Researchers discover JavaScript-free attack that affects Apple M1 chips

Posted:
in General Discussion edited March 11
Security researchers have discovered what appears to be the first browser side-channel attack that's Javascript-free, and Apple M1 chips may be more vulnerable to it.

Credit: Andrew O'Hara, AppleInsider
Credit: Andrew O'Hara, AppleInsider


The attack is built entirely from HTML and CSS, and is described as "architecturally agnostic." The researchers say they've found it to work across Intel, Samsung, AMD, and Apple Silicon CPUs, according to The 8-Bit.

According to a research paper published by Cornell University, the researchers say they started with the goal of exploring how effective disabling or restricting JavaScript could be in mitigating attacks.

Through the course of their research, the team was able to create a new side-channel proof of concept built entirely in CSS and HTML, which could open the door to "microarchitectural website fingerprinting attacks." It works even if script execution is completely blocked on a browser, they said.

The vulnerability could allow an attacker to eavesdrop on a user's web activity by leveraging features in the target's packet sequence. Not only can it bypass JavaScript being disabled, but it also disregards privacy technologies like VPNs or TOR.

The team, made up of researchers at the University of Michigan, University of the Negev, and University of Adelaide, say that they tested the attack on Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures. Interestingly, while almost all CPU architectures are susceptible to the attack, the researchers claim that Apple's M1 and Samsung Exynos chips may be a bit more vulnerable to their exploits.

"Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies," the researchers wrote.

Even secure browsers like Tor, Deter-Fox, and Chrome Zero were found to be at least somewhat vulnerable to their CSS and HTML attack.

However, for the M1 chip, the team notes that the memory and cache subsystems of the Apple Silicon has yet to be studied in detail. Because of that, there may be a "grace period" in which attackers in the wild may find it difficult to target the Apple chips.

The researchers notified each chipmaker of their findings. In a statement to the researchers, Apple said the public disclosure of the attack didn't raise any concerns.

As far as potential fixes, the researchers say that the attack can be mitigated with either software or hardware updates. "The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system," they wrote.

This is the second vulnerability found to affect Apple's M1 chip that has surfaced in as many months. In February, researchers discovered a mysterious malware strain called Silver Sparrow that had the ability to run natively on Mac devices with M1 chips.

Who's at risk, and how to protect yourself

The research described in the paper is more of a proof of concept that side-channel attacks are hard to prevent. At this point, it doesn't appear like this type of vulnerability is actively being exploited in the wild on Apple Silicon.

Because Apple was provided a copy of the research prior to publication, it's likely that the company is actively looking into the severity of the vulnerability. A fix for it, either in Safari or macOS, may arrive in the future.

Comments

  • Reply 1 of 10
    mknelsonmknelson Posts: 827member
    So, affects pretty much everybody.

    Chrome Zero - the browser you can't find in a Google Search, but plenty of zero-day reports! Well done!  :D
    watto_cobra
  • Reply 2 of 10
    bloggerblogbloggerblog Posts: 2,078member
    So they discovered the government’s “back door” 
    watto_cobra
  • Reply 3 of 10
    At least as described in the paper, this finding isn't that alarming on it's own.  It's impressive that they could do it, but the information they can glean (at this point) is relatively trivial.  They can high a high degree of certainty predicted whether you have recently visited a web page--that they themselves have accessed.  So if today I went to page with their exploit, if they were checking whether I had recently been to the AI home page, they would be able to predict that I had.  That's not great, but it's not putting anything I care about (except my browsing habits) at risk.  The key parts are a) they have to "ask" about a particular page, b) they have to have the contents of that page, and c) all they get back is an estimate of the likelihood that I frequent that page.  Again, that's very impressive and creepy, but for most people this isn't a serious exploit.
    applguywatto_cobra
  • Reply 4 of 10
    MplsPMplsP Posts: 3,260member
    It seems like this is primarily a software bug rather than a hardware one and as such should be able to be patched with an update. 

