iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices

Files

hdl_142178.pdf (2.21 MB)
  (Published version)

Date

2023

Authors

Kim, J.
van Schaik, S.
Genkin, D.
Yarom, Y.

Type

Conference paper

Citation

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS'23), 2023, pp. 2038-2052

Statement of Responsibility

Jason Kim, Stephan van Schaik, Daniel Genkin, Yuval Yarom

Conference Name

ACM SIGSAC Conference on Computer and Communications Security (CCS) (26 Nov 2023 - 30 Nov 2023 : Copenhagen, Denmark)

Abstract

Over the past few years, the high-end CPU market has been undergoing a transformational change. Moving away from using x86 as the sole architecture for high-performance devices, we have witnessed the introduction of computing devices with heavyweight Arm CPUs. Among these, perhaps the most influential was the introduction of Apple’s M-series architecture, aimed at completely replacing Intel CPUs in the Apple ecosystem. However, while significant effort has been invested in analyzing x86 CPUs, the Apple ecosystem remains largely unexplored. In this paper, we set out to investigate the resilience of the Apple ecosystem to speculative side-channel attacks. We first establish the basic toolkit needed for mounting side-channel attacks, such as the structure of caches and CPU speculation depth. We then tackle Apple’s degradation of the timer resolution in both native and browser-based code. Remarkably, we show that distinguishing cache misses from cache hits can be done without time measurements, replacing timing-based primitives with timerless and architecture-agnostic counterparts based on race conditions. Finally, we use our distinguishing primitive to construct eviction sets and mount Spectre attacks, all while avoiding the use of timers. We then evaluate Safari’s side-channel resilience. We bypass the compressed 35-bit addressing and the value-poisoning countermeasures, creating a primitive that can speculatively read and leak any 64-bit address within Safari’s rendering process. Combining this with a new method for consolidating websites from different domains into the same renderer process, we demonstrate end-to-end attacks leaking sensitive information, such as passwords, inbox content, and locations, from popular services such as Google.

Rights

© 2023 Copyright held by the owner/author(s). This work is licensed under a Creative Commons Attribution International 4.0 License.