Deterministic Browser

Cao, Yinzhi; Chen, Zhanhao; Li, Song; Wu, S. David

doi:10.1145/3133956.3133996

Cited by 20 publications

(27 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Precise timers serve as a key building block for a variety of side-channel attacks and for this reason a number of stateof-the-art defenses specifically aim to remove the attackers' ability to construct them [9], [29], [44]. We will show that our GPU-based timers bypass such novel defenses.…”

Section: Gpu-based Attacksmentioning

confidence: 98%

“…To compromise the target system, we assume the attacker can only rely on microarchitectural attacks by harnessing the primitives provided by the GPU. We also assume a target system with all defenses up, including advanced research defenses (applicable to the ARM platform), which hamper reliable timing sources in the browser [9], [29] and protect kernel memory from Rowhammer attacks [8].…”

Section: Threat Modelmentioning

confidence: 99%

“…Recent work shows that these attacks are even possible through malicious JavaScript applications [7], [18], [20], [38], significantly increasing their real-world impact. To counter this threat, the research community has proposed a number of sophisticated defense mechanisms [8], [9], [29]. However, these defenses implicitly assume that the attacker's capabilities are limited to those of the main CPU cores.…”

Section: Introductionmentioning

confidence: 99%

“…Worse, attackers can unlock the latent power of GPUs even from JavaScript code running inside the browser, paving the way for a new and more powerful family of remote microarchitectural attacks. We demonstrate the potential of such attacks by bypassing state-of-the-art browser defenses [9], [29], [44] and presenting the first reliable GPU-based Rowhammer attack that compromises a browser on a phone in under two minutes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Frigo

Giuffrida

Bos

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

102

View full text Add to dashboard Cite

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to "accelerate" microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-toend microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

show abstract

Section: Gpu-based Attacksmentioning

confidence: 98%

Section: Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Frigo

Giuffrida

Bos

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

102

View full text Add to dashboard Cite

show abstract

“…At this point, the return instruction in step (5) returns from B to A and triggers the first misprediction. In step (6), N A more returns will be executed, all of them mispredicting B as the return target. The state of the RSB (shortened to N = 4) after each of these steps is also depicted in Figure 2.…”

Section: Webassembly-based Speculationmentioning

confidence: 99%

ret2spec

Maisuradze

Rossow

2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

140

View full text Add to dashboard Cite

Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied.In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based crossprocess attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80% accuracy on average.

show abstract