practical memory deduplication attacks in sandboxed …page deduplication not only a problem in the...
TRANSCRIPT
www.iaik.tugraz.at
PracticalMemory Deduplication Attacksin Sandboxed JavaScriptDaniel Gruss, David Bidner, and Stefan MangardIAIK, Graz University of Technology
September 23, 2015
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20151
www.iaik.tugraz.at
Overview
Page deduplication not only a problem in the cloud
Can be used to eavesdrop on browser usage
The first page deduplication attack,
in sandboxed JavaScript,
on personal computers and smartphones,
through malicious websites.
Large scale remote attacks possible
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20152
www.iaik.tugraz.at
Overview
Page deduplication not only a problem in the cloud
Can be used to eavesdrop on browser usage
The first page deduplication attack,
in sandboxed JavaScript,
on personal computers and smartphones,
through malicious websites.
Large scale remote attacks possible
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20152
www.iaik.tugraz.at
Overview
Page deduplication not only a problem in the cloud
Can be used to eavesdrop on browser usage
The first page deduplication attack,
in sandboxed JavaScript,
on personal computers and smartphones,
through malicious websites.
Large scale remote attacks possible
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20152
www.iaik.tugraz.at
Copy-on-Write
Virtual Address Space
Physical Address Space
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address Space
Physical Address Space
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
fork
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
Process B tries to write
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
Process B tries to write
copy
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Copy-on-Write
Virtual Address SpaceProcess A
Physical Address Space
Process B
write
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20153
www.iaik.tugraz.at
Write vs. Copy-on-Write
Regular write access < 0.2µs
Write access with copy-on-write pagefault > 3.0µs
Clearly distinguishable
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20154
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Processes startedindependently
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
Done!
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Virtual Address SpaceProcess A
Physical Address Space
Process B
DeduplicationThread
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20155
www.iaik.tugraz.at
Page Deduplication
Deduplication between processes:
1. in same OS instance (Android, Windows)2. in different VMs (KVM, VMWare, ...)
Code pages, data pages - even kernel pages
Time until deduplication 2-45 minutes
depends on system configuration
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20156
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
Attacker generatesa page suspected
in process B
BenignProcess B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
Attacker waitsfor deduplication
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
Attacker waitsfor deduplication
t = time();p[0] = p[0];∆ = time() - t;
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
=
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
write and measure ∆
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
write and measure ∆
copy
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
write
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceAttackerProcess A
Physical Address Space
BenignProcess B
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20157
www.iaik.tugraz.at
What can be attacked?
Existing Attacks:
Detect binary versions in co-located VMs
Detect downloaded image in Firefox under certainconditions
→ Attacks on hypervisors
Native code only
Suzaki et. al. 2011, Owens et. al. 2011, Xiao et. al.2012, 2013
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20158
www.iaik.tugraz.at
What can be attacked?
Our Contribution:
Detect CSS files and images of opened websites
Chrome, Firefox and Internet Explorer
Perform the attack in JavaScript
→ Attacks on KVM, Windows 8.1 and Android
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 20159
www.iaik.tugraz.at
Attacking Browsers
Images and CSS files are page-aligned in memory
Load them into memory for all websites of interest
Detect deduplication
→ Malicious ad networks: alternative to tracking pixels?