    I’m not really seeing how it’s different from the other bugs that need patching. 
    muthuk_vanalingamwatto_cobra
  • Reply 5 of 10
    crowleycrowley Posts: 8,743member
    I don't even understand how a HTML/CSS exploit could affect a computer at the microprocessor level.  Seems mental.
  • Reply 6 of 10
    At least as described in the paper, this finding isn't that alarming on it's own.  It's impressive that they could do it, but the information they can glean (at this point) is relatively trivial.  They can high a high degree of certainty predicted whether you have recently visited a web page--that they themselves have accessed.  So if today I went to page with their exploit, if they were checking whether I had recently been to the AI home page, they would be able to predict that I had.  That's not great, but it's not putting anything I care about (except my browsing habits) at risk.  The key parts are a) they have to "ask" about a particular page, b) they have to have the contents of that page, and c) all they get back is an estimate of the likelihood that I frequent that page.  Again, that's very impressive and creepy, but for most people this isn't a serious exploit.
    Imagine Facebook, TikTok, Twitter or any other internet-scale business with an advertising-funded financial basis taking advantage of this approach. Google already have pretty much every web page that ever existed cached somewhere.

    So yes, as an individual attack path this is a minor risk to your devices. But the surveillance implications are ENORMOUS.
    watto_cobra
  • Reply 7 of 10
    For privacy, sure this isn’t good. As for a attack, not much. It isn’t installing malware or anything like that. 
    randominternetpersonwatto_cobra
  • Reply 8 of 10
    jdb8167jdb8167 Posts: 620member
    Calling Silver Sparrow a vulnerability is ridiculous. It is just compiled code signed with a developer certificate. Compiled for an M1 processor. It implies that anything malicious that is meant to run on a computer is a vulnerability. It renders the word vulnerability meaningless. 
    macplusplusRayz2016watto_cobra
  • Reply 9 of 10
    Potential problem with the research and conclusion is they used Chrome for testing Macs. Safari isn’t used or mentioned in the paper. Particularly, when they said M1s were more vulnerable, it was a comparison between Macs running Chrome. I’m wishing they used Safari and MS Edge as comparisons. Thankfully the paper was free to read through. 
    watto_cobra
  • Reply 10 of 10
    MarvinMarvin Posts: 14,548moderator
    crowley said:
    I don't even understand how a HTML/CSS exploit could affect a computer at the microprocessor level.  Seems mental.
    The paper has some details on how they do this (figure 3):

    https://arxiv.org/pdf/2103.04952.pdf

    These exploits try to get an accurate timer so they can tell things like location and browser history. For browser history, it's not able to read it, it has to try loading random sites and tell based on timing if the user visited it. The CSS exploit uses long HTML class names (2 million characters) to slow down the browser lookups. This can be blocked by capping the string size.

    The kind of info they can get is not very detailed but for some cases, a location is enough. Website fingerprinting is trying to use the timings to tell which sites a person visited if those sites are in the cache. This could narrow down the user's location:

    http://www.ijsrd.com/articles/IJSRDV3I1080.pdf
    https://techxplore.com/news/2015-04-university-group-reveals-geo-inference-threat.html

    The attacker has to be able to load the page on the victim's computer so that's a big hurdle to overcome first. If law enforcement was tracking a drug dealer using encrypted networks, they might be able to narrow down the locations of people or transactions. Ad companies like Facebook and Google could use these techniques to further circumvent browser privacy measures.

    The amount of effort needed for these attacks to be useful and the limited info they provide means they shouldn't concern most people. They will be used by law enforcement for targeted attacks against people alongside other techniques. Here's a paper on techniques used on encrypted networks:

    https://www.sec.cs.tu-bs.de/pubs/2015-asiaccs.pdf

    When exploits are reported in the news, they are all labelled 'attacks' or 'malware' but exploits can vary a lot in what they do. An attack on a terminal shell to get root control over a computer is completely different from a browser attack that tries to guess where the user is located. They are all worth being aware of but a lot of them are only important to security researchers in the same way a rock hitting Saturn is for astronomers. They get excited about it and want everyone to know because it's their job but it doesn't have a real world impact on anyone else.
    Fidonet127randominternetpersonGG1muthuk_vanalingamwatto_cobra
Sign In or Register to comment.