Still don't really understand how it works - I put the reddit logo into your local storage and it only took 20ms to take it out again instead of 50ms so therefore you have reddit open in another tab?
Attacking website periodically makes random reads from a large file in localStorage. Other tabs and websites open have Javascript running that periodically performs operations that will result in SSD traffic. For example, GMail has a certain polling interval to check for new mail, and each request is going to result in a cache write that makes the SSD busy and delays other conflicting IO operations. Reddit checks for new chat messages. Large memory-heavy websites get paged out of RAM.
The pattern of IO operations that a website makes creates a fingerprint of interference with the IO ops that the attacking website is doing, showing up as differing amounts of latency as the SSD is periodically busy. This fingerprint can then be reconstructed to a specific website by training a CNN on it, basically using a neural net to classify a certain pattern of delays to the IO ops that other websites are doing.
In theory it makes sense, but it seems very noisy. Anything that makes absolutely zero requests or IO operations in the background (like say HN, or most old-school text sites) wouldn't show up, and would be indistinguishable from any other zero-request site. And having other sources of IOps on the same computer - say you're running an Ethereum client that's perpetually updating the blockchain, or you're downloading a bunch of torrents, or you've got DropBox and it's syncing your directory - would introduce noise that throws off the classifier.
Usually side channels get way stronger when exploited cooperatively. Think ad scripts embedded on multiple sites communicating with each other across tracking protection and other sandboxes, for example.
That’s timing the cache, that’s old stuff by know. As I understand, this writes a relatively large file („Gigabytes“) using this OPFS api, which is different from the „localStorage“ api.
This seems to use actual filesystem storage on the client, instead of living completely in memory (which may be reasonable given the size of files supported). This allows to actually time SSD IOPS latency by doing random reads.
Collected enough of these samples, together with the information of what else runs on the host, put that in the ML-Blender and the result will be able to tell you, with some accuracy, from a given set of samples, what’s running on the host.
I am sure i misunderstood some things because there are so many caches and unknowns in that setup that I struggle to understand how there could be any correlation, but that’s my understanding so far.
Wait, wait, wait: browsers allow websites to store junk on my drive? They take up gigabytes of memory and still write to disk on top of this? Without even asking whether the site can use local storage?
Years and years back when laptops still had HDDs, I had a script to put the Firefox profile &c on a ramdisk and sync it on reboots so that it didn't spin up the drive constantly. I guess I should have kept doing it.
Browsers have an absolute insane level of relatively unchecked permissions to do whatever they want on a client.
There's a lot of effort by browser developers to scope creep the browser into essentially being an OS-agnostic tech stack (one where, conveniently, code can be shipped across the network "as necessary", removing a lot of user agency for the software being ran); Chrome being the biggest driver of this, while Firefox has an extremely weak spine in trying to limit it.
It's fairly dire and I wouldn't be surprised if there's a lot more of these side channel attacks in a lot of web APIs.
My shortcut for launching "clean" Chromium session is `chromium --user-data-dir=$(mktemp -d)` -- each launch creates a new transient profile directory under /tmp, which is itself a RAM disk. Persistent settings are achieved by setting system-wide defaults in /etc/chromium, including using system-wide managed policy JSON.
> Wait, wait, wait: browsers allow websites to store junk on my drive?
Technically even a cookie is junk on your drive
> Without even asking whether the site can use local storage?
Would it be practical to ask permission for every site you visit? It would be better to periodically check the size of your home folder (where the browser profiles normally reside)
The funny part is that "put your browser profile on a ramdisk" used to sound like an obsessive performance tweak, and now it starts to look like a privacy mitigation
I’m skeptical of these side channel attacks that rely on training a neural network on specific controlled scenarios on controlled hardware. I believe that with enough time and effort and the perfect circumstances where the user is only visiting their website and doing one other thing that the network was trained on it can match.
It does not seem useful as a general purpose side channel vector.
It should be fairly easy to mitigate no? Simply add random access times. Localstorage doesn't need to be that fast. More generally I find it very annoying how much browsers allow by default (javascript, localstorage, gpu access etc.) - there's only a very limited amount of websites I want to be able to run gpu accelerated shaders.
I'm surprised their 1GB file wasn't cached entirely in RAM during the attack, eliminating the SSD from any timing. Do people keep their machines that heavily loaded that a file being constantly read from doesn't stay in the cache?
Why would it be a new way? Tracking via timing have always existed, you can also know browsing history of someone with some DNS trick, nothing really new, article is misleading with "new way", it's literally possible since a decade.
Why is everything like this? One must do backflips to thwart these attempts at surveillance. I am getting pretty tired of it and about to go full Stallman
Remember when the web was (almost) all static content and all browsers had to do was show it to you? When applications were native? We really need to go back.
40 comments
[ 2.6 ms ] story [ 60.8 ms ] threadAttacking website periodically makes random reads from a large file in localStorage. Other tabs and websites open have Javascript running that periodically performs operations that will result in SSD traffic. For example, GMail has a certain polling interval to check for new mail, and each request is going to result in a cache write that makes the SSD busy and delays other conflicting IO operations. Reddit checks for new chat messages. Large memory-heavy websites get paged out of RAM.
The pattern of IO operations that a website makes creates a fingerprint of interference with the IO ops that the attacking website is doing, showing up as differing amounts of latency as the SSD is periodically busy. This fingerprint can then be reconstructed to a specific website by training a CNN on it, basically using a neural net to classify a certain pattern of delays to the IO ops that other websites are doing.
In theory it makes sense, but it seems very noisy. Anything that makes absolutely zero requests or IO operations in the background (like say HN, or most old-school text sites) wouldn't show up, and would be indistinguishable from any other zero-request site. And having other sources of IOps on the same computer - say you're running an Ethereum client that's perpetually updating the blockchain, or you're downloading a bunch of torrents, or you've got DropBox and it's syncing your directory - would introduce noise that throws off the classifier.
Collected enough of these samples, together with the information of what else runs on the host, put that in the ML-Blender and the result will be able to tell you, with some accuracy, from a given set of samples, what’s running on the host.
I am sure i misunderstood some things because there are so many caches and unknowns in that setup that I struggle to understand how there could be any correlation, but that’s my understanding so far.
Years and years back when laptops still had HDDs, I had a script to put the Firefox profile &c on a ramdisk and sync it on reboots so that it didn't spin up the drive constantly. I guess I should have kept doing it.
It's a sad day when Arch users are right (again) https://wiki.archlinux.org/title/Firefox/Profile_on_RAM
There's a lot of effort by browser developers to scope creep the browser into essentially being an OS-agnostic tech stack (one where, conveniently, code can be shipped across the network "as necessary", removing a lot of user agency for the software being ran); Chrome being the biggest driver of this, while Firefox has an extremely weak spine in trying to limit it.
It's fairly dire and I wouldn't be surprised if there's a lot more of these side channel attacks in a lot of web APIs.
Technically even a cookie is junk on your drive
> Without even asking whether the site can use local storage?
Would it be practical to ask permission for every site you visit? It would be better to periodically check the size of your home folder (where the browser profiles normally reside)
It does not seem useful as a general purpose side channel vector.
Not really joking here.
https://hannesweissteiner.com/
https://hannesweissteiner.com/publications/frost/
I enjoyed his C Programming books for dummies series.
Damn, even Meta have joined the dark side?
Why do browsers need to do this? Feels like an edge case need, at best, that was likely just a cover for some power Google wanted to exploit.
Because every time they open up, the site gives them the F̶R̶O̶S̶T̶ cold shoulder.