Any non-dummies out there willing to dummy this down for me?
If I’m picking up what was being put down, websites typically reserve a small amount of space on a hard drive for any given website to install scripts they need to function. This is done as a matter of course, and is largely the modern Internet working as intended (for better or worse). However, in this case, a compromised website could instruct my browser to reserve a gig or more of space to deploy or install this FROST script. This reports back to the attacker what programs are competing for resources on my computer, including my individual browser tabs and what sites those tabs contain. It can do this despite the location where browsers let websites install/run scripts being nominally sandboxed away from the rest of the drive. It does this by measuring the latency of certain I/O operations occurring on the drive, and feeding that information through some sort of neural network.
Assuming that is generally correct from a layman’s POV, how exactly is that latency information sufficient to determine what programs or websites I have open? Wouldn’t different models of SSD (or even different SSDs of the same type) have minor variations in performance which would make this impossible? Hell, how does the script even know that it is installed on an SSD and not an HDD?
Not saying it's untrue, because obviously the folks that discovered this know a touch more about computers than me, but, if this explanation were trotted out in a thriller movie (“well, President Ryan, we know the location of the terrorists’ hideout because we were able to measure the latency of their hard drive, which revealed they were placing an Amazon order in the other tab”), I’d chalk it up to techno-babble nonsense.
Not only that, but I remember Firefox (maybe Chrome too) announcing a few years ago they have made scripted timers less accurate. I think that was a mitigation against websites attempting a Spectre/Meltdown attack. How is it that this new attack is not affected by the inaccurate timers?
IDK either. Just guessing here. I’m seeing claims that the FF timer precision limiter only happens if you have privacy.resistFingerprinting enabled. