I tried to read about this "CSS PP0" but couldn't get my head around the information in that link or their website. Could someone please explain at my level what is "CSS PP0"? Thanks.https://noscript.net/getit#devel wrote:v 11.2.4rc1
============================================================
x CSS resources prefetching as a mitigation against CSS PP0
(https://github.com/Yossioren/pp0)
Simple explanation of what is "CSS PP0"?
Simple explanation of what is "CSS PP0"?
*Always* check the changelogs BEFORE updating that important software!
			                        -
						- Giorgio Maone
- Site Admin
- Posts: 9528
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Simple explanation of what is "CSS PP0"?
Probably my fault, since in the changelog I've referenced the code repository containing the proof of concept artifacts, rather than the main page containing the abstract and the actual paper, which is quite an enjoyable read.
What we're talking about is a cache-timing side channel attack, i.e. part of a class of attacks aimed at stealing "secrets" (such as cryptographic keys or passwords) memory by exploiting caches at any level (from the CPU architecture up to the application and the network layer).
Famous examples are Spectre and Meltdown, which can be exploited using JavaScript as demonstrated here.
Yossi Oren and his team here demonstrate how to mount an attack in the same class (in this specific case aimed at leaking the pages open in the other tabs of the same browser) abusing less and less of the JavaScript features which are thought to be required (e.g. various kind of timers and pseudo-timers) and culminating with the scriptless, entirely CSS-based, Prime+Probe attack which, as such, evades even NoScript: not in the Tor Browser, because of DNS noise introduced by the Tor network, and hopefully not from 11.2.4 on
			
			
									
						
										                        What we're talking about is a cache-timing side channel attack, i.e. part of a class of attacks aimed at stealing "secrets" (such as cryptographic keys or passwords) memory by exploiting caches at any level (from the CPU architecture up to the application and the network layer).
Famous examples are Spectre and Meltdown, which can be exploited using JavaScript as demonstrated here.
Yossi Oren and his team here demonstrate how to mount an attack in the same class (in this specific case aimed at leaking the pages open in the other tabs of the same browser) abusing less and less of the JavaScript features which are thought to be required (e.g. various kind of timers and pseudo-timers) and culminating with the scriptless, entirely CSS-based, Prime+Probe attack which, as such, evades even NoScript: not in the Tor Browser, because of DNS noise introduced by the Tor network, and hopefully not from 11.2.4 on

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
						Re: Simple explanation of what is "CSS PP0"?
Thanks Giorgio for explaining the security consequences of this exploit.  I did try to read that main page and the paper before posting, but still can't get my head around it and how it works   
 
Looking at the NoScript code, I played around with a simple <link rel="stylesheet"> on my local server, and noticed couple things -
1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -
Does it matter?
2) In the prefetchCSSResources.js file -
Is "fals" intended to be "false"?
			
			
									
						
							 
 Looking at the NoScript code, I played around with a simple <link rel="stylesheet"> on my local server, and noticed couple things -
1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -
Code: Select all
SecurityError: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet prefetchCSSResources.js:522) In the prefetchCSSResources.js file -
Code: Select all
function prefetchCSSResources(only3rdParty = fals, ruleCallback = null) {*Always* check the changelogs BEFORE updating that important software!
			                        -
						- Giorgio Maone
- Site Admin
- Posts: 9528
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Simple explanation of what is "CSS PP0"?
This might matter, and I'm working on a way to fix it.barbaz wrote: ↑Sun Mar 14, 2021 5:50 pm 1) For cross-origin stylesheets, and stylesheets blocked by uBlock Origin, I get this error -Does it matter?Code: Select all
SecurityError: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet prefetchCSSResources.js:52
Yes, it is, and it's already fixed in NSCL, but this actually does not matter for NoScript, which passes that argument explicitly.barbaz wrote: ↑Sun Mar 14, 2021 5:50 pm 2) In the prefetchCSSResources.js file -Is "fals" intended to be "false"?Code: Select all
function prefetchCSSResources(only3rdParty = fals, ruleCallback = null) {
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
						- 
				skriptimaahinen
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Re: Simple explanation of what is "CSS PP0"?
Two things that came in to mind when skimming through the white paper:
The paper does not seem to mention what FireFox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, FireFox has been doing cache partitioning, that supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for FireFox?
The requirement for the CSS PP0 appears to be attacker controlled DNS server, which is pretty tall order in itself. The paper seems to only mention extracting info about the sites the victim has visited. Assuming that the attacker is already logging your DNS queries for all the sites you visit, can the cache probing reveal much anything else?
			
			
									
						
										                        The paper does not seem to mention what FireFox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, FireFox has been doing cache partitioning, that supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for FireFox?
The requirement for the CSS PP0 appears to be attacker controlled DNS server, which is pretty tall order in itself. The paper seems to only mention extracting info about the sites the victim has visited. Assuming that the attacker is already logging your DNS queries for all the sites you visit, can the cache probing reveal much anything else?
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
						- Giorgio Maone
- Site Admin
- Posts: 9528
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Simple explanation of what is "CSS PP0"?
The whole class of attacks is aimed at CPU memory caches, not browser caches. It's meant to guess secrets (e.g. crypto keys) from volatile memory by exploiting the different latency between "primed" (recently accessed) data and the rest.skriptimaahinen wrote: ↑Sun Apr 04, 2021 8:53 am The paper does not seem to mention what FireFox version they used, if any at all besides DeterFox and TorBrowser. Since FF85, FireFox has been doing cache partitioning, that supposedly prevents timing attacks on caches among other things. Is the PP0 attack still valid for FireFox?
This is pretty browser-independent (the Tor Browser is immune just because of the way it handles DNS requests, introducing a lot of noise).
Browser cache partitioning, instead, prevents 3rd parties site to guess navigation-related secrets cross-site by measuring the time to access resources, but it's a different story.
Not at all. The attacker just needs to configure an authoritative DNS server from a domain name under his control, with a 0 TTL and never actually resolved the random subdmains generated by the attack page, in order to be reached no matter the DNS server actually configured in the browser (a similar trick is used for any DNS rebinding attack).skriptimaahinen wrote: ↑Sun Apr 04, 2021 8:53 am The requirement for the CSS PP0 appears to be attacker controlled DNS server, which is pretty tall order in itself.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
						