Simple explanation of what is "CSS PP0"?

[barbaz]

v 11.2.4rc1
============================================================
x CSS resources prefetching as a mitigation against CSS PP0
(https://github.com/Yossioren/pp0)

I tried to read about this "CSS PP0" but couldn't get my head around the information in that link or their website. Could someone please explain at my level what is "CSS PP0"? Thanks.

[Giorgio Maone]

Probably my fault, since in the changelog I've referenced the code repository containing the proof of concept artifacts, rather than the main page containing the abstract and the actual paper, which is quite an enjoyable read.
What we're talking about is a cache-timing side channel attack, i.e. part of a class of attacks aimed at stealing "secrets" (such as cryptographic keys or passwords) memory by exploiting caches at any level (from the CPU architecture up to the application and the network layer).
Famous examples are Spectre and Meltdown, which can be exploited using JavaScript as demonstrated here.
Yossi Oren and his team here demonstrate how to mount an attack in the same class (in this specific case aimed at leaking the pages open in the other tabs of the same browser) abusing less and less of the JavaScript features which are thought to be required (e.g. various kind of timers and pseudo-timers) and culminating with the scriptless, entirely CSS-based, Prime+Probe attack which, as such, evades even NoScript: not in the Tor Browser, because of DNS noise introduced by the Tor network, and hopefully not from 11.2.4 on

[barbaz]

Thanks Giorgio for explaining the security consequences of this exploit. I did try to read that main page and the paper before posting, but still can't get my head around it and how it works

Looking at the NoScript code, I played around with a simple <link rel="stylesheet"> on my local server, and noticed couple things -

1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -

Code: Select all

SecurityError: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet prefetchCSSResources.js:52

Does it matter?

2) In the prefetchCSSResources.js file -

Code: Select all

function prefetchCSSResources(only3rdParty = fals, ruleCallback = null) {

Is "fals" intended to be "false"?

[Giorgio Maone]

1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -

Code: Select all

SecurityError: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet prefetchCSSResources.js:52

Does it matter?

This might matter, and I'm working on a way to fix it.

2) In the prefetchCSSResources.js file -

Code: Select all

function prefetchCSSResources(only3rdParty = fals, ruleCallback = null) {

Is "fals" intended to be "false"?

Yes, it is, and it's already fixed in NSCL, but this actually does not matter for NoScript, which passes that argument explicitly.

[skriptimaahinen]

Two things that came in to mind when skimming through the white paper:

The paper does not seem to mention what FireFox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, FireFox has been doing cache partitioning, that supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for FireFox?

The requirement for the CSS PP0 appears to be attacker controlled DNS server, which is pretty tall order in itself. The paper seems to only mention extracting info about the sites the victim has visited. Assuming that the attacker is already logging your DNS queries for all the sites you visit, can the cache probing reveal much anything else?

[Giorgio Maone]

The paper does not seem to mention what FireFox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, FireFox has been doing cache partitioning, that supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for FireFox?

The whole class of attacks is aimed at CPU memory caches, not browser caches. It's meant to guess secrets (e.g. crypto keys) from volatile memory by exploiting the different latency between "primed" (recently accessed) data and the rest.
This is pretty browser-independent (the Tor Browser is immune just because of the way it handles DNS requests, introducing a lot of noise).
Browser cache partitioning, instead, prevents 3rd parties site to guess navigation-related secrets cross-site by measuring the time to access resources, but it's a different story.

The requirement for the CSS PP0 appears to be attacker controlled DNS server, which is pretty tall order in itself.

Not at all. The attacker just needs to configure an authoritative DNS server from a domain name under his control, with a 0 TTL and never actually resolved the random subdmains generated by the attack page, in order to be reached no matter the DNS server actually configured in the browser (a similar trick is used for any DNS rebinding attack).