First Browser-Based Side-Channel attack against Apple’s M1 chips works even with Javascript disabled; more so than other architectures

M1 Chip Image

A team of researchers has demonstrated a new browser-based side-channel attack that works even if Javascript is blocked, one that affects hardware platforms including Intel Core, AMD Ryzen, Samsung Exynos, and even Apple’s M1 chips. Surprisingly, the researchers concluded that due to simpler cache replacement policies, their attacks are more effective on the M1 and Exynos chips.

To demonstrate the attack, researchers developed a sequence of attacks with decreased dependence on Javascript features which led to the “first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets (CSS) and HTML, and works even when script execution is completely blocked.

It’s also imperative to note that these attacks were demonstrated mainly using Google’s Chrome browser irrespective of the architecture. And due to the differences between security implementations of different browsers, the results of the attack may vary. So, if this test was performed on Safari on a Mac, it is likely the test would have returned a different result.

This vulnerability may lead to microarchitectural website fingerprinting attacks, the researchers say. A website fingerprinting attack allows an eavesdropper to determine the target’s web activity by leveraging features from the target’s packet sequence. This also effectively disregards the application of most privacy-protecting technologies such as VPNs, proxies, or even TOR.

According to a paper published by the researchers behind the demonstration, Javascript has become a popular way of conducting side-channel attacks. However, browsers employ a method in which an attacker is barred from precisely measuring time which is apparently essential in Javascript-based side-channel attacks.

“Side-channel attackers, in turn, attempt to get around these restrictions by creating makeshift timers with varying accuracies through the exploitation of other browser APIs, such as message passing or multithreading,” according to the paper.

Vulnerability
Closed-world accuracy across different architectures.

Among all the efforts made by browsers to block Javascript-based side-channel attacks, the easiest option is to disable Javascript entirely. Apple, for instance, offers an option within Safari settings on macOS to disable Javascript entirely as a way to mitigate such attacks.

Despite that, the new form of the attack demonstrated by researchers from universities in the United States, Australia, and Israel is effective as it only relies on CSS and HTML, making it the first side-channel attack that works on Apple’s M1 chips, while there is precedent among other processors affected by it including Intel-based Macs.

According to the research paper, the analysis is focused on Prime + Probe, which is a cache side-channel attack that holds the ability to detect which cache sets are accessed by the target, which can then be used to gain insight on the target:

“Besides being influenced by defenses, microarchitectural attacks are also affected by an increased hardware diversification in consumer devices. While the market for high-end processors used to be dominated by Intel, the past few years have seen an increase in popularity of other alternatives, such as AMD’s Zen architecture, Samsung’s Exynos, and the recently launched Apple M1 cores.

Empirically demonstrating this, we evaluate our attacks on AMD’s Ryzen, Samsung’s Exynos, and Apple’s M1 architectures. Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies.”

The level of success of the attack depends on the targeted architecture and the defenses employed within. The attack even works against hardened browser environments including Tor Browser, Chrome Zero, and more on devices with Intel, AMD, Samsung, and Apple’s M1 chips.

The researchers went on to notify the impacted chip vendors. Apple responded stating that the public disclosure of their findings does not raise any concerns.

“We hypothesize that the M1 architecture makes use of less advanced cache heuristics, and that, as a result, the simplistic memory sweeps our attack performs are more capable of flushing the entire cache on these devices than they are on the Intel architecture.

Cache attacks cannot be prevented by reduced timer resolution, by the abolition of timers, threads, or arrays, or even by completely disabling scripting support. This implies that any secret-bearing process which shares cache resources with a browser connecting to untrusted websites is potentially at risk of exposure.”

Finally, the researchers note that since the memory and cache subsystem of Apple’s M1 chips haven’t been studied in detail yet, it leaves room for a “grace period” where attackers will find the target difficult to conquer. Nevertheless, it’s still possible.

This paper published by researchers treads more on the possibility of a browser-based, side-channel attack on Apple’s and other manufacturers chip architectures as opposed to an describing as an imminent threat or calling it a certainty. This is mainly because conducting a cache timing attack is quite difficult.

This is the second vulnerability found that affects Apple’s M1 Macs in a span of two months. Last month, security researchers from Red Canary discovered a dormant but dangerous malware called Silver Sparrow that has the ability to natively run on Macs with M1 Chips, affecting more than 30,000 users.

Apple implemented necessary measures including revoking certificates for the developer’s account from where the malware originated. While this rules out new Macs from being affected, M1-based Macs which already contain the malware are still at risk.

The full paper is an interesting read. you can check it out here.


Update 4:20 PM PT: Updated the article for improved clarity.