A group of researchers has uncovered what looks to be the first browser-based side-channel attack that’s built entirely from CSS and HTML. The JavaScript-free attack has been found to work across most modern CPUs including Intel, AMD, Samsung, and Apple Silicon. Interestingly, the findings say Apple’s M1 and Samsung’s Exynos chips can sometimes be more susceptible to these novel attacks.

Cornell University published the new security paper by a group of researchers from University of Michigan, Ben-Gurion University of the Negev, and University of Adelaide (via The 8-bit).

In the opening, the researchers note that the usual fix to prevent cache-based side-channel attacks through browsers is to “disable or restrict JavaScript features deemed essential for carrying out attacks” with the goal to find out how effective that approach is.

In their work, they were able to create a new side-channel browser-based attack consisting of just CSS and HTML that makes it “architecturally agnostic” which opens the door to “microarchitectural website fingerprinting attacks.” That also means turning off JavaScript won’t prevent this type of attack.

While it looks like almost all architectures are susceptible to this newly discovered attack, the paper says that new Apple Silicon M1 and Samsung Exynos chips “are sometimes” weaker than Intel CPUs in this instance, possibly because of their cache design.

To assess the effectiveness of this approach, in this work we seek to identify those JavaScript features which are essential for carrying out a cache-based attack. We develop a sequence of attacks with progressively decreasing dependency on JavaScript features, culminating in the first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets (CSS) and HTML, and works even when script execution is completely blocked. We then show that avoiding JavaScript features makes our techniques architecturally agnostic, resulting in microarchitectural website fingerprinting attacks that work across hardware platforms including Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 architectures.

Going further, the researchers found that the new attack worked to a degree even with hardened browsers such as Tor, Deter-Fox, and Chrome Zero.

Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies.

The paper was given ahead of publication to Apple, Intel, AMD, Chrome, and Mozilla.

As for fixes, the researchers say both software and hardware updates can solve the vulnerability.

Last week we saw a security update with macOS 11.2.3 that fixed an issue with web content that could lead to arbitrary code execution, first discovered by Google’s Threat Analysis team. We’ll keep an eye out for a future update that might protect against this new browser-based side-channel attack discovered in the paper above.

The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system.

  • Apple acts to prevent further spread of Silver Sparrow Mac malware
  • Mysterious macOS malware discovered with M1 optimization, threat remains unclear
  • First Apple Silicon optimized malware discovered in the wild