Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome
Date
2024
Authors
O'Connell, S.
Sour, L.A.
Magen, R.
Genkin, D.
Oren, Y.
Shacham, H.
Yarom, Y.
Type:
Conference paper
Citation
Proceedings of the 33rd USENIX Security Symposium, 2024, pp. 3331-3348
Statement of Responsibility
Sioli O'Connell, Lishay Aben Sour, Ron Magen, Daniel Genkin, Yossi Oren, Hovav Shacham, and Yuval Yarom
Conference Name
33rd USENIX Security Symposium (14 Aug 2024 - 16 Aug 2024 : Philadelphia, PA, USA)
Abstract
Web privacy is challenged by pixel-stealing attacks, which allow attackers to extract content from embedded iframes and to detect visited links. To protect against multiple pixel-stealing attacks that exploited timing variations in SVG filters, browser vendors repeatedly adapted their implementations to eliminate timing variations. In this work we demonstrate that past efforts are still not sufficient. We show how web-based attackers can mount cache-based side-channel attacks to monitor data-dependent memory accesses in filter rendering functions. We identify conditions under which browsers elect the non-default CPU implementation of SVG filters, and develop techniques for achieving access to the high-resolution timers required for cache attacks. We then develop efficient techniques to use the pixel-stealing attack for text recovery from embedded pages and to achieve high-speed history sniffing. To the best of our knowledge, our attack is the first to leak multiple bits per screen refresh, achieving an overall rate of 267 bits per second.
Rights
Open access to the Proceedings of the 33rd USENIX Security Symposium is sponsored by USENIX.