The Spy in the Sandbox -- Practical Cache Attacks in Javascript

TL;DR

This paper demonstrates a practical micro-architectural cache side-channel attack that operates entirely within a web browser, enabling remote data exfiltration without software installation, posing significant security risks.

Contribution

It introduces the first browser-based cache attack that exploits micro-architectural features, expanding the threat landscape of web security.

Findings

Attack successfully recovers data from other processes and virtual machines.

High bandwidth covert channel established for data exfiltration.

Constructed a system-wide activity logger using the attack.

Abstract

We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine -- to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al., allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on other benign uses of the web browser and of the computer.