Researchers with the New Jersey Institute of Technology have devised a new targeted deanonymization attack that relies on a cache side-channel and which they say is efficient on multiple architectures, operating systems, and browser versions, and works on major websites.
As part of targeted deanonymization attacks, a threat actor who is in possession of a public identifier belonging to their intended victim – such as an email address or Twitter handle – can determine whether the victim is browsing a website they control. These types of techniques can be highly useful to well-resourced threat actors.
“Consider a state-sponsored adversary who has purchased, at great expense, a zero-day exploit, which it wishes to install on the computer of a journalist with a well-known Twitter handle,” the researchers explained in their paper. “The adversary has also compelled a local website to include code that can install this exploit. If this exploit were to be installed on many devices, however, this would increase the risk of the exploit being detected by white-hat security researchers. Therefore, the state adversary wishes to first verify, using the well-known Twitter handle, that the user currently connecting to the website is the target journalist, and only then to deploy its exploit.”
Prior attack methods used mechanisms known as cross-site leaks (XS-leaks) to bypass same-origin policy (SoP) defenses and carry out deanonymization attacks, relying on the existence of leaky resources on the target website to discover whether an embedded resource had been successfully loaded in the user’s browser.
Those mechanisms assumed that cross-site leaks did exist, that a sharing site allowed for the embedding of its resources into the attacker’s website, or that the user’s browser included support for third-party cookies.
The academic researchers with the New Jersey Institute of Technology claim that these assumptions limit the effectiveness of cross-site leaks-based targeted deanonymization, which can instead be increased by using browser-based side-channel attacks.
“Side-channel attacks are attacks that analyze the physical implementation artifacts of a system in order to gain an insight into its secret internal state. Of particular interest to our setting are microarchitectural cache attacks, which allow a spy process to observe the memory access patterns of a victim process over time, and use these access patterns to discover secrets about the victim,” the research paper reads.
The new attack, which relies on client- and server-side channels working together to determine whether the loading of a leaky resource has been successful or not, can be mounted even in settings in which prior methods were ineffective, such as sites preventing the embedding of or the private sharing of resources, or browsers that prevent third-party cookies.
“This has the advantage of covering the novel scenarios introduced in this work, for which known XS-leaks are not effective. At the same time, we show that our approach is equally as effective in previously known attack scenarios, thus offering a unified framework for targeted deanonymization,” the researchers say.
The academics claim that their attack technique is efficient against popular services such as Facebook, Gmail, or Twitter, and that it can run in browsers such as Safari and Tor, which do not allow cookies in cross-site requests.
The attack has a training phase, in which a machine learning classifier is trained to detect the cache signature of a leaky resource, and an online phase, where the victim visits a web page that loads the leaky resource while cache activity is measured on the victim’s computer.
“Finally, the attacker passes the collected cache measurements through the trained classifier, allowing it to identify the victim. The key advantage of our attack is that it needs no programmatic access to the leaky resource, and does not assume the existence of any XS-leak,” the researchers say.
The only requirement for the attack to be successful and deanonymization possible is that content from the attacker’s website is rendered on the same computer as the resource from the sharing site.
“Our attacks run in practical time (less than 3 seconds in most cases), and can be scaled to target an exponentially large [number] of users,” the academics say.
The researchers devised two versions of the attack, namely a pop-under variant – in which the shared resource is loaded in a pop-up window – and a tab-under variant – where the resource is loaded in a new browser tab. Both rely on indirectly learning information cross-window or cross-tab, via a CPU cache side channel.
The first variant involves the loading of the shared resource in a pop-up window in the background. In Safari, this involves launching a second window immediately after the pop-up window. The second window is immediately closed, returning focus to the attacker’s website that the user has navigated to.
The tab-under variant implies launching a new tab, identical with the first, in which the attack page is loaded. An added parameter ensures that the focus is on the second page, while the shared resource is loaded in the first instance of the page, which is now out of focus.
“As a downside, this method does not grant the attacker programmatic access to the tab-under window, making it impossible to close the window after the attack concludes, or to cause it to navigate to another address. Using the tab-under variant, we executed the leaky resource attack successfully in all the browsers we tested, including Safari, Tor, and Chrome,” the academics say.
The researchers also say they were able to successfully scale the tab-under attack by abusing a YouTube feature related to the processing of playlists that have private videos in them, when they are shared with users who do not have permissions to access the private videos.
The academics considered a total of 28 attack setups and claim that the proposed attack technique has a 90% accuracy, “indicating that cache-based deanonymization attacks are effective across a variety of services, browsers, and microarchitectures,” including mobile devices.
In their research paper, the academics also propose a countermeasure against the cache-based deanonymization attacks, in the form of a browser extension that works with the desktop versions of Chrome, Firefox and Tor. Called Leakuidator+, it is based on Leakuidator, the defense previously proposed against XS-leak-based attacks.
Related: Retbleed: New Speculative Execution Attack Targets Intel, AMD Processors
Related: Academics Devise New Speculative Execution Attack Against Apple M1 Chips
Related: Academics Devise Side-Channel Attack Targeting Multi-GPU Systems