Full Disclosure mailing list archives
Re: fast and somewhat reliable cache timing
From: xD 0x41 <secn3t () gmail com>
Date: Sun, 4 Dec 2011 08:09:12 +1100
Yea, it is interesting, I tested it on Firefox v8 on the Windows XP platform and it did not find anything, mind you I use 'private browsing' for *all* browsing... so I am wondering if that maybe helps keeping my cache secure... I also noticed that it returned no results, when in fact I had just been redirected from gmail to there, which would mean google.com would have shown... so, private-browsing must be a safer way to browse.. very awesome PoC, I do recall also some botnet source codes in .cpp codes of bots which can dump caches of up to I think FF4 or so now.. when the dlls were used to store things possibly... I have not kept up with it, but that was in a lot of bots, just called pstore.cpp and similarly the cmd could be done with .pstore website.com, and that would do a cache search, for about 5-6 browsers in one.. it managed to work with IE and FF anyhow, I tested srcs of 120- and nzmbot and they were able to extract infos they shouldn't have... Your eBook is definitely on my to-read list, and I am already looking at the chapter 3 you give away free on your blog, actually, I know *anything* you write about, is going to be good :) cheers mate.

d

On 3 December 2011 22:50, Michele Orru <antisnatchor () gmail com> wrote:
Great PoC Michal, I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX 10.6.8 and it is reliable. I'm certainly adding it to the BeEF project.

Cheers
antisnatchor

Michal Zalewski wrote:

Evening,

This party trick is not particularly exciting, but hopefully highlights a vaguely interesting point:

http://lcamtuf.coredump.cx/cachetime/

In essence, in the past few years, browser vendors have severely crippled CSS :visited selectors in order to prevent CSS-based history snooping that made the headlines not long ago (see, for example, http://wtikay.com). Although it's fairly obvious that other privacy side channels, such as cache timing, theoretically disclose comparable data, the attacks demonstrated so far offered, at best, vaguely probabilistic results (say, http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that, cache probing was considered destructive, which significantly limited its usability.

Consequently, an argument was made that CSS :visited offered unique performance and reliability benefits and needed to be addressed separately, while no serious work takes place on the remaining vectors.

My PoC exploits cache timing in Firefox in what appears to be a fairly fast and reliable way. It is a crude hack, so it will probably fail for some of you - but it's probably still interesting.

The key point is that to probe for cached content without immediately polluting the cache, we abort navigation before the HTTP request is made. We also work around setTimeout / setInterval clamps by leveraging event delivery.

PS. If this is even remotely interesting, you may also enjoy http://lcamtuf.coredump.cx/tangled/

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/