Simple explanation of what is "CSS PP0"?

General discussion about the NoScript extension for Firefox
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Simple explanation of what is "CSS PP0"?

Post by barbaz »

https://noscript.net/getit#devel wrote:
v 11.2.4rc1
============================================================
x CSS resources prefetching as a mitigation against CSS PP0
(https://github.com/Yossioren/pp0)
I tried to read about this "CSS PP0" but couldn't get my head around the information in that link or their website. Could someone please explain at my level what is "CSS PP0"? Thanks.
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Simple explanation of what is "CSS PP0"?

Post by Giorgio Maone »

Probably my fault, since in the changelog I've referenced the code repository containing the proof-of-concept artifacts, rather than the main page containing the abstract and the actual paper, which is quite an enjoyable read.
What we're talking about is a cache-timing side-channel attack, i.e. part of a class of attacks aimed at stealing "secrets" (such as cryptographic keys or passwords) from memory by exploiting caches at any level (from the CPU architecture up to the application and the network layer).
Famous examples are Spectre and Meltdown, which can be exploited using JavaScript as demonstrated here.
Yossi Oren and his team here demonstrate how to mount an attack in the same class (in this specific case aimed at leaking the pages open in the other tabs of the same browser) abusing less and less of the JavaScript features which are thought to be required (e.g. various kinds of timers and pseudo-timers), culminating in the scriptless, entirely CSS-based Prime+Probe attack which, as such, evades even NoScript: not in the Tor Browser, because of DNS noise introduced by the Tor network, and hopefully not from 11.2.4 on :)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Simple explanation of what is "CSS PP0"?

Post by barbaz »

Thanks Giorgio for explaining the security consequences of this exploit. I did try to read that main page and the paper before posting, but still can't get my head around it and how it works :?

Looking at the NoScript code, I played around with a simple <link rel="stylesheet"> on my local server, and noticed a couple of things -

1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -

Code:
SecurityError: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet prefetchCSSResources.js:52
Does it matter?

2) In the prefetchCSSResources.js file -

Code:
function prefetchCSSResources(only3rdParty = fals, ruleCallback = null) {
Is "fals" intended to be "false"?
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Simple explanation of what is "CSS PP0"?

Post by Giorgio Maone »

barbaz wrote: Sun Mar 14, 2021 5:50 pm
1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -

Code:
SecurityError: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet prefetchCSSResources.js:52
Does it matter?
This might matter, and I'm working on a way to fix it.
barbaz wrote: Sun Mar 14, 2021 5:50 pm
2) In the prefetchCSSResources.js file -

Code:
function prefetchCSSResources(only3rdParty = fals, ruleCallback = null) {
Is "fals" intended to be "false"?
Yes, it is, and it's already fixed in NSCL, but this actually does not matter for NoScript, which passes that argument explicitly.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
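An added example (not NoScript's own prefetchCSSResources.js, and not code from the thread) of the mitigation idea discussed above: collect every resource URL a stylesheet would load and fetch them all up front, so that which URL loads, and when, no longer depends on the page's state. It also shows how the cross-origin `cssRules` SecurityError quoted above can be caught rather than crash the prefetch. The scanner, the `only3rdParty` meaning ("origin differs from the sheet's own") and the text-fetch fallback are assumptions of this example.

```javascript
// Added example, not NoScript's own prefetchCSSResources.js: gather every
// resource URL a stylesheet would load so they can all be fetched up front,
// which removes the "which URL loaded, and when" signal the CSS-based attack
// relies on. Assumptions: a url()/@import scanner rather than a full CSS
// parser, and "third party" meaning an origin other than the sheet's own.
const CSS_REF_RE =
  /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)|@import\s+["']([^"']+)["']/gi;

function collectCSSResources(cssText, baseURL, only3rdParty = false) {
  const base = new URL(baseURL);
  const found = new Set();
  for (const m of cssText.matchAll(CSS_REF_RE)) {
    const raw = m[1] ?? m[2] ?? m[3] ?? m[4];
    if (!raw || /^data:/i.test(raw)) continue;       // data: URIs load nothing
    let abs;
    try { abs = new URL(raw, base); } catch { continue; } // skip malformed refs
    if (!/^https?:$/.test(abs.protocol)) continue;   // only network fetches matter
    if (only3rdParty && abs.origin === base.origin) continue;
    found.add(abs.href);
  }
  return [...found];
}

// Reading a live CSSStyleSheet: cross-origin sheets throw the SecurityError
// quoted in the thread when cssRules is read, so report that instead of
// crashing and let the caller fall back to fetching the sheet's text.
function stylesheetSource(sheet) {
  try {
    const rules = [...sheet.cssRules].map(r => r.cssText).join("\n");
    return { cssText: rules, crossOrigin: false };
  } catch (e) {
    if (e.name !== "SecurityError") throw e;
    return { cssText: null, crossOrigin: true, href: sheet.href };
  }
}

// Browser-side driver (assumed fetchFn is window.fetch): prefetch everything.
async function prefetchStylesheet(sheet, fetchFn, only3rdParty = false) {
  let { cssText, crossOrigin, href } = stylesheetSource(sheet);
  if (crossOrigin) cssText = await (await fetchFn(href)).text();
  const urls = collectCSSResources(cssText, sheet.href, only3rdParty);
  await Promise.all(urls.map(u => fetchFn(u, { mode: "no-cors" }).catch(() => {})));
  return urls;
}
```

In a page you would call `prefetchStylesheet(sheet, fetch)` for each entry of `document.styleSheets`; the fallback fetch of a cross-origin sheet's text only works where CORS allows it, which is the same limit the thread's error reflects.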
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Simple explanation of what is "CSS PP0"?

Post by skriptimaahinen »

Two things that came in to mind when skimming through the white paper:

The paper does not seem to mention what Firefox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, Firefox has been doing cache partitioning, which supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for Firefox?

The requirement for the CSS PP0 appears to be an attacker-controlled DNS server, which is a pretty tall order in itself. The paper seems to only mention extracting info about the sites the victim has visited. Assuming that the attacker is already logging your DNS queries for all the sites you visit, can the cache probing reveal much of anything else?
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Simple explanation of what is "CSS PP0"?

Post by Giorgio Maone »

skriptimaahinen wrote: Sun Apr 04, 2021 8:53 am
The paper does not seem to mention what Firefox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, Firefox has been doing cache partitioning, which supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for Firefox?
The whole class of attacks is aimed at CPU memory caches, not browser caches. It's meant to guess secrets (e.g. crypto keys) from volatile memory by exploiting the different latency between "primed" (recently accessed) data and the rest.
This is pretty browser-independent (the Tor Browser is immune just because of the way it handles DNS requests, introducing a lot of noise).
Browser cache partitioning, instead, prevents 3rd-party sites from guessing navigation-related secrets cross-site by measuring the time to access resources, but it's a different story.
skriptimaahinen wrote: Sun Apr 04, 2021 8:53 am
The requirement for the CSS PP0 appears to be an attacker-controlled DNS server, which is a pretty tall order in itself.
Not at all. The attacker just needs to configure an authoritative DNS server for a domain name under his control, with a 0 TTL and never actually resolving the random subdomains generated by the attack page, so that it is reached no matter which DNS server is actually configured in the browser (a similar trick is used for any DNS rebinding attack).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0