ABSTRACT
In this paper we examine the use of covert channels based on CPU load in order to achieve persistent user identification through browser sessions. In particular, we demonstrate that an HTML5 video, a GIF image, or CSS animations on a webpage can be used to force the CPU to produce a sequence of distinct load levels, even without JavaScript or any client-side code.
These load levels can be then captured either by another browsing session, running on the same or a different browser in parallel to the browsing session we want to identify, or by a malicious app installed on the device. To get a good estimation of the CPU load caused by the target session, the receiver can observe system statistics about CPU activity (app), or constantly measure time it takes to execute a known code segment (app and browser). Furthermore, for mobile devices we propose a sensor-based approach to estimate the CPU load, based on exploiting disturbances of the magnetometer sensor data caused by the high CPU activity.
Captured loads can be decoded and translated into an identifying bit string, which is transmitted back to the attacker. Due to the way loads are produced, these methods are applicable even in highly restrictive browsers, such as the Tor Browser, and run unnoticeably to the end user. Therefore, unlike existing ways of web tracking, our methods circumvent most of the existing countermeasures, as they store the identifying information outside the browsing session being targeted.
Finally, we also thoroughly evaluate and assess each presented method of generating and receiving the signal, and provide an overview of potential countermeasures.
- Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 674--689. Google ScholarDigital Library
- Ahmed Al-Haiqi, Mahamod Ismail, and Rosdiadee Nordin. 2014. A New Sensors-Based Covert Channel on Android. The Scientific World Journal 2014 (2014), 1--14.Google ScholarCross Ref
- D. Arp, E. Quiring, C. Wressnegger, and K. Rieck. 2017. Privacy Threats through Ultrasonic Side Channels on Mobile Devices. In 2017 IEEE European Symposium on Security and Privacy (EuroS P). 35--47.Google Scholar
- Mika Ayenson, Dietrich James Wambach, Ashkan Soltani, Nathan Good, and Chris Jay Hoofnagle. 2011. Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning. SSRN Electronic Journal (2011).Google Scholar
- RH Barker. 1953. Group synchronizing of binary digital systems. Communication theory (1953), 273--287.Google Scholar
- H. Bojinov, Y. Michalevsky, G. Nakibly, and D. Boneh. 2014. Mobile Device Identification via Sensor Fingerprinting. ArXiv e-prints (Aug. 2014). arXiv:cs.CR/1408.1416Google Scholar
- Swarup Chandra, Zhiqiang Lin, Ashish Kundu, and Latifur Khan. 2015. Towards a Systematic Study of the Covert Channel Attacks in Smartphones. In International Conference on Security and Privacy in Communication Networks, Jing Tian, Jiwu Jing, and Mudhakar Srivatsa (Eds.). Springer International Publishing, Cham, 427--435.Google ScholarCross Ref
- Anupam Das, Nikita Borisov, and Matthew Caesar. 2014. Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 441--452. Google ScholarDigital Library
- Sanorita Dey, Nirupam Roy, Wenyuan Xu, Romit Roy Choudhury, and Srihari Nelakuditi. 2014. AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable. In Proceedings of the 2014 Network and Distributed System Security Symposium. Internet Society.Google ScholarCross Ref
- Peter Eckersley. 2010. How Unique Is Your Web Browser?. In Privacy Enhancing Technologies, Mikhail J. Atallah and Nicholas J. Hopper (Eds.). Springer-Verlag, Berlin, Heidelberg, 1--18. Google ScholarDigital Library
- Ragib Hasan, Nitesh Saxena, Tzipora Haleviz, Shams Zawoad, and Dustin Rinehart. 2013. Sensing-enabled Channels for Hard-to-detect Command and Control of Mobile Devices. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS '13). ACM, New York, NY, USA, 469--480. Google ScholarDigital Library
- H. Hotelling. 1933. Analysis of a complex of statistical variables into principal components. Journal of Educational Psychology 24, 6 (1933), 417--441.Google ScholarCross Ref
- Samy Kamkar. 2010. Evercookie: virtually irrevocable persistent cookies. Retrieved 01.02.2018 from https://samy.pl/evercookie/Google Scholar
- P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. 2018. Spectre Attacks: Exploiting Speculative Execution. ArXiv e-prints (Jan. 2018). arXiv:cs.CR/1801.01203Google Scholar
- P. Laperdrix, W. Rudametkin, and B. Baudry. 2016. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. In 2016 IEEE Symposium on Security and Privacy (SP). 878--894.Google Scholar
- Paul Lawrence. 2017. Seccomp filter in Android O. https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html {Accessed: 01.02.2018}.Google Scholar
- Paul Lewis and Sam Thorogood. 2017. Animations and Performance. Retrieved 01.02.2018 from https://developers.google.com/web/fundamentals/design-and-ui/animations/animations-and-performanceGoogle Scholar
- Claudio Marforio, Hubert Ritzdorf, Aurélien Francillon, and Srdjan Capkun. 2012. Analysis of the Communication Between Colluding Applications on Modern Smartphones. In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC '12). ACM, New York, NY, USA, 51--60. Google ScholarDigital Library
