[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4EDA0CF2.9000908@gmail.com>
Date: Sat, 03 Dec 2011 12:50:10 +0100
From: Michele Orru <antisnatchor@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq <bugtraq@...urityfocus.com>
Subject: Re: fast and somewhat reliable cache timing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Great PoC Michal,
I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX
10.6.8 and is reliable.
I'm certainly adding it to the BeEF project.
Cheers
antisnatchor
Michal Zalewski wrote:
> Evening,
>
> This party trick is not particularly exciting, but hopefully
> highlights a vaguely interesting point:
>
> http://lcamtuf.coredump.cx/cachetime/
>
> In essence, in the past few years, browser vendors have severely
> crippled CSS :visited selectors in order to prevent CSS-based history
> snooping that made the headlines not long ago (see, for example,
> http://wtikay.com). Although it's fairly obvious that other privacy
> side channels, such as cache timing, theoretically disclose comparable
> data, the attacks demonstrated so far offered, at best, vaguely
> probabilistic results (say,
> http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
> cache probing was considered destructive, which significantly limited
> its usability.
>
> Consequently, an argument was made that CSS :visited offered unique
> performance and reliability benefits and needed to be addressed
> separately, while no serious work takes place on the remaining
> vectors.
>
> My PoC exploits cache timing in Firefox in what appears to be a fairly
> fast and reliable way. It is a crude hack, so it will probably fail
> for some of you - but it's probably still interesting. The key point
> is that to probe for cached content without immediately polluting the
> cache, we abort navigation before the HTTP request is made. We also
> work around setTimeout / setInterval clamps by leveraging event
> delivery.
>
> PS. If this is even remotely interesting, you may also enjoy
> http://lcamtuf.coredump.cx/tangled/
>
> Cheers,
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW
C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR
7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX
50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm
11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk
Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE=
=nUp+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists