w3c / hr-time

High Resolution Time
https://w3c.github.io/hr-time/
Other
52 stars 24 forks source link

Security and privacy considerations for DOMHighResTimeStamp resolution #79

Open igrigorik opened 5 years ago

igrigorik commented 5 years ago

Note: the intent of this issue is to provide a reference and track the ongoing research, discussions, proposals, and implementation techniques employed by various browsers on how they expose or provide access to high resolution time.


Paraphrasing Section 7.1: Clock resolution...

Access to accurate timing information, both for measurement and scheduling purposes, is a common requirement for many applications... This specification defines an API that provides sub-millisecond time resolution, which is more accurate than the previously available millisecond resolution exposed by DOMTimeStamp.

... Access to the same accurate timing information can sometimes be also used for malicious purposes by an attacker to guess and infer data that they can't see or access otherwise.

To ensure that the new API does not significantly improve the accuracy or speed of such attacks, the recommended minimum resolution of the DOMHighResTimeStamp type should be inaccurate enough to prevent attacks... In order to mitigate such attacks user agents may deploy any technique they deem necessary. These techniques may include: Resolution reduction, added jitter, abuse detection and/or API call throttling.

This problem space space remains an unsolved and an evolving one. There is no existing industry consensus or a definitive set of recommendations that applies to all browsers, which is reflected in the range of different implementations and platform-specific techniques used by various browsers.


Relevant prior art and discussions:

  1. Reducing resolution (SPECTRE and microarchitecture timing attacks): https://github.com/w3c/hr-time/issues/56
  2. PING review feedback: https://github.com/w3c/hr-time/issues/20
yoavweiss commented 5 years ago

Thanks for filing that!

When looking at this space, I think it's critical to understand which of the potential attack vectors are not either of:

I also think that any such remaining attack vectors are something which we should take into consideration with any of the implicit timers we have or planning to have in the platform (SharedArrayBuffers, postMessage, requestAnimationFrame, Date.now(), etc).

tildelowengrimm commented 5 years ago

@yoavweiss Am I correct in understanding that this is the single open issue which represents the items raised by PING during review?

igrigorik commented 5 years ago

@tomlowenthal per my note in the introduction..

the intent of this issue is to provide a reference and track the ongoing research, discussions, proposals, and implementation techniques employed by various browsers on how they expose or provide access to high resolution time.

As discussed in https://github.com/w3c/hr-time/issues/20#issuecomment-506804763 (please see linked doc), HR-Time as a spec offers more than sub-millisecond resolution and the intent of this thread is specifically to track ongoing discussions on various implementation strategies of providing sub-millisecond resolution. If that's what you're referring to in your comment, then yes this is the right thread to continue the conversation.

pes10k commented 5 years ago

Thanks for following up here everyone. Just to reiterate, there are a number of concerns with exposing / adding more HRT timers; the concern is not only that Spectre mitigations don't address all the privacy violating timing attacks on the platform. Here's an overview of the topics that came up in the previous issue, and during the calls we had.

Technical concerns

Spectre mitigations (e.g. process isolation) address only some of the ways HRT can be used to harm privacy. Exactly which attacks depend on implementation details, but a partial list include:

1: Micro architecture attacks

  1. History Sniffing
    • Smith, Michael, et al. "Browser history re: visited." 12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18). 2018.

Would be happy to share more examples as needed…

Existing timing sources are rarer than they appear

Much of the argument is that there are already many existing HRT sources, so adding more has low marginal privacy cost. Besides being a privacy-harming way of approaching the issue (b/c of the way that functionality is hard to extract from the environment, privacy-debt-etc), we also believe that there are less of existing sources of HRT that are suggested.

The frequently cited paper, "Fantastic Timers", conflates async implicit timers (e.g. postMessage), which would be much easier to address w/o breaking existing sites, w/ synchronous timers (e.g. performance.now) which would be harder to remediate w/o breaking promised / standardized functionality (e.g. a 5us performance.now enables 2ns-resolution timing).

Process concerns

W3C generally expects to shipping implementations of a standard prior to standardization. Firefox and Safari both don't implement the core feature of the standard (namely returning high-resolution time stamps), and so the standard does not seem to meet the expected bar.

Additionally, it's not a good practice to ship this standard, under the expectation that a future standard will correct it. That removes flexibility / options from the people working on that future standard, leaves users vulnerable in the interim, and makes it difficult-to-impossible the privacy impact of the current standard while the future standard is in flux.

Not User Serving

To echo the point @samuelweiler made on the call, the user-serving case for the feature seem narrow and uncommon. Making HRT globally available, when their user-serving cases are narrow, violates basic privacy and security principals (e.g. least privilege, etc.). The user serving cases mentioned in the standard appear to be achievable with greatly restricted feature availability.

Precaution

There are mountains of papers and attacks that leverage HRT timing signals. Its worth being extremely cautious before introducing more sources of HRT into the environment then, especially (but not only) because the positive use cases seem very uncommon.

igrigorik commented 5 years ago

@snyderp thanks for your feedback. I feel that we're (still) talking past each other a bit here though..

These bits, I believe, we agree on.

W3C generally expects to shipping implementations of a standard prior to standardization. Firefox and Safari both don't implement the core feature of the standard (namely returning high-resolution time stamps), and so the standard does not seem to meet the expected bar.

