Add proposed Cross-site covert channel attack description #219
Conversation
index.html
Outdated
that are not supposed to be allowed to communicate. In modern multi-process web engines in the generic | ||
case each window or tab resides in its own process (documents that have the [=same origin=] or sites that | ||
have the [=same site=] typically share the same process). Using this API it may be possible to create a | ||
cross-site covert channel C where a site A on one tab first writes to the channel C after having |
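Review bot: the parenthetical in the second sentence lists both [=same origin=] and [=same site=] as the grouping that shares a process, but same-origin documents are by definition same-site, so the first condition is redundant; suggest "documents that are [=same site=] typically share a process" and drop the same-origin clause. The phrase "in the generic case each window or tab resides in its own process" also overstates current site isolation; "typically" or "may" would be safer wording.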
I am not sure "write" is the right word; it is more like broadcasting.
Fixed in 9e8cd0f
case each window or tab resides in its own process (documents that have the [=same origin=] or sites that | ||
have the [=same site=] typically share the same process). Using this API it may be possible to create a | ||
cross-site covert channel C where a site A on one tab first writes to the channel C after having | ||
manipulated the state of the CPU. Next a site B (that is not same site with site A) on another tab reads |
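Review bot: "that is not same site with site A" is ungrammatical; suggest "that is not [=same site=] as site A", reusing the definition link used two lines earlier. As already raised in this thread, "on another tab" should also cover another window or another browser on the same device, since the channel is the shared CPU rather than anything browser-specific.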
on another or even browser
reads the broadcasted data?
Ditto.
</p> | ||
<div class="note"> | ||
The longer the scripts run the more information can be transmitted using the proposed cross-site covert channel. | ||
For example, if a user is on a video conferencing site and another long-running site that allows for more |
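Review bot: missing comma in "The longer the scripts run the more information" (after "run"). The video conferencing example also undercuts the point it is making: an active conference keeps the CPU busy with load the attacker does not control, which adds noise to the pressure signal rather than improving the channel, as noted in this thread; a clearer illustration is two long-lived tabs on an otherwise idle machine.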
On the other hand, something like an active video conferencing session will push the pressure on the CPU and make it much harder to manipulate in a predictive manner.
The same, addressed in 9e8cd0f
index.html
Outdated
<p> | ||
In a calibration process an attacker tries to manipulate the CPU so that this | ||
API would report a transition into a certain pressure state in response to the | ||
pressure exerted by the fabricated workload. By slightly changing at runtime |
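Review bot: "tries to manipulate the CPU so that this API would report a transition" presents the goal as deterministic, but the mapping from load to pressure state is implementation-defined; state the aim as finding the fabricated workload that most reliably produces a given state transition, and use "reports" rather than "would report".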
Maybe say that they will try to find the workload pressure that with the highest probability will result in a certain state?
Fixed in 3cfdf72
index.html
Outdated
pressure exerted by the fabricated workload. By slightly changing at runtime | ||
the implementation-defined low-level hardware metrics that contribute to these | ||
pressure state transitions this mitigation will slow down or prevent this | ||
calibration process from succeeding. |
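Review bot: the mitigation sentence says the implementation changes "the implementation-defined low-level hardware metrics", but a user agent cannot alter the hardware metrics themselves; what it can vary at runtime are the thresholds it applies when mapping those metrics to pressure states. Suggest "by slightly varying at runtime the implementation-defined thresholds that map low-level hardware metrics to pressure state transitions". The sentence is also long; as proposed in the review, lead with the mitigation and put the mechanism in a trailing clause.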
calibration will most likely succeed, but we want to invalidate the calibration at runtime, as you would need to be focused in order to reuse the Compute Pressure API to re-calibrate
The same.
Suggestion:
Shuffling the sentence the other way around would make it easier to understand.
"A mitigation solution can slow down or prevent this calibration process from succeeding (mentioning earlier the cause just described in the previous sentence), by slightly changing [...] these pressure state transitions."
Fixed in a6c439d
pressure state transitions this mitigation will slow down or prevent this | ||
calibration process from succeeding. | ||
</p> | ||
</section> |
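Review bot: the section closes without saying what the mitigation achieves in terms of the channel itself; since the note earlier states that the information transmitted grows with how long the scripts run, add a sentence that the runtime variation forces the attacker to recalibrate repeatedly and so reduces how many reliable transitions can be signalled in a given time.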
I think we might also want to mention this mitigation: Throttle compute execution of background web app
Browsers already do this in order to save power (sometimes after some time delay like say 5 minutes). Doing this will make it much harder to create workloads that result in certain states, and it might be impossible to reach upper states like "critical"; the calibrated workloads would also be invalid.
Fixed by f77bc3d
I think a note in the context of this mitigation makes sense since this is not specific to this API but a feature of browsers.
index.html
Outdated
By slightly changing at runtime the implementation-defined low-level hardware | ||
metrics that contribute to these pressure state transitions this mitigation will | ||
slow down or prevent this calibration process from succeeding. Even if the | ||
initial calibration would succeed its results will be invalidated at runtime |
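Review bot: "Even if the initial calibration would succeed its results" should read "Even if the initial calibration succeeds, its results": the indicative mood fits an "even if" clause, in addition to the comma already flagged in this thread.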
missing comma: "succeed, its"
Fixed in a6c439d
Update Acknowledgments with explicit thanks to Peter Snyder for this proposed attack and guidance on its mitigations.
Mitigates the proposed Cross-site covert channel attack
Add a note that mentions throttling
And reference its definition
Adjust wording for improved clarity
Rebased the PR, ready for merging to establish a baseline. Further improvements to be proposed in subsequent PRs.