Loophole: Timing Attacks on Shared Event Loops in Chrome

November 22, 2016

Pepe Vila

Time:   11:00am
Location:   Lecture hall 1, level B

Event-driven programming (EDP) is the prevalent paradigm for graphical user interfaces and web clients, and it is rapidly gaining importance for server-side and network programming. Central components of EDP are event loops, which act as FIFO queues that processes use to store and dispatch messages received from other processes. In this talk we demonstrate that shared event loops are vulnerable to side-channel attacks, where a spy process monitors the loop usage pattern of other processes by enqueueing events and measuring the time it takes for them to be dispatched. Specifically, we exhibit attacks against two central event loops in Google’s Chrome web browser: that of the I/O thread of the host process, which multiplexes all network events and user actions, and that of the main thread of the renderer processes, which handles rendering and JavaScript tasks. For each of these event loops, we demonstrate how the usage pattern can be monitored with high resolution and low overhead, and we show how the extracted information can be leveraged for (1) identifying a web page during the loading phase (where we achieve recognition rates of up to 65% among 500 main pages from Alexa’s Top sites), for (2) implementing cross-origin covert channels (where we achieve transmission rates of up to 200 bit/s), and for (3) visually identifying user behavior such as mouse movements or keystrokes.
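To make the leakage mechanism concrete, here is an added example that is not from the talk or from Chrome's code: a toy discrete-time model of a FIFO event loop in which a probe task's dispatch delay mirrors the work another process queued ahead of it. The names (EventLoop, observeLatencies, inferActivity, VICTIM_TRACE) and the activity trace are constructed, and the comparison with per-process loops shows why, in this model, separating the queues removes the signal.

```javascript
// Discrete-time model of a FIFO event loop. Costs are abstract ticks; the
// scheduler is a constructed simplification, not Chrome's implementation.
class EventLoop {
  constructor() { this.queue = []; this.now = 0; }
  // Enqueue a task; onDone (if given) receives how long the task waited.
  post(cost, onDone) { this.queue.push({ cost, onDone, enqueuedAt: this.now }); }
  // Dispatch every task queued so far, strictly in FIFO order.
  drain() {
    for (const t of this.queue.splice(0)) {
      if (t.onDone) t.onDone(this.now - t.enqueuedAt);
      this.now += t.cost; // the task occupies the loop for `cost` ticks
    }
  }
}

// Constructed victim activity: ticks of work enqueued per round (0 = idle),
// shaped like two short bursts, as a keystroke or rendering handler might cause.
const VICTIM_TRACE = [0, 0, 3, 3, 0, 0, 0, 5, 0, 0];

// One round per trace entry: the victim posts its work, then the observer
// posts a 1-tick probe and records its dispatch delay. With `shared` both sides
// use one loop, as on a shared renderer main thread; otherwise each has its own.
function observeLatencies(trace, shared) {
  const victimLoop = new EventLoop();
  const probeLoop = shared ? victimLoop : new EventLoop();
  const latencies = [];
  for (const work of trace) {
    if (work > 0) victimLoop.post(work, null);
    probeLoop.post(1, (waited) => latencies.push(waited));
    victimLoop.drain();
    probeLoop.drain(); // no-op when both names refer to the same loop
  }
  return latencies;
}

// What the observer learns: a round in which its probe was delayed is a round
// in which someone else's task sat ahead of it in the FIFO.
function inferActivity(latencies) {
  return latencies.map((l) => l > 0);
}

const shared = observeLatencies(VICTIM_TRACE, true);
const isolated = observeLatencies(VICTIM_TRACE, false);
console.log('shared loop   :', shared.join(' '));   // prints "0 0 3 3 0 0 0 5 0 0"
console.log('isolated loops:', isolated.join(' ')); // prints "0 0 0 0 0 0 0 0 0 0"
```

In the shared case the probe delays reproduce the victim's trace tick for tick; real measurements are noisier, which is why the talk reports recognition rates rather than exact recovery.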