Loophole: Timing Attacks on Shared Event Loops in Chrome
This exposes a security vulnerability in Chrome's event-driven architecture, posing risks to user privacy and system integrity, though it is incremental as it builds on known side-channel attack principles.
The paper demonstrates that shared event loops in Chrome are vulnerable to timing side-channel attacks, allowing spy processes to monitor usage patterns with high resolution and low overhead, which can be abused for web page identification, user behavior detection, and covert communication.
Event-driven programming (EDP) is the prevalent paradigm for graphical user interfaces, web clients, and it is rapidly gaining importance for server-side and network programming. Central components of EDP are {\em event loops}, which act as FIFO queues that are used by processes to store and dispatch messages received from other processes. In this paper we demonstrate that shared event loops are vulnerable to side-channel attacks, where a spy process monitors the loop usage pattern of other processes by enqueueing events and measuring the time it takes for them to be dispatched. Specifically, we exhibit attacks against the two central event loops in Google's Chrome web browser: that of the I/O thread of the host process, which multiplexes all network events and user actions, and that of the main thread of the renderer processes, which handles rendering and Javascript tasks. For each of these loops, we show how the usage pattern can be monitored with high resolution and low overhead, and how this can be abused for malicious purposes, such as web page identification, user behavior detection, and covert communication.