TY - GEN
T1 - Cache timing attacks revisited
T2 - 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015
AU - Bansal, Chetan
AU - Preibusch, Sören
AU - Milic-Frayling, Natasa
N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2015.
PY - 2015
Y1 - 2015
N2 - Cache Timing Attacks (CTAs) have been shown to leak Web browsing history. Until recently, they were deemed a limited threat to individuals’ privacy because of their narrow attack surface and vectors, and a lack of robustness and efficiency. Our attack implementation exploits the Web Worker APIs to parallelise cache probing (300 requests/second) and applies time-outs on cache requests to prevent cache pollution. We demonstrate robust cache attacks at the browser, operating system and Web proxy level. Private browsing sessions, HTTPS and corporate intranets are vulnerable. Through case studies of (1) anti-phishing protection in online banking, (2) Web search using the address bar in browsers, (3) publishing of personal images in social media, and (4) use of desktop search, we show that CTAs can seriously compromise privacy and security of individuals and organisations. Options for protection from CTAs are limited. The lack of effective defence, and the ability to mount attacks without cooperation of other websites, makes the improved CTAs serious contenders for cyber-espionage and a broad consumer and corporate surveillance.
KW - Browser history sniffing
KW - Cache timing attacks
KW - Cyber-espionage
KW - Cyber-security
KW - Privacy
UR - http://www.scopus.com/inward/record.url?scp=84942636681&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-18467-8_7
DO - 10.1007/978-3-319-18467-8_7
M3 - Conference contribution
AN - SCOPUS:84942636681
SN - 9783319184661
T3 - IFIP Advances in Information and Communication Technology
SP - 97
EP - 111
BT - ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings
A2 - Federrath, Hannes
A2 - Gollmann, Dieter
PB - Springer New York LLC
Y2 - 26 May 2015 through 28 May 2015
ER -