More Web Proxy on the site http://driver.im/

research-article

Cross-origin pixel stealing: timing attacks using CSS filters

Authors:

Robert Kotcher,

Collin JacksonAuthors Info & Claims

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Pages 1055 - 1062

https://doi.org/10.1145/2508859.2516712

Published: 04 November 2013 Publication History

Abstract

Timing attacks rely on systems taking varying amounts of time to process different input values. This is usually the result of either conditional branching in code or differences in input size. Using CSS default filters, we have discovered a variety of timing attacks that work in multiple browsers and devices. The first attack exploits differences in time taken to render various DOM trees. This knowledge can be used to determine boolean values such as whether or not a user has an account with a particular website. Second, we introduce pixel stealing. Pixel stealing attacks can be used to sniff user history and read text tokens.

References

[1]

Adobe. Css shaders. http://www.adobe.com/devnet/html5/articles/css-shaders.html.

[2]

A. Barth. Adam barth's proposal. http://www.schemehostport.com/2011/12/timing-attacks-on-css-shaders.html.

[3]

A. Barth, C. Jackson, C. Reis, and T. Team. The security architecture of the chromium browser, 2008.

[4]

A. Bortz and D. Boneh. Exposing private information by timing web applications. In Proceedings of the 16th international conference on World Wide Web, pages 621--628. ACM, 2007.

Digital Library

[5]

Chromium. Gpu command buffer. http://www.chromium.org/developers/design-documents/gpu-command-buffer.

[6]

Chromium. Graphics and skia. http://www.chromium.org/developers/design-documents/graphics-and-skia.

[7]

Carnegie Mellon University. Spatial data structures. http://www.cs.cmu.edu/afs/cs/academic/class/15462-f12/www/lec_slides/lec13.pdf.

[8]

R. Crawfis. Mozilla window.requestanimationframe. https://developer.mozilla.org/en-US/docs/DOM/window.requestAnimationFrame.

[9]

A. Deveria. Can i use css filter effects? http://caniuse.com/css-filters.

[10]

E. W. Felten and M. A. Schneider. Timing attacks on web privacy. In Proceedings of the 7th ACM conference on Computer and communications security, pages 25--32. ACM, 2000.

Digital Library

[11]

HTML5Rocks. Catch-all for html5 rocks website. http://updates.html5rocks.com.

[12]

R. Hudea, R. Cabanier, and V. Hardy. enriching the web with css filters.

[13]

C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the 15th international conference on World Wide Web, pages 737--744. ACM, 2006.

Digital Library

[14]

P. C. Kocher. Timing attacks on implementations of diffe-hellman, rsa, dss, and other systems. In Advances in Cryptology|CRYPTO'96, pages 104--113. Springer, 1996.

Digital Library

[15]

V. Kokkevis. Gpu accelerated compositing in chrome. http://www.chromium.org/developers/design-documents/gpu-accelerated-compositing-in-chrome.

[16]

I. LiTH. Painter's algorithm. http://www.computer-graphics.se/TSBK07-files/PDF12/6b.pdf.

[17]

P. Stone. Pixel perfect timing attacks with html5. http://www.contextis.com/files/Browser_Timing_Attacks.pdf.

[18]

W3. Css shader proposal. https://dvcs.w3.org/hg/FXTF/raw-file/tip/custom/index.html.

[19]

W3. Shader security. http://www.w3.org/Graphics/fx/wiki/CSS_Shaders_Security.

[20]

Webkit. Accelerated rendering and compositing. http://trac.webkit.org/wiki/Accelerated%20rendering%20and%20compositing.

[21]

Z. Weinberg, E. Y. Chen, P. R. Jayaraman, and C. Jackson. I still know what you visited last summer: Leaking browsing history via user interaction and side channel attacks. In Security and Privacy (SP), 2011 IEEE Symposium on, pages 147--161. IEEE, 2011.

Digital Library

[22]

S. White. Accelerated css filters landed in chromium. http://blog.chromium.org/2012/06/accelerated-css-filters-landed-in.html.

