Slashdot Mirror


New Javascript Attack Lets Websites Spy On the CPU's Cache

An anonymous reader writes: Bruce Upbin at Forbes reports on a new and insidious way for a malicious website to spy on a computer. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. The exploit, which the researchers are calling "the spy in the sandbox," is a form of side-channel attack. Side-channel attacks were previously used to break into cars, steal encryption keys and ride the subway for free, but this is the first time they've been targeted at innocent web users. The attack requires little in the way of cost or time on the part of the attacker; there's nothing to install and no need to break into hardened systems. All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker.

4 of 134 comments

  1. {yos | vpk | simha | angelos}@cs.columbia.edu by NotInHere · · Score: 3, Insightful

    What has become of the bash-style mail address combination?

  2. Re:all they have to do is lure them to a webpage by michelcolman · · Score: 3, Insightful

    Wow, it actually knows whether or not you moved the mouse, that's mega-hyper-dangerous! And the fact that you sent or received some unknown data over the network! Think of the possibilities!

    I know side channel attacks have been used to extract AES keys, but that's like saying you can use a miniature matchbox car to transport hundreds of people at 300 km/h because things with wheels have been demonstrated to be capable of doing that.

    The resolution of the detection system is cache lines, which are pretty big, and even though they are using system timers with nanosecond precision, the actual sampling rate was a few hundred Hz. Good luck finding an AES key that way.

    The covert channel is the only example that might be useful in very extraordinary circumstances: if the required apps are running on two VMs on the same machine, they can send data from one VM to the other. But on the other hand, aren't there plenty of other ways to do that? If you've already lured them onto an infection website, chances are the VMs are... connected to the internet and able to communicate that way.

    So, unless I missed something, I don't think this is worth losing a lot of sleep over. Feel free to enlighten me if I'm wrong.
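The timer-resolution point raised in the comment above is where the practical browser mitigation acts: coarsening the clock a page can read. As an added example, not code from the thread or the paper, the JavaScript below implements a performance.now() clamp with optional jitter and checks whether a constructed cache-hit versus cache-miss gap (50 ns vs 300 ns, assumed values) survives a 5 µs grid; all function names, resolutions and sample timestamps are assumptions.

```javascript
// Added example (not from the thread or the paper): a timer-coarsening wrapper
// of the kind browsers adopted against cache timing probes. Values are in
// milliseconds to match performance.now(); grid sizes and samples are assumed.

// Round a raw timestamp (ms) down to a grid of `resolutionMs`. The arithmetic
// is done in integer nanoseconds so floating-point drift cannot leak a finer
// value than the grid.
function coarsen(rawMs, resolutionMs) {
  const resNs = Math.round(resolutionMs * 1e6);
  const rawNs = Math.round(rawMs * 1e6);
  return Math.floor(rawNs / resNs) * resNs / 1e6;
}

// Build a clamped replacement for performance.now(). `random` defaults to
// Math.random so the jitter is unpredictable; tests can inject a fixed source.
function makeClampedNow(nowFn, resolutionMs, jitterMs = 0, random = Math.random) {
  return () => {
    const jitter = jitterMs > 0 ? random() * jitterMs : 0;
    return coarsen(nowFn() + jitter, resolutionMs);
  };
}

// Report whether two intervals measured from `startMs` still differ once
// every timestamp is clamped to `resolutionMs` (i.e. whether a hit/miss
// gap remains observable to a page on that timer).
function distinguishable(startMs, fastEndMs, slowEndMs, resolutionMs) {
  const start = coarsen(startMs, resolutionMs);
  const fast = coarsen(fastEndMs, resolutionMs) - start;
  const slow = coarsen(slowEndMs, resolutionMs) - start;
  return fast !== slow;
}

// Constructed sample: a probe starting at 100.5 ms that ends 50 ns later on
// a cache hit and 300 ns later on a miss.
const start = 100.5, hitEnd = 100.50005, missEnd = 100.5003;
console.log('1 ns grid:', distinguishable(start, hitEnd, missEnd, 0.000001)); // true
console.log('5 us grid:', distinguishable(start, hitEnd, missEnd, 0.005));    // false
```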

  3. Re:Immune? by scrib · · Score: 3, Insightful

    Considering what many websites consider "working" to be, "breaking" many sites IS the win.
    I use NoScript all the time, easily whitelist the few sites I WANT to "work" and things work so much better.
    I get on a computer without NoScript and I am astonished by all the cruft that passes for content. Use NoScript for a week and you won't go back.

    --
    Help! Help! I'm being repressed!

  4. Re:Link to original paper by Anonymous Coward · · Score: 3, Insightful

    Hopefully you're aware by now that not all papers on arXiv have been peer reviewed.
    Linking to Forbes instead of arXiv shows that important people are taking the paper seriously.

    Analogy time: There's no reason for anyone to bother reading one of the thousands of P vs NP proofs posted on arXiv, but we occasionally care when a famous CS prof says "shit, this might be right." When that happens, you'll see a link on Slashdot to the professor's university page that links to the arXiv page. (Btw, so far they've all been wrong.)