Even the Tor browser can be monitored with this malicious code
According to digital forensics experts, the data gathered this way could be used to run advertising campaigns targeted at the user, and to collect enough information about the user to build a profile, store it, and draw on it for future reference.
“We have demonstrated an attack method that could compromise the ‘user’s secrets’; the attack is able to discover which websites a user visits. This may reveal highly confidential information, such as the user’s sexual orientation, religious beliefs, political preferences, health conditions, etc.,” say digital forensics experts Yossi Oren (Ben-Gurion University, Israel) and Yuval Yarom (University of Adelaide, Australia) in a recently published security notice.
This attack vector may not be as serious as a remote attack technique such as arbitrary code execution, but the researchers believe there may be ways to adapt the technique to compromise other secrets on the computer, such as encryption keys, or to target vulnerable software. Tor browser users, for example, could face serious consequences if they fall victim to this attack while believing their searches are kept secret.
A side-channel attack (the mechanism that transient-execution attacks also rely on) involves monitoring some part of a computer system to collect indicators from which highly confidential information can be inferred. The Spectre, Meltdown and Foreshadow vulnerabilities (revealed this year) are exploited through this type of technique.
The specialists commented that this attack works at the most fundamental levels. “It works in places where Spectre cannot function (for example, through process limits), and patches crafted against Spectre cannot stop it,” they said.
One method used to mitigate these attacks is to limit access to high-precision timers, which are needed to collect side-channel measurements. For example, when the Spectre and Meltdown flaws were disclosed, Mozilla announced that it would disable or reduce the precision of time sources in Firefox, the company’s browser.
But this new browser fingerprinting technique does not need a high-precision timer, because it focuses on the occupancy of the processor’s cache, as the digital forensics specialists report.
“The cache occupancy measures the occupied percentage of the total cache for a specific period of time,” the investigators explained. “The browser uses a lot of memory, because it receives large amounts of data while displaying several outputs on the screen. This means that it uses a significant portion of the cache when a page is loaded.”
In addition, this approach does not depend on the cache design, which makes randomizing the cache layout (a risk mitigation technique) useless against this attack. The attack is also unaffected by defenses against network-based fingerprinting, such as serving a page from the browser’s response cache instead of the network, or shaping the network traffic.
When testing the attack on conventional browsers, the researchers were able to correctly classify between 70% and 90% of visited pages; in Tor, the attack achieved an accuracy of only 47%, but when additional data were taken into account, the accuracy rose to 72%, the researchers said.