Cited By

Wang YPaccagnella RGang ZVasquez WKohlbrenner DShacham HFletcher C(2024)GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00084(3716-3734)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00084
Taneja HKim JXu JVan Schaik SGenkin DYarom YCalandrino JTroncoso C(2023)Hot pixelsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620588(6275-6292)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620588
Ma CWu DTan GKandemir MZhang D(2023)Quantifying and Mitigating Cache Side Channel Leakage with Differential SetProceedings of the ACM on Programming Languages10.1145/36228507:OOPSLA2(1470-1498)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622850
Show More Cited By

Index Terms

Cross-origin pixel stealing: timing attacks using CSS filters

Recommendations

Protecting browsers from cross-origin CSS attacks
CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. We show how to conduct these attacks with any browser, ...
Countermeasures for timing-based side-channel attacks against shared, modern computing hardware

There are several vulnerabilities in computing systems hardware that can be exploited by attackers to carry out devastating microarchitectural timing-based side-channel attacks against these systems and as a result compromise the security of the users of ...
Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Modern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

November 2013

1530 pages

ISBN:9781450324779

DOI:10.1145/2508859

General Chair:
Ahmad-Reza Sadeghi
TU Darmstadt, CASED, Intel ICRI-SC, Germany
,
Program Chairs:
Virgil Gligor
Carnegie Mellon University, USA
,
Moti Yung
Columbia University, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4 - 8, 2013

Berlin, Germany

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

30
Total Citations
View Citations
1,127
Total Downloads

Downloads (Last 12 months)42
Downloads (Last 6 weeks)7

Reflects downloads up to 19 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wang YPaccagnella RGang ZVasquez WKohlbrenner DShacham HFletcher C(2024)GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00084(3716-3734)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00084
Taneja HKim JXu JVan Schaik SGenkin DYarom YCalandrino JTroncoso C(2023)Hot pixelsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620588(6275-6292)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620588
Ma CWu DTan GKandemir MZhang D(2023)Quantifying and Mitigating Cache Side Channel Leakage with Differential SetProceedings of the ACM on Programming Languages10.1145/36228507:OOPSLA2(1470-1498)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622850
Wang YPaccagnella RWandke AGang ZGarrett-Grossman GFletcher CKohlbrenner DShacham H(2023)DVFS Frequently Leaks Secrets: Hertzbleed Attacks Beyond SIKE, Cryptography, and CPU-Only Data2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179326(2306-2320)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179326
Spriet ALime DRoux O(2023)Timed Non-interference Under Partial Observability and Bounded MemoryFormal Modeling and Analysis of Timed Systems10.1007/978-3-031-42626-1_8(122-137)Online publication date: 29-Aug-2023
https://doi.org/10.1007/978-3-031-42626-1_8
Cohen YTharayil KHaenel AGenkin DKeromytis AOren YYarom YYin HStavrou ACremers CShi E(2022)HammerScopeProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security10.1145/3548606.3560688(547-561)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3548606.3560688
Arcile JAndré É(2022)Timed Automata as a Formalism for Expressing Security: A Survey on Theory and PracticeACM Computing Surveys10.1145/353496755:6(1-36)Online publication date: 7-Dec-2022
https://dl.acm.org/doi/10.1145/3534967
André ÉLime DMarinho DSun J(2022)Guaranteeing Timed Opacity using Parametric Timed Model CheckingACM Transactions on Software Engineering and Methodology10.1145/350285131:4(1-36)Online publication date: 8-Sep-2022
https://dl.acm.org/doi/10.1145/3502851
Ma HTian JGao DJia C(2022)On the Effectiveness of Using Graphics Interrupt as a Side Channel for User Behavior SnoopingIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.309115919:5(3257-3270)Online publication date: 1-Sep-2022
https://doi.org/10.1109/TDSC.2021.3091159
Jin ZKong ZChen SDuan H(2022)Timing-Based Browsing Privacy Vulnerabilities Via Site Isolation2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833710(1525-1539)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833710
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents