TY - GEN
T1 - The clock is still ticking
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
AU - Van Goethem, Tom
AU - Joosen, Wouter
AU - Nikiforakis, Nick
N1 - Publisher Copyright: © 2015 ACM.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - Web-based timing attacks have been known for over a decade, and it has been shown that, under optimal network conditions, an adversary can use such an attack to obtain information on the state of a user in a cross-origin website. In recent years, desktop computers have given way to laptops and mobile devices, which are mostly connected over a wire-less or mobile network. These connections often do not meet the optimal conditions that are required to reliably perform cross-site timing attacks. In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user's state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms.
AB - Web-based timing attacks have been known for over a decade, and it has been shown that, under optimal network conditions, an adversary can use such an attack to obtain information on the state of a user in a cross-origin website. In recent years, desktop computers have given way to laptops and mobile devices, which are mostly connected over a wire-less or mobile network. These connections often do not meet the optimal conditions that are required to reliably perform cross-site timing attacks. In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user's state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms.
KW - Privacy
KW - Side-channel attacks
KW - Web-based attacks
UR - https://www.scopus.com/pages/publications/84954118576
U2 - 10.1145/2810103.2813632
DO - 10.1145/2810103.2813632
M3 - Conference contribution
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1382
EP - 1393
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 12 October 2015 through 16 October 2015
ER -