PerfWeb: How to Violate Web Privacy with Hardware Performance Events

  • Berk Gulmezoglu
  • Andreas Zankl
  • Thomas Eisenbarth
  • Berk Sunar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

Abstract

The browser history reveals highly sensitive information about users, such as financial status, health conditions, or political views. Private browsing modes and anonymity networks are consequently important tools to preserve the privacy not only of regular users but in particular of whistleblowers and dissidents. Yet, in this work we show how a malicious application can infer opened websites from Google Chrome in Incognito mode and from Tor Browser by exploiting hardware performance events (HPEs). In particular, we analyze the browsers’ microarchitectural footprint with the help of advanced Machine Learning techniques: k-th Nearest Neighbors, Decision Trees, Support Vector Machines, and in contrast to previous literature also Convolutional Neural Networks. We profile 40 different websites, 30 of the top Alexa sites and 10 whistleblowing portals, on two machines featuring an Intel and an ARM processor. By monitoring retired instructions, cache accesses, and bus cycles for at most 5 s we manage to classify the selected websites with a success rate of up to 86.3%. The results show that hardware performance events can clearly undermine the privacy of web users. We therefore propose mitigation strategies that impede our attacks and still allow legitimate use of HPEs.

Keywords

Website fingerprinting Hardware performance events Machine learning Incognito mode Chrome Tor Onion routing Privacy 

Notes

Acknowledgments

We would like to thank the anonymous reviewers for their valuable comments and suggestions. This work has been supported by the National Science Foundation, under grants CNS-1618837 and CNS-1314770.

