Defending against JavaScript side-channels

  1. JavaScript has ArrayBuffers, which are effectively a block of virtual memory that the script can access directly, quickly and efficiently.
  2. Browsers allocate ArrayBuffers page-aligned: the buffer starts at the beginning of a new physical page, so the least significant 12 bits of its address are ‘0’.
  3. Browsers use mmap to allocate larger chunks of memory.
  4. mmap is optimized to allocate 2 MB transparent huge pages (THP).

  1. Buffer ASLR: when a script asks for an ArrayBuffer, the request is silently enlarged by an extra 4KB. The array handed back is placed at a random offset within that “size + 4KB” allocation, so an attacker can no longer assume that the array starts at a new physical page.
  2. Preloading: once the array is allocated, the system iterates through it, triggering all of its page faults up front. An attacker’s script then can’t find page boundaries by iterating through the array and watching for page faults (the pages are already loaded in memory!).
  3. Non-determinism: the array’s setter is modified so that every access also touches a random location in the same array. The attacker therefore can’t know the actual index at which a page fault was triggered (this also stops the attacker from simply waiting for the preloaded pages to be swapped out).
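As an added example (not code from the post or from any browser engine), here is a user-land JavaScript sketch of the three mitigations: a view at a random offset inside an over-allocated buffer for Buffer ASLR, a pass over every page for Preloading, and a Proxy whose get/set traps add a decoy access for Non-determinism. The 4096-byte page size, the `allocateHardened`/`pageOffset` names and the use of `Math.random` as the randomness source are assumptions of this sketch.

```javascript
// Added example: emulates the three ArrayBuffer hardening steps in user land.
// A real engine would do this inside its allocator and typed-array setter.
const PAGE = 4096; // assumed page size, matching the post's 4KB figure

// Returns true for property keys that look like array indices ("0", "17", ...).
function isIndex(prop) {
  return typeof prop === 'string' && /^\d+$/.test(prop);
}

// Decoy access: read one random element of the backing view so that the
// element an attacker asked for is not the only one touched.
function touchRandom(target) {
  const decoy = Math.floor(Math.random() * target.length);
  return target[decoy];
}

// Offset of element 0 inside its page; 0 would mean "page-aligned".
function pageOffset(view) {
  return view.byteOffset % PAGE;
}

function allocateHardened(size) {
  // 1. Buffer ASLR: over-allocate by one page and start the visible view at a
  //    random byte offset within that extra page.
  const backing = new ArrayBuffer(size + PAGE);
  const offset = Math.floor(Math.random() * PAGE); // 0 .. PAGE-1
  const view = new Uint8Array(backing, offset, size);

  // 2. Preloading: touch one byte of every page now (read then write so the
  //    page is both mapped and writable) instead of on the attacker's access.
  const whole = new Uint8Array(backing);
  for (let i = 0; i < whole.length; i += PAGE) {
    whole[i] = whole[i];
  }

  // 3. Non-determinism: every indexed read or write through the Proxy also
  //    performs a decoy access at a random index of the same array.
  return new Proxy(view, {
    get(target, prop) {
      if (isIndex(prop)) touchRandom(target);
      return Reflect.get(target, prop); // receiver stays the real typed array
    },
    set(target, prop, value) {
      if (isIndex(prop)) touchRandom(target);
      return Reflect.set(target, prop, value);
    },
  });
}
```

Call `pageOffset(allocateHardened(n))` repeatedly to see that the start offset varies from allocation to allocation instead of always being 0.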



That Tall Bald Indian Guy…
