JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits

Proceedings 2019 Network and Distributed System Security Symposium Pub Date : 2019-02-24 DOI:10.14722/ndss.2019.23155

Michael Schwarz, F. Lackner, D. Gruss

{"title":"JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits","authors":"Michael Schwarz, F. Lackner, D. Gruss","doi":"10.14722/ndss.2019.23155","DOIUrl":null,"url":null,"abstract":"Today, more and more web browsers and extensions provide anonymity features to hide user details. Primarily used to evade tracking by websites and advertisements, these features are also used by criminals to prevent identification. Thus, not only tracking companies but also law-enforcement agencies have an interest in finding flaws which break these anonymity features. For instance, for targeted exploitation using zero days, it is essential to have as much information about the target as possible. A failed exploitation attempt, e.g., due to a wrongly guessed operating system, can burn the zero-day, effectively costing the attacker money. Also for side-channel attacks, it is of the utmost importance to know certain aspects of the victim’s hardware configuration, e.g., the instruction-set architecture. Moreover, knowledge about specific environmental properties, such as the operating system, allows crafting more plausible dialogues for phishing attacks. In this paper, we present a fully automated approach to find subtle differences in browser engines caused by the environment. Furthermore, we present two new side-channel attacks on browser engines to detect the instruction-set architecture and the used memory allocator. Using these differences, we can deduce information about the system, both about the software as well as the hardware. As a result, we cannot only ease the creation of fingerprints, but we gain the advantage of having a more precise picture for targeted exploitation. Our approach allows automating the cumbersome manual search for such differences. We collect all data available to the JavaScript engine and build templates from these properties. If a property of such a template stays the same on one system but differs on a different system, we found an environment-dependent property. We found environment-dependent properties in Firefox, Chrome, Edge, and mobile Tor, allowing us to reveal the underlying operating system, CPU architecture, used privacy-enhancing plugins, as well as exact browser version. We stress that our method should be used in the development of browsers and privacy extensions to automatically find flaws in the implementation.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"45","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings 2019 Network and Distributed System Security Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14722/ndss.2019.23155","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 45

Abstract

Today, more and more web browsers and extensions provide anonymity features to hide user details. Primarily used to evade tracking by websites and advertisements, these features are also used by criminals to prevent identification. Thus, not only tracking companies but also law-enforcement agencies have an interest in finding flaws which break these anonymity features. For instance, for targeted exploitation using zero days, it is essential to have as much information about the target as possible. A failed exploitation attempt, e.g., due to a wrongly guessed operating system, can burn the zero-day, effectively costing the attacker money. Also for side-channel attacks, it is of the utmost importance to know certain aspects of the victim’s hardware configuration, e.g., the instruction-set architecture. Moreover, knowledge about specific environmental properties, such as the operating system, allows crafting more plausible dialogues for phishing attacks. In this paper, we present a fully automated approach to find subtle differences in browser engines caused by the environment. Furthermore, we present two new side-channel attacks on browser engines to detect the instruction-set architecture and the used memory allocator. Using these differences, we can deduce information about the system, both about the software as well as the hardware. As a result, we cannot only ease the creation of fingerprints, but we gain the advantage of having a more precise picture for targeted exploitation. Our approach allows automating the cumbersome manual search for such differences. We collect all data available to the JavaScript engine and build templates from these properties. If a property of such a template stays the same on one system but differs on a different system, we found an environment-dependent property. We found environment-dependent properties in Firefox, Chrome, Edge, and mobile Tor, allowing us to reveal the underlying operating system, CPU architecture, used privacy-enhancing plugins, as well as exact browser version. We stress that our method should be used in the development of browsers and privacy extensions to automatically find flaws in the implementation.

查看原文本刊更多论文

JavaScript模板攻击:自动推断主机信息的目标漏洞

如今，越来越多的web浏览器和扩展提供匿名功能来隐藏用户详细信息。这些功能主要用于逃避网站和广告的跟踪，也被犯罪分子用来防止身份识别。因此，不仅追踪公司，执法机构也有兴趣找到打破这些匿名特性的漏洞。例如，对于使用零天的目标利用，必须尽可能多地了解目标的信息。一次失败的利用尝试，例如，由于错误猜测操作系统，可以烧毁零日漏洞，有效地使攻击者损失金钱。此外，对于侧信道攻击，了解受害者硬件配置的某些方面是至关重要的，例如，指令集架构。此外，关于特定环境属性(如操作系统)的知识允许为网络钓鱼攻击制作更合理的对话。在本文中，我们提出了一种完全自动化的方法来发现由环境引起的浏览器引擎的细微差异。此外，我们还提出了两种新的针对浏览器引擎的侧信道攻击来检测指令集架构和使用的内存分配器。利用这些差异，我们可以推断出系统的信息，包括软件和硬件。因此，我们不仅可以简化指纹的创建，而且还可以获得更精确的图像以进行有针对性的利用。我们的方法允许对这些差异进行繁琐的手动搜索。我们收集JavaScript引擎可用的所有数据，并根据这些属性构建模板。如果这样一个模板的属性在一个系统上保持不变，但在另一个系统上有所不同，那么我们就找到了依赖于环境的属性。我们在Firefox、Chrome、Edge和移动Tor中发现了与环境相关的属性，使我们能够揭示底层操作系统、CPU架构、使用的隐私增强插件以及确切的浏览器版本。我们强调，我们的方法应该用于浏览器和隐私扩展的开发，以自动发现实现中的缺陷。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings 2019 Network and Distributed System Security Symposium

自引率

0.00%

发文量

文献相关原料

公司名称	产品信息	采购帮参考价格