In Search of Lost Time: A Review of JavaScript Timers in Browsers
2021-07-07, 15:20–15:55 (Europe/Paris), Zoom room

JavaScript-based timing attacks have been extensively studied over the last few years. They rely on subtle timing differences to infer information that should not be available inside the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks multiplied in recent years, so did the countermeasures, in a cat-and-mouse fashion.

In this presentation, we present the evolution and current state of timing attacks in browsers, as well as statistical tools to characterize the timers available to a script. Our goal is to give a clear view of the attack surface: what the main prerequisites and classes of browser-based timing attacks are, and what the main countermeasures are. We focus on determining to what extent the changes in timing-based countermeasures affect browser security. In particular, we show that the shift toward protecting against transient execution attacks has re-enabled other attacks, such as microarchitectural side-channel attacks, with a higher bandwidth than was possible just two years ago.

This research was done in collaboration with Clémentine Maurice and Pierre Laperdrix, and was published at the EuroS&P 2021 conference.

Variations in computation time can reveal information about the state of a system. Research has uncovered a variety of side and covert channels that allow attackers to extract secrets or track user behavior. Timing attacks can target different components of the microarchitecture, e.g., the cache or DRAM, and are purely software-based. These attacks have two common prerequisites: they run code on the victim's hardware, and they rely on high-resolution timers that can distinguish timing variations on the order of 100 ns. Most timing attacks are implemented in native code, which gives the attacker fine control over memory and access to cycle-accurate timers (such as the rdtsc instruction on x86).

In contrast, JavaScript is a high-level, object-oriented scripting language (interpreted and JIT-compiled by modern engines) following the ECMAScript standard. Unlike native code, JavaScript is much easier to run on a victim's system, as it is a major component of the web, used by billions of people every day. Almost all websites use JavaScript to execute code on the client side, and by visiting a single page a client can download and execute dozens of different scripts. For security purposes, JavaScript runs inside a sandboxed environment that denies access to local files, virtual or physical memory addresses, and native instructions. These restrictions make microarchitectural attacks harder to implement, but not impossible: fully JavaScript-based timing attacks, running entirely in the browser, have been demonstrated despite the sandbox restrictions. They include cache attacks, attacks on shared software resources, and even transient execution attacks such as Spectre.

To mitigate JavaScript-based timing attacks, browser vendors developed countermeasures specifically targeting timers. Notably, they reduced the resolution of timers to make them less precise and introduced jitter to add noise to measurements. Other security features, such as site isolation, were added to reinforce browser security and act as a new line of defense against timing attacks. Once these features shipped, browser vendors re-enabled access to high-resolution timers (and to SharedArrayBuffer, from which one can be built). Amid all these changes, it can be hard to keep track of the different evolutions that browsers have undergone. In particular, it is unclear how the attacks described in the literature are affected by current countermeasures.

In this presentation, we will introduce the various ways to build high-resolution timers in JavaScript. Then, we will present the major classes of browser-based timing attacks, followed by the browser-side countermeasures. Finally, we will evaluate the effectiveness of successive countermeasures in recent releases of Firefox and Chrome.

I'm a French PhD student at IRISA Rennes, in the SPICY team. I currently work on microarchitectural attacks, particularly those based on JavaScript.