Researchers discover JavaScript-free attack that affects Apple M1 chips
Security researchers have discovered what appears to be the first browser side-channel attack that's Javascript-free, and Apple M1 chips may be more vulnerable to it.
-l.jpg)
Credit: Andrew O'Hara, AppleInsider
The attack is built entirely from HTML and CSS, and is described as "architecturally agnostic." The researchers say they've found it to work across Intel, Samsung, AMD, and Apple Silicon CPUs, according to The 8-Bit.
According to a research paper published by Cornell University, the researchers say they started with the goal of exploring how effective disabling or restricting JavaScript could be in mitigating attacks.
Through the course of their research, the team was able to create a new side-channel proof of concept built entirely in CSS and HTML, which could open the door to "microarchitectural website fingerprinting attacks." It works even if script execution is completely blocked on a browser, they said.
The vulnerability could allow an attacker to eavesdrop on a user's web activity by leveraging features in the target's packet sequence. Not only can it bypass JavaScript being disabled, but it also disregards privacy technologies like VPNs or TOR.
The team, made up of researchers at the University of Michigan, University of the Negev, and University of Adelaide, say that they tested the attack on Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures. Interestingly, while almost all CPU architectures are susceptible to the attack, the researchers claim that Apple's M1 and Samsung Exynos chips may be a bit more vulnerable to their exploits.
"Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies," the researchers wrote.
Even secure browsers like Tor, Deter-Fox, and Chrome Zero were found to be at least somewhat vulnerable to their CSS and HTML attack.
However, for the M1 chip, the team notes that the memory and cache subsystems of the Apple Silicon has yet to be studied in detail. Because of that, there may be a "grace period" in which attackers in the wild may find it difficult to target the Apple chips.
The researchers notified each chipmaker of their findings. In a statement to the researchers, Apple said the public disclosure of the attack didn't raise any concerns.
As far as potential fixes, the researchers say that the attack can be mitigated with either software or hardware updates. "The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system," they wrote.
This is the second vulnerability found to affect Apple's M1 chip that has surfaced in as many months. In February, researchers discovered a mysterious malware strain called Silver Sparrow that had the ability to run natively on Mac devices with M1 chips.
Because Apple was provided a copy of the research prior to publication, it's likely that the company is actively looking into the severity of the vulnerability. A fix for it, either in Safari or macOS, may arrive in the future.
Credit: Andrew O'Hara, AppleInsider
The attack is built entirely from HTML and CSS, and is described as "architecturally agnostic." The researchers say they've found it to work across Intel, Samsung, AMD, and Apple Silicon CPUs, according to The 8-Bit.
According to a research paper published by Cornell University, the researchers say they started with the goal of exploring how effective disabling or restricting JavaScript could be in mitigating attacks.
Through the course of their research, the team was able to create a new side-channel proof of concept built entirely in CSS and HTML, which could open the door to "microarchitectural website fingerprinting attacks." It works even if script execution is completely blocked on a browser, they said.
The vulnerability could allow an attacker to eavesdrop on a user's web activity by leveraging features in the target's packet sequence. Not only can it bypass JavaScript being disabled, but it also disregards privacy technologies like VPNs or TOR.
The team, made up of researchers at the University of Michigan, University of the Negev, and University of Adelaide, say that they tested the attack on Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures. Interestingly, while almost all CPU architectures are susceptible to the attack, the researchers claim that Apple's M1 and Samsung Exynos chips may be a bit more vulnerable to their exploits.
"Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies," the researchers wrote.
Even secure browsers like Tor, Deter-Fox, and Chrome Zero were found to be at least somewhat vulnerable to their CSS and HTML attack.
However, for the M1 chip, the team notes that the memory and cache subsystems of the Apple Silicon has yet to be studied in detail. Because of that, there may be a "grace period" in which attackers in the wild may find it difficult to target the Apple chips.
The researchers notified each chipmaker of their findings. In a statement to the researchers, Apple said the public disclosure of the attack didn't raise any concerns.
As far as potential fixes, the researchers say that the attack can be mitigated with either software or hardware updates. "The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system," they wrote.
This is the second vulnerability found to affect Apple's M1 chip that has surfaced in as many months. In February, researchers discovered a mysterious malware strain called Silver Sparrow that had the ability to run natively on Mac devices with M1 chips.
Who's at risk, and how to protect yourself
The research described in the paper is more of a proof of concept that side-channel attacks are hard to prevent. At this point, it doesn't appear like this type of vulnerability is actively being exploited in the wild on Apple Silicon.Because Apple was provided a copy of the research prior to publication, it's likely that the company is actively looking into the severity of the vulnerability. A fix for it, either in Safari or macOS, may arrive in the future.
Comments
Chrome Zero - the browser you can't find in a Google Search, but plenty of zero-day reports! Well done!
So yes, as an individual attack path this is a minor risk to your devices. But the surveillance implications are ENORMOUS.
https://arxiv.org/pdf/2103.04952.pdf
These exploits try to get an accurate timer so they can tell things like location and browser history. For browser history, it's not able to read it, it has to try loading random sites and tell based on timing if the user visited it. The CSS exploit uses long HTML class names (2 million characters) to slow down the browser lookups. This can be blocked by capping the string size.
The kind of info they can get is not very detailed but for some cases, a location is enough. Website fingerprinting is trying to use the timings to tell which sites a person visited if those sites are in the cache. This could narrow down the user's location:
http://www.ijsrd.com/articles/IJSRDV3I1080.pdf
https://techxplore.com/news/2015-04-university-group-reveals-geo-inference-threat.html
The attacker has to be able to load the page on the victim's computer so that's a big hurdle to overcome first. If law enforcement was tracking a drug dealer using encrypted networks, they might be able to narrow down the locations of people or transactions. Ad companies like Facebook and Google could use these techniques to further circumvent browser privacy measures.
The amount of effort needed for these attacks to be useful and the limited info they provide means they shouldn't concern most people. They will be used by law enforcement for targeted attacks against people alongside other techniques. Here's a paper on techniques used on encrypted networks:
https://www.sec.cs.tu-bs.de/pubs/2015-asiaccs.pdf
When exploits are reported in the news, they are all labelled 'attacks' or 'malware' but exploits can vary a lot in what they do. An attack on a terminal shell to get root control over a computer is completely different from a browser attack that tries to guess where the user is located. They are all worth being aware of but a lot of them are only important to security researchers in the same way a rock hitting Saturn is for astronomers. They get excited about it and want everyone to know because it's their job but it doesn't have a real world impact on anyone else.