| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 03 Dec 2011 12:50:10 +0100 From: Michele Orru <antisnatchor@...il.com> To: Michal Zalewski <lcamtuf@...edump.cx> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com> Subject: Re: fast and somewhat reliable cache timing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Great PoC Michal, I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX 10.6.8 and is reliable. I'm certainly adding it to the BeEF project. Cheers antisnatchor Michal Zalewski wrote: > Evening, > > This party trick is not particularly exciting, but hopefully > highlights a vaguely interesting point: > > http://lcamtuf.coredump.cx/cachetime/ > > In essence, in the past few years, browser vendors have severely > crippled CSS :visited selectors in order to prevent CSS-based history > snooping that made the headlines not long ago (see, for example, > http://wtikay.com). Although it's fairly obvious that other privacy > side channels, such as cache timing, theoretically disclose comparable > data, the attacks demonstrated so far offered, at best, vaguely > probabilistic results (say, > http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that, > cache probing was considered destructive, which significantly limited > its usability. > > Consequently, an argument was made that CSS :visited offered unique > performance and reliability benefits and needed to be addressed > separately, while no serious work takes place on the remaining > vectors. > > My PoC exploits cache timing in Firefox in what appears to be a fairly > fast and reliable way. It is a crude hack, so it will probably fail > for some of you - but it's probably still interesting. The key point > is that to probe for cached content without immediately polluting the > cache, we abort navigation before the HTTP request is made. We also > work around setTimeout / setInterval clamps by leveraging event > delivery. > > PS. If this is even remotely interesting, you may also enjoy > http://lcamtuf.coredump.cx/tangled/ > > Cheers, > /mz > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR 7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX 50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm 11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE= =nUp+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists