution will probably be a good start.

comment:2 in reply to:  1 ; Changed 4 years ago by gk

Replying to lhansen:

Adding jitter to the high-resolution timers such as performance.now in addition to reducing its resolution will probably be a good start.

That's already done by us in #1517. Note, however, that this does not seem to be enough. We have #16110 for the remaining issues. I wonder if we should just dupe this one over to it.

comment:3 Changed 4 years ago by gk

Cc: gk added
Keywords: tbb-fingerprinting-time-highres added

comment:4 in reply to:  2 Changed 4 years ago by lhansen

Replying to gk:

Replying to lhansen:

Adding jitter to the high-resolution timers such as performance.now in addition to reducing its resolution will probably be a good start.

That's already done by us in #1517. Note, however, that this does not seem to be enough. We have #16110 for the remaining issues.

Ah, helpful. Thanks.

I wonder if we should just dupe this one over to it.

I've no direct opinion on that but want to point out that the "clocks" created by counting in shared memory probably need not depend on any kind of actual time source, at least not for some kinds of attacks, and so will need a separate kind of mitigation, as discussed above.

comment:5 Changed 23 months ago by cypherpunks

shared memory counter (SMC), relies on an experimental feature that allows for sharing of memory between JavaScript’s web workers. SMC builds a high-resolution counter that can be used to reliably implement AnC in all the browsers that implement it.

http://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf
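
The mitigation named in comments 1 and 2 (reduced resolution plus jitter on a clock such as performance.now), shown as an added example that is not part of the ticket and not Tor Browser's code. The 100 ms resolution, the seed, and the `mix32`, `clampOnly`, `clampWithJitter` and `tickEdges` names are assumptions made for illustration; it runs on simulated raw times to show where each clock's visible tick edges fall.

```javascript
// Added example (not Tor Browser code). RESOLUTION_MS, SEED and mix32 are
// assumptions chosen for illustration.
const RESOLUTION_MS = 100;
const SEED = 0x5eed1234; // constructed value; stands in for a per-session secret

// Non-cryptographic 32-bit mixer standing in for a keyed hash.
function mix32(x, seed) {
  let h = (x ^ seed) >>> 0;
  h = Math.imul(h ^ (h >>> 16), 0x45d9f3b);
  h = Math.imul(h ^ (h >>> 16), 0x45d9f3b);
  return (h ^ (h >>> 16)) >>> 0;
}

// Reduced resolution only: every tick falls on a multiple of the resolution,
// so the moment a tick is observed reveals the raw time exactly.
function clampOnly(rawMs, resolution = RESOLUTION_MS) {
  return Math.floor(rawMs / resolution) * resolution;
}

// Reduced resolution plus jitter: each bucket gets a secret midpoint. Raw
// times before it report the bucket start, later ones the next bucket start.
// The result stays monotonic and is stable for repeated reads of one instant.
function clampWithJitter(rawMs, seed = SEED, resolution = RESOLUTION_MS) {
  const bucket = Math.floor(rawMs / resolution);
  const midpoint = mix32(bucket, seed) % resolution; // 0 .. resolution-1
  const offset = rawMs - bucket * resolution;
  return (offset >= midpoint ? bucket + 1 : bucket) * resolution;
}

// Raw times (sampled every stepMs) at which a clock's reported value changes.
function tickEdges(clock, fromMs, toMs, stepMs = 1) {
  const edges = [];
  let prev = clock(fromMs);
  for (let t = fromMs + stepMs; t <= toMs; t += stepMs) {
    const cur = clock(t);
    if (cur !== prev) edges.push(t);
    prev = cur;
  }
  return edges;
}

// Constructed run over two seconds of simulated raw time.
const plainEdges = tickEdges((t) => clampOnly(t), 0, 2000);
const jitterEdges = tickEdges((t) => clampWithJitter(t), 0, 2000);
console.log("clamp only  :", plainEdges.map((e) => e % RESOLUTION_MS).join(" "));
console.log("with jitter :", jitterEdges.map((e) => e % RESOLUTION_MS).join(" "));
```

As comment 4 points out, a counter incremented in shared memory does not read any clock, so a wrapper like this has no effect on it.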
