Potential keystroke side-channel leakage
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
People
(Reporter: mccr8, Assigned: nika)
References
()
Details
(Keywords: csectype-disclosure, sec-moderate, Whiteboard: [pixel-stealing][post-critsmash-triage][adv-main107+][adv-esr102.5+])
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-esr102+
|
Details | Review |
|
296 bytes,
text/plain
|
Details |
I noticed a recently-public Chromium security issue involving possible cross-process leaking of information about keystrokes. The basic issue is something like, keyboard events have strings like "KeyA" associated with them that are at fixed, known, and widely-spread addresses. This means that using Prime+Probe kind of cache attacks you can maybe figure out which keys are being pressed.
Nika thinks we could be affected by the same issue, because the top level event table contains pointers to strings which the linker could put wherever, but we could also fix this by doing what the GK atoms stuff does that globs all of the strings together in a giant table. Chrome worked around it by dynamically generating the strings at runtime.
It sounds like a Chromium person thought a packed string table isn't sufficient: "this seems inevitable even with a closely packed string table, since the granulraity of the attack is ~cache-lines?".
I'm not sure what the rating for this should be. It looks like Chrome rated it Security_Severity-Medium.
|
Reporter | |
Comment 1•2 years ago
|
||
Nika said she might have time to implement the packed table approach.
|
||
Updated•2 years ago
|
|
||
Comment 2•2 years ago
|
||
They're dynamically generating them per-content-process after any sort of forkserver behavior, I assume. Otherwise I would think the content processes would share stringd at the same address and that just adds the step "Find the location of the strings in memory" to the attack, as an attacker reading process memory is within the threat-model post-Spectre.
This isn't really pixel stealing, but that tag has kind of become a catchall for timing attacks.
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Comment 4•2 years ago
|
||
Dynamically generate DOM code names for some continuous runs of codes, r=mccr8
https://hg.mozilla.org/integration/autoland/rev/ede1bcf6f11c0f75e450e4a7516b7aae8091817b
https://hg.mozilla.org/mozilla-central/rev/ede1bcf6f11c
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 5•2 years ago
|
||
Please nominate this for ESR102 approval when you get a chance. It grafts cleanly.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 6•2 years ago
|
||
Comment on attachment 9298651 [details]
Bug 1793676 - Dynamically generate DOM code names for some continuous runs of codes, r=mccr8!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Easy uplift for potential sec bug fixed by chromium
- User impact if declined: potential side-channel for keystrokes
- Fix Landed on Version: 107
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple change which grafts cleanly
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9298651 [details]
Bug 1793676 - Dynamically generate DOM code names for some continuous runs of codes, r=mccr8!
Approved for 102.5esr.
|
|
||
Comment 8•2 years ago
|
||
| uplift | ||
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 9•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•