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201510
www.iaik.tugraz.at
Detect Image (Native, Cross-VM, KVM)
500 1,000 1,500 2,000 2,500 3,000 3,500100
101
102
103
104
105
Page
Cyc
les
Image not loaded Image loaded
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201511
www.iaik.tugraz.at
Challenges of JavaScript-based attacks
No cycle counting (rdtsc)
No access to virtual addresses
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201512
www.iaik.tugraz.at
Page Deduplication Attacks in JavaScript
Only require microsecond accuracy
performance.now() is accurate enoughCan even work with millisecond accuracy
Accumulate time differenceOnly possible with enough image/CSS data
Large typed arrays are allocated page-aligned
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201513
www.iaik.tugraz.at
Detect Image (JavaScript, Cross-VM, KVM)
500 1,000 1,500 2,000 2,500 3,000 3,500102
103
104
105
Page
Nan
osec
onds
Image not loaded Image loaded
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201514
www.iaik.tugraz.at
Detect Image (JavaScript, Windows 8.1)
50 100 150 200 250 300 350 400 450 500102
103
104
105
Page
Nan
osec
onds
Image not loaded Image loaded
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201515
www.iaik.tugraz.at
Detect Image (JavaScript, Android 4.4.4)
50 100 150 200 250 300 350 400 450 500102
103
104
105
Page
Nan
osec
onds
Image not loaded Image loaded
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201516
www.iaik.tugraz.at
Detection of Open Websites
Attacker chosen set of websites
Load website images and CSS files into arrays
Served image and CSS files depend on:Browser, OS, resolution, etc.
→ Reuse HTTP headers of system under attack
Reduce noise by measuring write accesses to severalpages
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201517
www.iaik.tugraz.at
Detection of Open Websites
Compare with:
zero pages (always deduplicated)random pages (never deduplicated)
Top 10 websites:Amazon, Baidu, Facebook, Google, QQ, Taobao,Twitter, Wikipedia, Yahoo, Youtube
Examples for different platforms
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201518
www.iaik.tugraz.at
Example: JavaScript, Cross-VM, KVM
Rando
mPag
es
Zero pa
ges
AmazonBaid
u
Face
book
Google QQ
Taob
ao
Twitte
r
Wiki
pedia
Yaho
o
Youtu
be0
2,000
4,000
6,000
8,000
78
6,781
6,061
170 60 148
5,626
57 39 148
6,642
100
Nan
osec
onds
Open Websites: Amazon, QQ, YahooDaniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201519
www.iaik.tugraz.at
Example: JavaScript, Windows 8.1
Rando
mPag
es
Zero pa
ges
AmazonBaid
u
Face
book
Google QQ
Taob
ao
Twitte
r
Wiki
pedia
Yaho
o
Youtu
be0
1,000
2,000
3,000
285
1,976
468
2,775
312
1,536
396 306 285
1,762
2,114
370Nan
osec
onds
Open Websites: Baidu, Google, Wikipedia, YahooDaniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201520
www.iaik.tugraz.at
Example: JavaScript, Android 4.4.4
Rando
mPag
es
Zero pa
ges
AmazonBaid
u
Face
book
Google QQ
Taob
ao
Twitte
r
Wiki
pedia
Yaho
o
Youtu
be0
2,000
4,000
6,000
8,000
703
7,875
7271,286
857
4,3754,200
682 833 730 905
7,875
Nan
osec
onds
Open Websites: Google, QQ, YoutubeDaniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201521
www.iaik.tugraz.at
Countermeasures
JavaScript:
Reduce timer accuracy?
Prevent page-aligned arrays?
Website diversification?
Prevent control over full pages
Every n-th byte not part of JavaScript array
Generic:
Disable page deduplication (for writable pages)
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201522
www.iaik.tugraz.at
Countermeasures
JavaScript:
Reduce timer accuracy?
Prevent page-aligned arrays?
Website diversification?
Prevent control over full pages
Every n-th byte not part of JavaScript array
Generic:
Disable page deduplication (for writable pages)
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201522
www.iaik.tugraz.at
Conclusion
Page deduplication not only a problem on IaaS clouds
→ Privacy issue on personal computers andsmartphones
Remote attacks through malicious websites
Same code for all platforms → large scale attacks
Disable page deduplication if possible
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201523
www.iaik.tugraz.at
PracticalMemory Deduplication Attacksin Sandboxed JavaScriptDaniel Gruss, David Bidner, and Stefan MangardIAIK, Graz University of Technology
September 23, 2015
Daniel Gruss, IAIK, Graz University of TechnologySeptember 23, 201524