Opened 3 months ago

Last modified 2 months ago

#28621 new defect

Investigate "website fingerprinting through cache occupancy channel"

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: tom
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


See this paper:

Robust Website Fingerprinting Through the Cache Occupancy Channel
Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, Yuval Yarom
(Submitted on 17 Nov 2018)

Website fingerprinting attacks, which use statistical analysis on network traffic to compromise user privacy, have been shown to be effective even if the traffic is sent over anonymity-preserving networks such as Tor. The classical attack model used to evaluate website fingerprinting attacks assumes an on-path adversary, who can observe all traffic traveling between the user's computer and the Tor network. In this work we investigate these attacks under a different attack model, in which the adversary is capable of running a small amount of unprivileged code on the target user's computer. Under this model, the attacker can mount cache side-channel attacks, which exploit the effects of contention on the CPU's cache, to identify the website being browsed. In an important special case of this attack model, a JavaScript attack is launched when the target user visits a website controlled by the attacker. The effectiveness of this attack scenario has never been systematically analyzed, especially in the open-world model which assumes that the user is visiting a mix of both sensitive and non-sensitive sites. In this work we show that cache website fingerprinting attacks in JavaScript are highly feasible, even when they are run from highly restrictive environments, such as the Tor Browser. Specifically, we use machine learning techniques to classify traces of cache activity. Unlike prior works, which try to identify cache conflicts, our work measures the overall occupancy of the last-level cache. We show that our approach achieves high classification accuracy in both the open-world and the closed-world models. We further show that our techniques are resilient both to network-based defenses and to side-channel countermeasures introduced to modern browsers as a response to the Spectre attack.

Child Tickets

Change History (2)

comment:1 Changed 3 months ago by tom

Cc: tom added

comment:2 Changed 2 months ago by tom

I skimmed it. This one kind of sucks. There are no reasonable countermeasures. Page coloring looked interesting, but AFAICT that was an idea from the early 2000s that hasn't been revisited?

The 100ms resolution helps; but it isn't the complete answer (and I want to reduce it anyway if we can achieve the same security boundary using fuzzyfox.)

Maybe the answer is something more complicated? Degrading it dynamically (throttling) if we detect repeated calls and throw a permission prompt (with or without the doorhanger)?
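As an added illustration of the mitigation direction raised in comment 2 (this is example code written for this ticket page, not Tor Browser or Firefox code), the sketch below wraps a high-resolution clock in a coarsening layer: it clamps to a base granularity (100 ms, like the current clamp), degrades the granularity further when a script makes an unusual burst of timer calls, recovers once the burst stops, and keeps the returned values monotonic even while the granularity changes. The function name `makeCoarseClock`, the call budget, window length and the doubling policy are all assumptions chosen for the example; the permission-prompt half of the comment's idea is represented only by an `onThrottle` callback.

```javascript
'use strict';

// Added example: timer coarsening with dynamic degradation on repeated calls.
// `sourceNow` is an injected fine-grained clock (performance.now in a browser,
// a fake clock in tests). All thresholds below are assumed values for the demo.
function makeCoarseClock(sourceNow, opts = {}) {
  const baseResolution = opts.resolutionMs ?? 100;     // current Tor Browser-style clamp
  const maxResolution = opts.maxResolutionMs ?? 1000;  // never degrade beyond this
  const windowMs = opts.windowMs ?? 1000;              // accounting window (real time)
  const callBudget = opts.callsPerWindow ?? 50;        // calls per window before degrading
  const onThrottle = opts.onThrottle ?? (() => {});    // hook for a UI prompt / doorhanger

  let resolution = baseResolution;
  let windowStart = null;
  let callsInWindow = 0;
  let lastReturned = -Infinity;

  function now() {
    const raw = sourceNow();

    // Roll the accounting window. Recover to the base resolution only if the
    // previous window stayed within budget; a sustained burst stays degraded.
    if (windowStart === null || raw - windowStart >= windowMs) {
      if (callsInWindow <= callBudget) resolution = baseResolution;
      windowStart = raw;
      callsInWindow = 0;
    }

    callsInWindow += 1;
    if (callsInWindow === callBudget + 1) {
      // First call over budget in this window: double the granularity.
      resolution = Math.min(resolution * 2, maxResolution);
      onThrottle(resolution);
    }

    // Clamp to the current granularity.
    let coarse = Math.floor(raw / resolution) * resolution;

    // Changing the granularity mid-stream can make the clamped value go
    // backwards relative to an earlier answer; never expose that.
    if (coarse < lastReturned) coarse = lastReturned;
    lastReturned = coarse;
    return coarse;
  }

  return { now, resolutionMs: () => resolution };
}

// Demo: a burst of calls from a fake clock shows the degradation and recovery.
// Returns the resolutions observed at each stage so it can be checked.
function demoBurst() {
  let t = 0;
  const throttled = [];
  const clock = makeCoarseClock(() => t, {
    resolutionMs: 100, callsPerWindow: 5, windowMs: 1000,
    onThrottle: (r) => throttled.push(r),
  });
  const observed = [];
  for (let i = 0; i < 20; i++) { t += 10; clock.now(); }   // burst: 20 calls in 200 ms
  observed.push(clock.resolutionMs());                      // degraded to 200
  t += 1000; clock.now();                                   // next window, still over budget before
  observed.push(clock.resolutionMs());                      // stays 200
  t += 1000; clock.now();                                   // a quiet window passed
  observed.push(clock.resolutionMs());                      // back to 100
  return { observed, throttled };
}

module.exports = { makeCoarseClock, demoBurst };
```

The window is measured on the real clock, not on the coarse one, so a script cannot game the accounting by reading only the clamped values; and because the degradation is keyed on call volume rather than on any particular site, it imposes no cost on pages that read the timer a few times.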
