Re: fast and somewhat reliable cache timing

[xD 0x41 <secn3t () gmail com>]

Yea, is interesting, i tested it on Firefox v8 windowsXP platform and
it did not find anything, mind you i use 'private browsing' for *all*
browsing... so i am wondering if that maybe helps keeping my cache
secure... i also noticed that it returned no results, when in fact i
had just been redirected from gmail to there, wich would mean
google.com would have shown... so, private-browsing must be a safer
way to browse.. very awesome PoC, i do recall also some botnet source
codes in .cpp codes of bots wich can dump caches of upto i think FF4
or so now..when the dlls were used to store things possibly... i have
not kept up with it, but that was in alot of bots, just called
pstore.cpp and similarly the cmd could be done with .pstore
website.com ,and that would do a cache search, for abut 5-6 browsers
in one.. it managed to work with IE and FF anyhow, i tested srcs of
120- and nzmbot and they were able to extract infos they shouldnt
have...
Your eBook is definately on my to read list, and i am already l;ooking
at the chapter.3 you give away free on your blog, actually, i know
*anything* you write about, is going to be good :)
cheers mate.
d


On 3 December 2011 22:50, Michele Orru <antisnatchor () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Great PoC Michal,
>
> I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX
> 10.6.8 and is reliable.
>
> I'm certainly adding it to the BeEF project.
>
> Cheers
> antisnatchor
>
> Michal Zalewski wrote:
> > Evening,
> >
> > This party trick is not particularly exciting, but hopefully
> > highlights a vaguely interesting point:
> >
> > http://lcamtuf.coredump.cx/cachetime/
> >
> > In essence, in the past few years, browser vendors have severely
> > crippled CSS :visited selectors in order to prevent CSS-based history
> > snooping that made the headlines not long ago (see, for example,
> > http://wtikay.com).  Although it's fairly obvious that other privacy
> > side channels, such as cache timing, theoretically disclose comparable
> > data, the attacks demonstrated so far offered, at best, vaguely
> > probabilistic results (say,
> > http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
> > cache probing was considered destructive, which significantly limited
> > its usability.
> >
> > Consequently, an argument was made that CSS :visited offered unique
> > performance and reliability benefits and needed to be addressed
> > separately, while no serious work takes place on the remaining
> > vectors.
> >
> > My PoC exploits cache timing in Firefox in what appears to be a fairly
> > fast and reliable way. It is a crude hack, so it will probably fail
> > for some of you - but it's probably still interesting. The key point
> > is that to probe for cached content without immediately polluting the
> > cache, we abort navigation before the HTTP request is made. We also
> > work around setTimeout / setInterval clamps by leveraging event
> > delivery.
> >
> > PS. If this is even remotely interesting, you may also enjoy
> > http://lcamtuf.coredump.cx/tangled/
> >
> > Cheers,
> > /mz
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW
> C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR
> 7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX
> 50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm
> 11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk
> Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE=
> =nUp+
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/