Researchers from the University of Michigan, the University of the Negev, and the University of Adelaide have discovered what appears to be the first browser-based side-channel attack built entirely from CSS and HTML.
The no-JavaScript attack has been found to work on most modern CPUs, including Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1. Interestingly, the results say that Apple's M1 and Samsung's Exynos chips can sometimes be more susceptible to these novel attacks.
At the outset, the researchers note that the common defence against cache-based side-channel attacks in browsers is to "disable or restrict the JavaScript functions deemed essential to carry out the attacks," and they set out to measure how effective that approach actually is.
Their work produced a new browser-based side-channel attack built only from CSS and HTML, which the authors describe as "architecturally agnostic" and which opens the door to "microarchitectural website fingerprint attacks". It also means that disabling JavaScript does not prevent this type of attack.
"To evaluate the effectiveness of this approach, in this paper we try to identify the JavaScript features that are essential to carry out a cache-based attack. We develop a sequence of attacks with progressively decreasing dependency on JavaScript features, which culminates in the first browser-based side-channel attack that is built entirely from cascading style sheets (CSS) and HTML, and that works even when script execution is completely blocked."
"Next, we demonstrate that bypassing JavaScript features makes our techniques architecturally agnostic, leading to microarchitectural website fingerprinting attacks that work on all hardware platforms, including Intel Core, AMD Ryzen, Samsung Exynos and Apple M1 architectures."
Although almost all architectures appear to be susceptible to the newly discovered attack, the paper says the newer Apple Silicon M1 and Samsung Exynos chips are "sometimes" weaker than Intel CPUs in this respect, possibly because of their cache design.
"Ironically, we show that our attacks are sometimes more effective on these new Apple and Samsung CPUs compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies."
Going further, the researchers found that the new attack worked to some extent even against hardened browsers such as Tor, DeterFox, and Chrome Zero. The paper was disclosed to Apple, Intel, AMD, Chrome, and Mozilla prior to publication. As for fixes, the researchers say that both software and hardware updates can address the vulnerability.