Trusted Browsers for Uncertain Times

JavaScript in one origin can use timing channels in browsers to learn sensitive information about a user’s interaction with other origins, violating the browser’s compartmentalization guarantees. Browser vendors have attempted to close timing channels by trying to rewrite sensitive code to run in constant time and by reducing the resolution of reference clocks. We argue that these ad-hoc efforts are unlikely to succeed. We show techniques that increase the effective resolution of degraded clocks by two orders of magnitude, and we present and evaluate multiple new implicit clocks: techniques by which JavaScript can time events without consulting an explicit clock at all. We show how “fuzzy time” ideas from the trusted operating systems literature can be adapted to building trusted browsers, degrading all clocks and reducing the bandwidth of all timing channels. We describe the design of a next-generation browser, called Fermata, in which all timing sources are completely mediated. As a proof of feasibility, we present Fuzzyfox, a fork of the Firefox browser that implements many of the Fermata principles within the constraints of today’s browser architecture. We show that Fuzzyfox achieves sufficient compatibility and performance for deployment today by privacy-sensitive users.
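To make the “fuzzy time” idea concrete, here is an added illustration (not Fuzzyfox or Fermata code) of a reference clock that only advances at randomly spaced tick boundaries, together with a simulated observer that tries to tell a fast operation from a slow one using that clock. It assumes a simulated microsecond counter as the true clock and a seeded PRNG (mulberry32) in place of the browser’s random source so the run is reproducible.

```javascript
// Seeded PRNG standing in for the browser's random source (reproducible runs).
function mulberry32(a) {
  return function () {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Fuzzy-time clock: its value only changes at tick boundaries spaced randomly
// between 0.5 and 1.5 grains apart. Between boundaries the caller sees the time
// of the last boundary, so an interval shorter than a grain is observed as
// either 0 or roughly one grain, depending on where the boundaries fell.
// A grain of 0 is the undegraded (true) clock, for comparison.
class FuzzyClock {
  constructor(grainUs, rand) {
    this.grain = grainUs;
    this.rand = rand;
    this.visible = 0;
    this.nextTick = grainUs * rand(); // first boundary at a random offset
  }
  now(trueUs) {
    if (this.grain === 0) return trueUs;
    while (trueUs >= this.nextTick) {
      this.visible = this.nextTick;
      this.nextTick += this.grain * (0.5 + this.rand());
    }
    return this.visible;
  }
}

// Fraction of trials in which an observer, timing a secret-dependent operation
// (fastUs or slowUs) with the given clock, guesses the secret correctly.
// 1.0 means the channel leaks the bit every time; 0.5 means it carries nothing.
function distinguishAccuracy(grainUs, fastUs, slowUs, trials, seed) {
  const rand = mulberry32(seed);
  const clock = new FuzzyClock(grainUs, rand);
  const threshold = (fastUs + slowUs) / 2;
  let correct = 0;
  let t = 0; // simulated true time in microseconds
  for (let i = 0; i < trials; i++) {
    const slow = rand() < 0.5; // the one-bit secret under observation
    const duration = slow ? slowUs : fastUs;
    t += 10 * Math.max(grainUs, slowUs) * rand(); // random gap between trials
    const elapsed = clock.now(t + duration) - clock.now(t);
    if ((elapsed > threshold) === slow) correct++;
    t += duration;
  }
  return correct / trials;
}
```

With the true clock the 20 µs vs 60 µs difference is recovered in every trial; with a 1 ms grain the observer does little better than guessing, which is the bandwidth reduction the abstract refers to.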