I disagree with this evaluation. Please see our earlier discussion in https://github.com/w3c/hr-time/issues/20#issuecomment-506804763. The specification offers multiple important features, one of which is exposing DOMHighResTimestamp, and specifically allows user agents to adjust the exposed resolution. Implementations that chose to raise it to same same resolution as Date.now(), or anything in between 5us-1ms, are compliant.

The user serving cases mentioned in the standard appear to be achievable with greatly restricted feature availability.

This touches on the same themes I covered in https://github.com/w3c/hr-time/issues/20#issuecomment-506804763. Unfortunately I'm not aware of any strategies to restrict access with reasonable consensus amongst implementers.

yoavweiss commented 5 years ago

Technical concerns

@snyderp - Thanks for outlining your concerns. I understand you're relatively new to the standards world, but here we typically try to be respectful of people's time and avoid sending multiple ~20 page papers as an exercise to the reader. In the future when referring to such work, it'd be great if you could link to it, and sum up the different attacks that it details.

In order to better communicate your concerns to folks on this issue, I took the liberty to try and sum up the attacks you pointed out.

1: Micro architecture attacks

  • Andrysco, Marc, et al. "On subnormal floating point and abnormal timing." 2015 IEEE Symposium on Security and Privacy. IEEE, 2015.

This attack is a "pixel stealing" attack (which can reveal sensitive contents inside a cross-origin resource or iframe, or the user's history through :visited links).

It is using the following facts:

The attack then:

While the attack does use performance.now(), it doesn't really rely on its sub-millisecond characteristics and mostly relies on requestAnimationFrame(), which has 16ms granularity by default. I suspect that Date.now() would have done just fine here, and no high-precision timers are needed for this attack to be successful.

If I had to look for the root cause here, I'd probably start with the application of SVG filters across-origins in unrestricted ways (e.g. in ways that enable the element() CSS function to inspect its results).

  • Kohlbrenner, David, and Hovav Shacham. "On the effectiveness of mitigations against floating-point timing channels." 26th {USENIX} Security Symposium ({USENIX} Security 17). 2017.

This fascinating talk explores mitigations to the previously described pixel-stealing vulnerability, and bugs in those mitigations.

The mitigations described:

Note that no browser considered disabling or adding a permission prompt for the use of requestAnimationFrame().

  • Oren, Yossef, et al. "The spy in the sandbox: Practical cache attacks in javascript and their implications." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015.

This attack is based on the fact that some CPU caches are shared between different processes and other trust boundaries, and timing attacks can be used to inspect those caches and conclude things regarding user activity (e.g. keystroke/mouse events, presence of a user through ambient light sensors, etc).

A few highlights from the paper:

IIRC, that last point is the reason the granularity of HR-time was limited to 5 microseconds.

@snyderp - Do you know how native OSes deal with that type of attacks? Are they limiting access to timers in similar scenarios? Are there other mitigations used there that we could borrow?

  1. History Sniffing
  • Smith, Michael, et al. "Browser history re: visited." 12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18). 2018.

This paper presents four different attacks which reveal the user's history.

IMO, the root cause for all these attacks that inspect :visited links is, well... the existence of :visited links across origins. We should double-key visited links (at least by default), so that they'd be decorated on the top-level origin where the user originally clicked those links, but not on unrelated sites, running a risk of exposing the user's browser history.

Would be happy to share more examples as needed…

Could you share examples where these 3 conditions are met?

Existing timing sources are rarer than they appear

Much of the argument is that there are already many existing HRT sources, so adding more has low marginal privacy cost. Besides being a privacy-harming way of approaching the issue (b/c of the way that functionality is hard to extract from the environment, privacy-debt-etc), we also believe that there are less of existing sources of HRT that are suggested.

The frequently cited paper, "Fantastic Timers", conflates async implicit timers (e.g. postMessage), which would be much easier to address w/o breaking existing sites, w/ synchronous timers (e.g. performance.now) which would be harder to remediate w/o breaking promised / standardized functionality (e.g. a 5us performance.now enables 2ns-resolution timing).

Could you expand on how performance.now() enables 2ns resolution?

samuelweiler commented 5 years ago

I'm continuing some discussions in https://github.com/w3c/hr-time/issues/20

annevk commented 4 years ago

89 might be of interest.

I don't really understand the Firefox claim above by the way, is there a test that demonstrates the issue?

pes10k commented 4 years ago

@annevk if its not correct that Firefox is still reducing the precision of DOMHighResTimeStamps, thats good to know. It might be that policy has changed (this issue is > a year old), or I could have been incorrect from the gitgo, OR maybe i confused the mitigations discussed here (https://developer.mozilla.org/en-US/docs/Web/API/DOMHighResTimeStamp) with whats is / was shipping at the time.

annevk commented 4 years ago

Precision is reduced (since yesterday modulo cross-origin isolated, which made me file #89), but the specification explicitly encourages that.

rniwa commented 4 years ago

FWIW, we have no plan to change the precision of 1ms for now.

npm1 commented 4 years ago

Should we change some of the spec wording where it's mentioning 'sub-millisecond' resolution? AFAIK that's not a spec requirement, and it may be better to avoid saying this if Webkit does not provide sub-millisecond resolution.

clelland commented 2 years ago

@yoavweiss, it's not clear whether there's anything actionable here. Do we need to append any of this discussion to the privacy section of the spec, or have the relevant coarsening issues been dealt with in the meantime?

yoavweiss commented 2 years ago

Agree that this is not actionable, but we were asked to keep this issue open to enable feedback from PING. @pes10k - should we still keep this open?