SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers

Thomas Rokicki, Clementine Maurice, Pierre Laperdrix
2021 2021 IEEE European Symposium on Security and Privacy (EuroS&P)  
JavaScript-based timing attacks have been greatly explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside of the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks multiplied in the last years, so did the countermeasures, in a cat-and-mouse game fashion. In this paper, we present the
more » ... evolution and current situation of timing attacks in browsers, as well as statistical tools to characterize available timers. Our goal is to present a clear view of the attack surface and understand: what are the main prerequisites and classes of browser-based timing attacks and what are the main countermeasures. We focus on determining to what extent the changes on timing-based countermeasures impact browser security. In particular, we show that the shift in protecting against transient execution attacks has re-enabled other attacks such as microarchitectural side-channel attacks with a higher bandwidth than what was possible just two years ago. 7. Implementations of site isolation for firefox are developed. COOP/ COEP are implemented in Chrome but have no impact on timers.
doi:10.1109/eurosp51992.2021.00039 fatcat:5mdajbpt5zf5znd46mvmouaqva