Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome

Sioli O'Connell; Lishay Aben Sour; Ron Magen; Daniel Genkin; Yossi Oren; Hovav Shacham; Yuval Yarom

Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome

Sioli O'Connell
, Lishay Aben Sour
, Ron Magen
, Daniel Genkin
, Yossi Oren
, Hovav Shacham
, Yuval Yarom

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Web privacy is challenged by pixel-stealing attacks, which allow attackers to extract content from embedded iframes and to detect visited links. To protect against multiple pixel-stealing attacks that exploited timing variations in SVG filters, browser vendors repeatedly adapted their implementations to eliminate timing variations. In this work we demonstrate that past efforts are still not sufficient. We show how web-based attackers can mount cache-based side-channel attacks to monitor data-dependent memory accesses in filter rendering functions. We identify conditions under which browsers elect the non-default CPU implementation of SVG filters, and develop techniques for achieving access to the high-resolution timers required for cache attacks. We then develop efficient techniques to use the pixel-stealing attack for text recovery from embedded pages and to achieve high-speed history sniffing. To the best of our knowledge, our attack is the first to leak multiple bits per screen refresh, achieving an overall rate of 267 bits per second.

Original language	English
Title of host publication	Proceedings of the 33rd USENIX Security Symposium
Publisher	USENIX Association
Pages	3331-3348
Number of pages	18
ISBN (Electronic)	9781939133441
State	Published - 1 Jan 2024
Event	33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States Duration: 14 Aug 2024 → 16 Aug 2024

Publication series

Name	Proceedings of the 33rd USENIX Security Symposium

Conference

Conference	33rd USENIX Security Symposium, USENIX Security 2024
Country/Territory	United States
City	Philadelphia
Period	14/08/24 → 16/08/24

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

@inproceedings{9644c63b415447d0b19f22c8c059d1b7,

title = "Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome",

abstract = "Web privacy is challenged by pixel-stealing attacks, which allow attackers to extract content from embedded iframes and to detect visited links. To protect against multiple pixel-stealing attacks that exploited timing variations in SVG filters, browser vendors repeatedly adapted their implementations to eliminate timing variations. In this work we demonstrate that past efforts are still not sufficient. We show how web-based attackers can mount cache-based side-channel attacks to monitor data-dependent memory accesses in filter rendering functions. We identify conditions under which browsers elect the non-default CPU implementation of SVG filters, and develop techniques for achieving access to the high-resolution timers required for cache attacks. We then develop efficient techniques to use the pixel-stealing attack for text recovery from embedded pages and to achieve high-speed history sniffing. To the best of our knowledge, our attack is the first to leak multiple bits per screen refresh, achieving an overall rate of 267 bits per second.",

author = "Sioli O'Connell and Sour, \{Lishay Aben\} and Ron Magen and Daniel Genkin and Yossi Oren and Hovav Shacham and Yuval Yarom",

note = "Publisher Copyright: {\textcopyright} USENIX Security Symposium 2024.All rights reserved.; 33rd USENIX Security Symposium, USENIX Security 2024 ; Conference date: 14-08-2024 Through 16-08-2024",

year = "2024",

month = jan,

day = "1",

language = "English",

series = "Proceedings of the 33rd USENIX Security Symposium",

publisher = "USENIX Association",

pages = "3331--3348",

booktitle = "Proceedings of the 33rd USENIX Security Symposium",

}

O'Connell, S, Sour, LA, Magen, R, Genkin, D, Oren, Y, Shacham, H & Yarom, Y 2024, Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome. in Proceedings of the 33rd USENIX Security Symposium. Proceedings of the 33rd USENIX Security Symposium, USENIX Association, pp. 3331-3348, 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, United States, 14/08/24.

Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome. / O'Connell, Sioli; Sour, Lishay Aben; Magen, Ron et al.
Proceedings of the 33rd USENIX Security Symposium. USENIX Association, 2024. p. 3331-3348 (Proceedings of the 33rd USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Pixel Thief

T2 - 33rd USENIX Security Symposium, USENIX Security 2024

AU - O'Connell, Sioli

AU - Sour, Lishay Aben

AU - Magen, Ron

AU - Genkin, Daniel

AU - Oren, Yossi

AU - Shacham, Hovav

AU - Yarom, Yuval

PY - 2024/1/1

Y1 - 2024/1/1

N2 - Web privacy is challenged by pixel-stealing attacks, which allow attackers to extract content from embedded iframes and to detect visited links. To protect against multiple pixel-stealing attacks that exploited timing variations in SVG filters, browser vendors repeatedly adapted their implementations to eliminate timing variations. In this work we demonstrate that past efforts are still not sufficient. We show how web-based attackers can mount cache-based side-channel attacks to monitor data-dependent memory accesses in filter rendering functions. We identify conditions under which browsers elect the non-default CPU implementation of SVG filters, and develop techniques for achieving access to the high-resolution timers required for cache attacks. We then develop efficient techniques to use the pixel-stealing attack for text recovery from embedded pages and to achieve high-speed history sniffing. To the best of our knowledge, our attack is the first to leak multiple bits per screen refresh, achieving an overall rate of 267 bits per second.

AB - Web privacy is challenged by pixel-stealing attacks, which allow attackers to extract content from embedded iframes and to detect visited links. To protect against multiple pixel-stealing attacks that exploited timing variations in SVG filters, browser vendors repeatedly adapted their implementations to eliminate timing variations. In this work we demonstrate that past efforts are still not sufficient. We show how web-based attackers can mount cache-based side-channel attacks to monitor data-dependent memory accesses in filter rendering functions. We identify conditions under which browsers elect the non-default CPU implementation of SVG filters, and develop techniques for achieving access to the high-resolution timers required for cache attacks. We then develop efficient techniques to use the pixel-stealing attack for text recovery from embedded pages and to achieve high-speed history sniffing. To the best of our knowledge, our attack is the first to leak multiple bits per screen refresh, achieving an overall rate of 267 bits per second.

UR - https://www.scopus.com/pages/publications/85204942724

M3 - Conference contribution

T3 - Proceedings of the 33rd USENIX Security Symposium

SP - 3331

EP - 3348

BT - Proceedings of the 33rd USENIX Security Symposium

PB - USENIX Association

Y2 - 14 August 2024 through 16 August 2024

ER -

Pixel Thief: Exploiting SVG Filter Leakage in Firefox and Chrome

Abstract

Publication series

Conference

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this