Title: Browser-Based Microarchitectural Side-Channel Attacks
Type: Thesis
Contributors: Ranasinghe, Damith; Yarom, Yuval; O'Connell, Sioli Tiafau
Date: 2025-07-28
Year: 2025
Handle: https://hdl.handle.net/2440/146360
Language: en
Keywords: microarchitectural side-channel attacks; website fingerprinting; pixel stealing; history sniffing; prime+probe; javascript; web browsers; cross-origin isolation; site isolation

Abstract:

Web browsers have become a critical component of the modern computing ecosystem. They execute code from websites to enable rich interactions; however, this capability can be exploited by malicious websites to launch attacks directly on user devices. The risk is further amplified by microarchitectural side-channel attacks, which leverage hardware characteristics to leak sensitive data. Although comprehensive theoretical countermeasures exist, they are often impractical for use across entire browsers. As a result, browser vendors have resorted to implementing ad-hoc countermeasures to address these threats. This issue raises the central question of this thesis: are these ad-hoc countermeasures effective in protecting users against microarchitectural side-channel attacks?

To answer this question, the thesis investigates and implements microarchitectural variants of four attack types: website fingerprinting, pixel stealing, memory disclosure, and reduced-round encryption attacks. The thesis begins by investigating the underlying causes of leakage in three recent microarchitectural website-fingerprinting attacks. The findings reveal that multiple independent sources contribute to the observed leakage, each leaking sufficient information to enable website fingerprinting. These results suggest that effective protection requires comprehensive and multi-faceted countermeasures.

The thesis then introduces two attacks, Pixel Thief and Spook.js, both of which are practical, end-to-end microarchitectural attacks implemented in JavaScript and capable of targeting modern browsers. Pixel Thief is a cache-based pixel-stealing attack that leverages data-dependent memory access patterns in Scalable Vector Graphics filters to recover portions of rendered webpages. Spook.js is a memory disclosure attack that exploits transient type confusion to access arbitrary process memory. Together, these attacks demonstrate that previous mitigation efforts against microarchitectural threats are insufficient.

Finally, the thesis presents a proof-of-concept (PoC) attack against controlled leakage in security type systems through a reduced-round encryption attack on the Advanced Encryption Standard (AES). Security type systems enable developers to annotate secret values, allowing the compiler to automatically enforce protections against leakage. These systems often assume sequential execution; however, modern processors exhibit out-of-order execution. The PoC attack exploits this mismatch in execution semantics to leak secret values by triggering controlled leakage earlier than the developer intended.

While this thesis shows that ad-hoc countermeasures have been insufficient, it does not claim they are ineffective. The attacks presented here have had reduced impact, required more sophisticated implementation techniques, and required stronger assumptions about adversarial capabilities, demonstrating the efficacy of these countermeasures. Furthermore, this work has informed browser vendors and website operators in the development of new countermeasures that further reduce the threat posed by microarchitectural attacks.