Pool-Party: Exploiting Browser Resource Pools as Side-Channels for Web Tracking

We identify a new class of side-channels in browsers that are not mitigated by current defenses. This class of side-channels, which we call “pool-party” attacks, allows sites to create covert channels by manipulating limited-but-unpartitioned resource pools in browsers. We identify pool-party attacks in all popular browsers, and show they are practical cross-site tracking techniques. In this paper we make the following contributions: first, we describe pool-party side-channel attacks that exploit limits in application-layer resource pools in browsers. Second, we demonstrate that pool-party attacks are practical, and can be used to track users in all popular browsers; we also share open-source implementations of the attack and evaluate them through a representative web crawl. Third, we show that in Gecko-based browsers (including the Tor Browser Bundle) pool-party attacks can also be used for cross-profile tracking (e.g., linking user behavior across normal and private browsing sessions). Last, we discuss possible mitigations and defenses.
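The following toy model is an added illustration, not code from the paper or its open-source implementations. It shows why a capped pool that is shared across sites exposes one site's state to another, and why giving each site its own budget removes the signal. The `ResourcePool` class, the site names, the limit of 8 and per-site partitioning as the mitigation are all assumptions made for the example.

```javascript
// Toy model (constructed for illustration): a browser resource pool with a hard cap.
// partitioned=false: one global budget shared by every site.
// partitioned=true:  each site gets its own budget (assumed mitigation).
class ResourcePool {
  constructor(limit, partitioned) {
    this.limit = limit;
    this.partitioned = partitioned;
    this.held = new Map(); // site -> number of slots currently held
  }
  // Usage counted against `site`: its own slots if partitioned, everyone's if not.
  usedFor(site) {
    if (this.partitioned) return this.held.get(site) || 0;
    let total = 0;
    for (const n of this.held.values()) total += n;
    return total;
  }
  // Returns true if a slot was granted, false if the cap was hit.
  acquire(site) {
    if (this.usedFor(site) >= this.limit) return false;
    this.held.set(site, (this.held.get(site) || 0) + 1);
    return true;
  }
  releaseAll(site) { this.held.delete(site); }
}

// How many slots does `observer` get while `other` holds `otherHeld` slots?
function grantedTo(pool, observer, other, otherHeld) {
  pool.releaseAll(observer);
  pool.releaseAll(other);
  for (let i = 0; i < otherHeld; i++) pool.acquire(other);
  let granted = 0;
  while (pool.acquire(observer)) granted++;
  return granted;
}

// Leakage check: count distinct observations across every state of the other site.
// 1 means the observer learns nothing; more than 1 means cross-site state is visible.
function distinguishableStates(limit, partitioned) {
  const pool = new ResourcePool(limit, partitioned);
  const seen = new Set();
  for (let held = 0; held <= limit; held++) {
    seen.add(grantedTo(pool, "b.example", "a.example", held));
  }
  return seen.size;
}

console.log("unpartitioned:", distinguishableStates(8, false)); // 9
console.log("partitioned:  ", distinguishableStates(8, true));  // 1
```

The same check can be used as a regression test when auditing a pool implementation: any result above 1 means the pool's limit is observable across the partition boundary.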
