DOI: 10.1145/3133956.3133996
Public Access

Deterministic Browser

Published: 30 October 2017

Abstract

Timing attacks have been a continuous threat to users' privacy in modern browsers. To mitigate such attacks, existing approaches, such as Tor Browser and Fermata, add jitter to the browser clock so that an attacker cannot accurately measure an event. However, such defenses only raise the bar for an attacker and do not fundamentally mitigate timing attacks, i.e., a timing attack simply takes longer to launch than before. In this paper, we propose a novel approach, called deterministic browser, which can provably prevent timing attacks in modern browsers. Borrowing from physics, we introduce several concepts, such as an observer and a reference frame. Specifically, a snippet of JavaScript, i.e., an observer in the JavaScript reference frame, will always obtain the same, fixed timing information, so that timing attacks are prevented; in contrast, a user, i.e., an oracle observer, perceives the JavaScript differently and does not experience the performance slowdown. We have implemented a prototype called DeterFox, and our evaluation shows that the prototype can defend against browser-related timing attacks.
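As an added illustration (not code from the paper or from DeterFox), the following JavaScript models the two defense styles the abstract contrasts: a fuzzy clock that adds jitter to wall time, and a deterministic clock that advances only with the observer's own progress, so the JavaScript observer reads the same elapsed value no matter how long the event really took. The clock models, the tick size, the jitter range and the seeded random generator are simplifying assumptions made here; DeterFox's actual mechanism is not described on this page.

```javascript
// Added illustration, not DeterFox code. Both clock models and their parameters
// are simplifying assumptions: the fuzzy clock stands in for jitter-based
// defenses, the deterministic clock for "the observer always sees the same timing".

// Tiny seeded LCG so the simulation is reproducible offline.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;           // uniform in [0, 1)
  };
}

// Fuzzy clock: wall time plus up to jitterMs of random noise on every read.
function makeFuzzyClock(jitterMs, rng) {
  return (wallMs) => wallMs + rng() * jitterMs;
}

// Deterministic clock: ignores wall time; every read advances one logical tick,
// so the value depends only on how many times the observer has asked.
function makeDeterministicClock(tickMs) {
  let reads = 0;
  return (_wallMs) => reads++ * tickMs;
}

// The JavaScript observer: read the clock, let the event consume durationMs of
// wall time (which it never sees directly), read again, report the difference.
function observe(clock, durationMs, state) {
  const start = clock(state.wallMs);
  state.wallMs += durationMs;            // the user (oracle observer) pays this
  return clock(state.wallMs) - start;
}

// Mean of n observations of an event with the given real duration.
function meanObserved(clock, durationMs, n) {
  const state = { wallMs: 0 };
  let total = 0;
  for (let i = 0; i < n; i++) total += observe(clock, durationMs, state);
  return total / n;
}

// Compare a 1 ms event with a 50 ms event; makeClock(i) builds a fresh clock.
function compareClock(makeClock, n = 1000) {
  return { fast: meanObserved(makeClock(0), 1, n), slow: meanObserved(makeClock(1), 50, n) };
}

// Deterministic: both events read as exactly one tick; nothing distinguishes them.
const detResult = compareClock(() => makeDeterministicClock(1));
// Fuzzy (100 ms jitter): single readings are noisy, yet the means still separate
// with enough samples, which is the "only raises the bar" point of the abstract.
const fuzzyResult = compareClock((i) => makeFuzzyClock(100, makeRng(7 + i)));
console.log(detResult, fuzzyResult);
```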

Supplemental Material

MP4 File



Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN:9781450349468
DOI:10.1145/3133956
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. determinism
  2. timing side-channel attack
  3. web browser

Qualifiers

  • Research-article

Conference

CCS '17
Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)87
  • Downloads (Last 6 weeks)15
Reflects downloads up to 07 Jan 2025

Cited By

  • (2024) Secure Storage of Crypto Wallet Seed Phrase Using ECC and Splitting Technique. IEEE Open Journal of the Computer Society 5, 278-289. https://doi.org/10.1109/OJCS.2024.3398794. Online publication date: 2024.
  • (2023) DefWeb: Defending User Privacy against Cache-based Website Fingerprinting Attacks with Intelligent Noise Injection. Proceedings of the 39th Annual Computer Security Applications Conference, 379-393. https://doi.org/10.1145/3627106.3627191. Online publication date: 4 Dec 2023.
  • (2023) CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2441-2455. https://doi.org/10.1145/3576915.3616584. Online publication date: 15 Nov 2023.
  • (2023) Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability. 2023 IEEE Symposium on Security and Privacy (SP), 1059-1076. https://doi.org/10.1109/SP46215.2023.10179352. Online publication date: May 2023.
  • (2023) A novel GPU based Geo-Location Inference Attack on WebGL framework. High-Confidence Computing 3(4), 100135. https://doi.org/10.1016/j.hcc.2023.100135. Online publication date: Dec 2023.
  • (2022) GraphTrack. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, 82-96. https://doi.org/10.1145/3488932.3517398. Online publication date: 30 May 2022.
  • (2022) Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission Security. 2022 IEEE Symposium on Security and Privacy (SP), 1193-1210. https://doi.org/10.1109/SP46214.2022.9833767. Online publication date: May 2022.
  • (2022) A Two-Step TLS-Based Browser fingerprinting approach using combinatorial sequences. Computers and Security 114(C). https://doi.org/10.1016/j.cose.2021.102575. Online publication date: 1 Mar 2022.
  • (2021) SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 472-486. https://doi.org/10.1109/EuroSP51992.2021.00039. Online publication date: Sep 2021.
  • (2021) You've Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures. Detection of Intrusions and Malware, and Vulnerability Assessment, 1-20. https://doi.org/10.1007/978-3-030-80825-9_1. Online publication date: 14 Jul 2021.
