Defending against JavaScript side-channels

  1. JavaScript has ArrayBuffers, which are effectively a block of virtual memory that is directly accessible to the user in a fast and efficient way.
  2. Browsers allocate ArrayBuffers in a page-aligned manner (at the start of a new physical page, i.e. with the least significant 12 bits of the address set to 0).
  3. Browsers use mmap to allocate larger chunks of memory.
  4. mmap is optimized to allocate 2 MB transparent huge pages (THP).

  1. Buffer ASLR: When you ask for an ArrayBuffer, behind the scenes the request adds an extra 4 KB. The array you get back is randomly located within that "size + 4 KB" region that was actually allocated. This prevents attackers from assuming that the array starts at a new physical page.
  2. Preloading: When the array is allocated, the system proceeds to iterate through it, triggering all the page faults. That way, the user can't trigger page faults by iterating through the array (it's already loaded in memory!) and so can't find page boundaries.
  3. Non-determinism: The array's setter is modified so that each access also involves an access to a random location in the same array. That way, the attacker can't know the actual index at which a page fault was triggered (it prevents the user from simply waiting for the preloaded pages to be swapped out).
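As an added illustration (not code from the article or from any browser engine), the snippet below models the three mitigations in plain JavaScript on top of an ordinary ArrayBuffer: over-allocate by one page and hand out a view at a random offset (Buffer ASLR), touch every page of the backing store up front (preloading), and make every store also read a random element of the same array (non-determinism). A real deployment would live inside the engine's allocator, where the page-alignment and mmap behaviour from the first list actually arises; the `allocateHardenedBuffer` and `pageOffsets` names, and the Math.random fallback for runtimes without Web Crypto, are assumptions made for this example.

```javascript
// Added illustration (not from the article or any browser engine): a user-space
// model of the three mitigations, applied to a plain ArrayBuffer. A real version
// would live inside the JavaScript engine's allocator; the goal here is only to
// make the three ideas concrete and testable.

const PAGE_SIZE = 4096; // 4 KB page, as in the text

// Random integer in [0, n). Uses the Web Crypto API where available; the
// Math.random fallback is an assumption for runtimes without globalThis.crypto.
function randomInt(n) {
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    const word = new Uint32Array(1);
    globalThis.crypto.getRandomValues(word);
    return word[0] % n; // unbiased when n divides 2^32, which holds for n = 4096
  }
  return Math.floor(Math.random() * n);
}

let sink = 0; // keeps the decoy reads from being optimised away

function allocateHardenedBuffer(requestedLength) {
  // 1. Buffer ASLR: allocate one extra page and hand out a view that starts at a
  //    random byte offset inside it, so index 0 is no longer page-aligned.
  const backing = new ArrayBuffer(requestedLength + PAGE_SIZE);
  const offset = randomInt(PAGE_SIZE);
  const data = new Uint8Array(backing, offset, requestedLength);

  // 2. Preloading: touch one byte in every page of the backing store now, so the
  //    page faults happen here rather than during attacker-timed accesses.
  const whole = new Uint8Array(backing);
  for (let i = 0; i < whole.length; i += PAGE_SIZE) {
    whole[i] = 0;
  }

  // 3. Non-determinism: every store also reads a random element of the same
  //    array, so a page fault observed during a store cannot be pinned to the
  //    index the caller actually wrote.
  return {
    length: requestedLength,
    byteOffset: offset, // exposed only so the example can show the randomisation
    get(i) {
      return data[i];
    },
    set(i, value) {
      if (requestedLength > 0) {
        sink ^= data[randomInt(requestedLength)]; // decoy access
      }
      data[i] = value;
    },
  };
}

// Collects the start offsets of `count` hardened allocations, to show that the
// user-visible array no longer starts at a page boundary (offset 0) every time.
function pageOffsets(count, length) {
  const seen = new Set();
  for (let k = 0; k < count; k++) {
    seen.add(allocateHardenedBuffer(length).byteOffset);
  }
  return seen;
}
```

Reads are left untouched on purpose: the article only describes instrumenting the setter, and the decoy is a read so that it can never corrupt the caller's data. Exposing `byteOffset` is for demonstration only; an engine-level implementation would keep the offset hidden from script.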

That Tall Bald Indian Guy…
