Re: Documenting Timing Attacks in Rendering Engines

On Mon, Dec 12, 2011 at 11:48 AM, Chris Marrin <cmarrin@apple.com> wrote:
> On Dec 12, 2011, at 10:23 AM, Adam Barth wrote:
>> I'm happy to start talking about solutions once folks stop pretending
>> this vulnerability doesn't exist.
>
> One solution would be to hide the amount of time it takes to render from the content author. This is theoretically possible if you render in a different thread than the one in which JavaScript is running (the web thread). For instance, the web thread could construct a list of commands used to render the page and then pass that list to another thread or process for the actual rendering. While rendering is happening in that other thread, the web thread can continue, generating a new display list for the next frame.
>
> You'd still throttle the web thread to the display refresh rate to avoid generating more display lists than could possibly be useful. But the actual rendering could take an arbitrary amount of time without affecting the rate at which display lists are generated. Since shader execution time is purely a rendering artifact, the author would never know how long it has taken.
>
> The downside of this approach (other than additional complexity) is that, if rendering is slower than the display refresh rate, more display lists would be generated than rendered. These would simply be discarded, but the browser would be doing more work than it does today when under heavy rendering load.
>
> Many graphics libraries used in browsers today use, or can be made to use, display lists. So while this would not be a simple solution it would be a practical one. It would add complexity, but I think it would solve the problem of timing attacks in any page rendered content.

While tempting, this approach doesn't work.  For example, the web page
can create one WebWorker for each CPU core and measure how fast these
workers run.  The background thread that does the rendering will need
to be scheduled onto some CPU core, and it's performance
characteristics will be different depending on whether it is dropping
frames.

In general, I don't believe any approach that involves hiding the
sensitive information after it has entered the timing channel can
work.  We have 30 years of implementation experience in a wide variety
of settings that has taught us this lesson the hard way.

Adam

Received on Monday, 12 December 2011 19:58:11 UTC