References

  1. 1.
    Alexa Internet Inc.: The top 500 sites on the web (2017). http://www.alexa.com/topsites. Accessed 10 May 2017
  2. 2.
    Anonymous Contributors: Leak site directory. http://www.leakdirectory.org/index.php/Leak_Site_Directory
  3. 3.
    Atici, A., Yilmaz, C., Savas, E.: An approach for isolating the sources of information leakage exploited in cache-based side-channel attacks. In: 2013 IEEE 7th International Conference on Software Security and Reliability-Companion (SERE-C), pp. 74–83, June 2013Google Scholar
  4. 4.
    Bahador, M.B., Abadi, M., Tajoddin, A.: HPCMalHunter: behavioral malware detection using hardware performance counters and singular value decomposition. In: 2014 4th International Conference on Computer and Knowledge Engineering (ICCKE), pp. 703–708, October 2014Google Scholar
  5. 5.
    Bhattacharya, S., Mukhopadhyay, D.: Who watches the watchmen?: utilizing performance monitors for compromising keys of RSA on intel platforms. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 248–266. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48324-4_13CrossRefGoogle Scholar
  6. 6.
    Booth, J.: Not so incognito: exploiting resource-based side channels in JavaScript engines. Master’s thesis, School of Engineering and Applied Sciences, Harvard University (2015). http://nrs.harvard.edu/urn-3:HUL.InstRepos:17417578
  7. 7.
    Chang, C.C., Lin, C.J.: LIBSVM: a library for support vector machines. ACM Trans. Intell. Syst. Technol. 2, 27:1–27:27 (2011). http://www.csie.ntu.edu.tw/~cjlin/libsvm
  8. 8.
    Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. Appl. Soft Comput. 49, 1162–1174 (2016)CrossRefGoogle Scholar
  9. 9.
    Clark, S.S., Mustafa, H., Ransford, B., Sorber, J., Fu, K., Xu, W.: Current events: identifying webpages by tapping the electrical outlet. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 700–717. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40203-6_39CrossRefGoogle Scholar
  10. 10.
    Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. In: Proceedings of the 40th Annual International Symposium on Computer Architecture, ISCA 2013, pp. 559–570. ACM, New York (2013)Google Scholar
  11. 11.
    Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, CCS 2000, pp. 25–32. ACM, New York (2000)Google Scholar
  12. 12.
    Gruss, D., Bidner, D., Mangard, S.: Practical memory deduplication attacks in sandboxed javascript. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 108–122. Springer, Cham (2015). doi: 10.1007/978-3-319-24174-6_6CrossRefGoogle Scholar
  13. 13.
    Hayes, J., Danezis, G.: k-fingerprinting: a robust scalable website fingerprinting technique. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 1187–1203. USENIX Association, Austin, (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/hayes
  14. 14.
    Hornby, T.: Side-channel attacks on everyday applications: distinguishing inputs with FLUSH+RELOAD. Black Hat USA (2016). https://www.blackhat.com/docs/us-16/materials/us-16-Hornby-Side-Channel-Attacks-On-Everyday-Applications-wp.pdf
  15. 15.
    Jana, S., Shmatikov, V.: Memento: Learning secrets from process footprints. In: 2012 IEEE Symposium on Security and Privacy, pp. 143–157, May 2012Google Scholar
  16. 16.
    Kazdagli, M., Reddi, V.J., Tiwari, M.: Quantifying and improving the efficiency of hardware-based mobile malware detectors. In: 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), pp. 1–13, October 2016Google Scholar
  17. 17.
    Kim, H., Lee, S., Kim, J.: Inferring browser activity and status through remote monitoring of storage usage. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 410–421. ACM, New York (2016)Google Scholar
  18. 18.
    Lee, S., Kim, Y., Kim, J., Kim, J.: Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In: 2014 IEEE Symposium on Security and Privacy, pp. 19–33, May 2014Google Scholar
  19. 19.
    Liang, B., You, W., Liu, L., Shi, W., Heiderich, M.: Scriptless timing attacks on web browser privacy. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 112–123, June 2014Google Scholar
  20. 20.
    Linux Kernel Developers: perf: Linux profiling with performance counters (2015). https://perf.wiki.kernel.org/index.php/Main_Page
  21. 21.
    Linux Programmer’s Manual: perf_event_open - set up performance monitoring (2016). http://man7.org/linux/man-pages/man2/perf_event_open.2.html
  22. 22.
    Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: ARMageddon: cache attacks on mobile devices. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 549–564. USENIX Association, Austin (2016). ISBN 978-1-931971-32-4. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lipp
  23. 23.
    Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering intel last-level cache complex addressing using performance counters. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 48–65. Springer, Cham (2015). doi: 10.1007/978-3-319-26362-5_3CrossRefGoogle Scholar
  24. 24.
    Mucci, P.J., Browne, S., Deane, C., Ho, G.: PAPI: a portable interface to hardware performance counters. In: Proceedings of the Department of Defense HPCMP Users Group Conference, pp. 7–10 (1999)Google Scholar
  25. 25.
    Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in javascript and their implications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 1406–1418. ACM, New York (2015)Google Scholar
  26. 26.
    Singh, B., Evtyushkin, D., Elwell, J., Riley, R., Cervesato, I.: On the detection of kernel-level rootkits using hardware performance counters. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 483–493. ACM (2017)Google Scholar
  27. 27.
    Sun, Q., Simon, D.R., Wang, Y.M., Russell, W., Padmanabhan, V.N., Qiu, L.: Statistical identification of encrypted web browsing traffic. In: Proceedings 2002 IEEE Symposium on Security and Privacy, pp. 19–30 (2002)Google Scholar
  28. 28.
    Tang, A., Sethumadhavan, S., Stolfo, S.J.: Unsupervised anomaly-based malware detection using hardware features. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 109–129. Springer, Cham (2014). doi: 10.1007/978-3-319-11379-1_6Google Scholar
  29. 29.
    Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. J. Comput. Virol. 4(3), 179–195 (2008)CrossRefGoogle Scholar
  30. 30.
    Uhsadel, L., Georges, A., Verbauwhede, I.: Exploiting hardware performance counters. In: 5th Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2008, pp. 59–67, August 2008Google Scholar
  31. 31.
    Vila, P., Köpf, B.: Loophole: timing attacks on shared event loops in chrome. In: 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/vila
  32. 32.
    Willems, C., Hund, R., Fobian, A., Felsch, D., Holz, T., Vasudevan, A.: Down to the bare metal: using processor features for binary analysis. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC 2012, pp. 189–198. ACM, New York (2012)Google Scholar
  33. 33.
    Yang, Q., Gasti, P., Zhou, G., Farajidavar, A., Balagani, K.S.: On inferring browsing activity on smartphones via USB power analysis side-channel. IEEE Trans. Inf. Forensics Secur. 12(5), 1056–1066 (2017)CrossRefGoogle Scholar
  34. 34.
    Zankl, A., Miller, K., Heyszl, J., Sigl, G.: Towards efficient evaluation of a time-driven cache attack on modern processors. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 3–19. Springer, Cham (2016). doi: 10.1007/978-3-319-45741-3_1CrossRefGoogle Scholar
  35. 35.
    Zhang, N., Sun, K., Shands, D., Lou, W., Hou, Y.T.: TruSpy: cache side-channel information leakage from the secure world on arm devices. Cryptology ePrint Archive, Report 2016/980 (2016). http://eprint.iacr.org/2016/980

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Berk Gulmezoglu
    • 1
  • Andreas Zankl
    • 2
  • Thomas Eisenbarth
    • 1
  • Berk Sunar
    • 1
  1. 1.Worcester Polytechnic InstituteWorcesterUSA
  2. 2.Fraunhofer Research Institution AISECMunichGermany

Personalised recommendations