lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4EDA0CF2.9000908@gmail.com>
Date: Sat, 03 Dec 2011 12:50:10 +0100
From: Michele Orru <antisnatchor@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq <bugtraq@...urityfocus.com>
Subject: Re: fast and somewhat reliable cache timing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Great PoC Michal,

I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX
10.6.8 and is reliable.

I'm certainly adding it to the BeEF project.

Cheers
antisnatchor

Michal Zalewski wrote:
> Evening,
> 
> This party trick is not particularly exciting, but hopefully
> highlights a vaguely interesting point:
> 
> http://lcamtuf.coredump.cx/cachetime/
> 
> In essence, in the past few years, browser vendors have severely
> crippled CSS :visited selectors in order to prevent CSS-based history
> snooping that made the headlines not long ago (see, for example,
> http://wtikay.com).  Although it's fairly obvious that other privacy
> side channels, such as cache timing, theoretically disclose comparable
> data, the attacks demonstrated so far offered, at best, vaguely
> probabilistic results (say,
> http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
> cache probing was considered destructive, which significantly limited
> its usability.
> 
> Consequently, an argument was made that CSS :visited offered unique
> performance and reliability benefits and needed to be addressed
> separately, while no serious work takes place on the remaining
> vectors.
> 
> My PoC exploits cache timing in Firefox in what appears to be a fairly
> fast and reliable way. It is a crude hack, so it will probably fail
> for some of you - but it's probably still interesting. The key point
> is that to probe for cached content without immediately polluting the
> cache, we abort navigation before the HTTP request is made. We also
> work around setTimeout / setInterval clamps by leveraging event
> delivery.
> 
> PS. If this is even remotely interesting, you may also enjoy
> http://lcamtuf.coredump.cx/tangled/
> 
> Cheers,
> /mz
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW
C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR
7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX
50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm
11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk
Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE=
=nUp+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