- N. Matyunin, J. Szefer, S. Biedermann, and S. Katzenbeisser. 2016. Covert channels using mobile device's magnetic field sensors. In 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC). 525--532.Google Scholar
- Microsoft Edge Team. 2018. Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer. Retrieved 01.02.2018 from https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/#pfB3kzxgGMzILirt.97Google Scholar
- Mozilla Firefox development team. 2016. CSS and JavaScript animation performance. Retrieved 01.02.2018 from https://developer.mozilla.org/en-US/Apps/Fundamentals/Performance/CSS_JavaScript_animation_performanceGoogle Scholar
- Ed Novak, Yutao Tang, Zijiang Hao, Qun Li, and Yifan Zhang. 2015. Physical Media Covert Channels on Smart Mobile Devices. In Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp '15). ACM, New York, NY, USA, 367--378. Google ScholarDigital Library
- Keisuke Okamura and Yoshihiro Oyama. 2010. Load-based Covert Channels Between Xen Virtual Machines. In Proceedings of the 2010 ACM Symposium on Applied Computing (SAC '10). ACM, New York, NY, USA, 173--180. Google ScholarDigital Library
- Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and Angelos D. Keromytis. 2015. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and Their Implications. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 1406--1418. Google ScholarDigital Library
- Mike Perry, Erinn Clark, and Steven Murdoch. 2015. The design and implementation of the Tor browser {draft}. Retrieved 01.02.2018 from https://www.torproject.org/projects/torbrowser/design/Google Scholar
- Michael Rushanan, David Russell, and Aviel D. Rubin. 2016. MalloryWorker: Stealthy Computation and Covert Channels Using Web Workers. In Security and Trust Management, Gilles Barthe, Evangelos Markatos, and Pierangela Samarati (Eds.). Springer International Publishing, Cham, 196--211.Google Scholar
- Roman Schlegel, Kehuan Zhang, Xiao-yong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang. 2011. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones.. In Proceedings of the 2011 Network and Distributed System Security Symposium. Internet Society, 17--33.Google Scholar
- Michael Schwarz, Clémentine Maurice, Daniel Gruss, and Stefan Mangard. 2017. Fantastic Timers and Where to Find Them: High-Re solution Microarchitectural Attacks in JavaScript. In Financial Cryptography and Data Security, Aggelos Kiayias (Ed.). Springer International Publishing, Cham, 247--267.Google Scholar
- Shalamov, Alexander and Pozdnyakov, Mikhail. 2017. Sensors For The Web! Retrieved 01.02.2018 from https://developers.google.com/web/updates/2017/09/sensors-for-the-webGoogle Scholar
- Laurent Simon, Wenduan Xu, and Ross Anderson. 2016. Don't Interrupt Me While I Type: Inferring Text Entered Through Gesture Typing on Android Keyboards. Proceedings on Privacy Enhancing Technologies 2016, 3 (jan 2016).Google ScholarCross Ref
- Alexander Timin. 2017. Chrome Platform Status: Intervention: Throttle expensive background timers. Retrieved 01.02.2018 from https://www.chromestatus.com/feature/6172836527865856Google Scholar
- Alexander Timin. 2017. Reducing power consumption for background tabs. Retrieved 01.02.2018 from https://blog.chromium.org/2017/03/reducing-power-consumption-for.htmlGoogle Scholar
- Tor browser bundle team. 2016. Tor bug tracker, 18273: CSS animations provide high resolution timer. Retrieved 01.02.2018 from https://trac.torproject.org/projects/tor/ticket/16110Google Scholar
- R. Turyn and J. Storer. 1961. On binary sequences. Proc. Amer. Math. Soc. 12, 3 (mar 1961), 394--394.Google ScholarCross Ref
- R. Upathilake, Y. Li, and A. Matrawy. 2015. A classification of web browser fingerprinting techniques. In 2015 7th International Conference on New Technologies, Mobility and Security (NTMS). 1--5.Google Scholar
- Luke Wagner. 2018. Mitigations landing for new class of timing attack. Retrieved 01.02.2018 from https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/Google Scholar
- Ethan White. 2016. CPU Correlation Attacks. Retrieved 01.02.2018 from https://ethanwhite.xyz/cpu-correlationGoogle Scholar
Index Terms
- Tracking Private Browsing Sessions using CPU-based Covert Channels
Recommendations
A solution for the automated detection of clickjacking attacks
ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications SecurityClickjacking is a web-based attack that has recently received a wide media coverage. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all)...
The Next Generation Web: Technologies and Services
Big Data AnalyticsAbstractTim Berners-Lee, invented the World Wide Web (WWW) or Web in short in 1989. The Web became so popular that for many, it is synonymous with the Internet or simply the Net. There were many flavors of the original Web like Web 2.0, Web 3.0, etc. All ...
XML3D: interactive 3D graphics for the web
Web3D '10: Proceedings of the 15th International Conference on Web 3D TechnologyWeb technologies provide the basis to distribute digital information worldwide and in realtime but they have also established the Web as a ubiquitous application platform. The Web evolved from simple text data to include advanced layout, images, audio, ...
Comments