Practical Keystroke Timing Attacks in Sandboxed JavaScript

  • Moritz Lipp
  • Daniel Gruss
  • Michael Schwarz
  • David Bidner
  • Clémentine Maurice
  • Stefan Mangard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

Abstract

Keystrokes trigger interrupts which can be detected through software side channels to reconstruct keystroke timings. Keystroke timing attacks use these side channels to infer typed words, passphrases, or create user fingerprints. While keystroke timing attacks are considered harmful, they typically require native code execution to exploit the side channels and, thus, may not be practical in many scenarios.

In this paper, we present the first generic keystroke timing attack in sandboxed JavaScript, targeting arbitrary other tabs, processes and programs. This violates the same-origin policy, the HTTPS security model, and process isolation. Our attack is based on the interrupt-timing side channel, which has previously only been exploited using native code. In contrast to previous attacks, we do not require the victim to run a malicious binary or interact with the malicious website. Instead, our attack runs in a background tab, possibly in a minimized browser window, displaying a malicious online advertisement. We show that we can observe the exact inter-keystroke timings for a user’s PIN or password, infer URLs entered by the user, and distinguish different users time-sharing a computer. Our attack works on personal computers, laptops and smartphones, with different operating systems and browsers. As a solution against all known JavaScript timing attacks, we propose a fine-grained permission model.

Keywords

JavaScript; Side channel; Interrupt; Keystroke; Fingerprint

Acknowledgments

We would like to thank our anonymous reviewers for their valuable feedback. This project has been supported by the COMET K-Project DeSSnet (grant No. 862235) conducted by the Austrian Research Promotion Agency (FFG) and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 681402).

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Moritz Lipp (1)
  • Daniel Gruss (1)
  • Michael Schwarz (1)
  • David Bidner (1)
  • Clémentine Maurice (1)
  • Stefan Mangard (1)

  1. Graz University of Technology, Graz, Austria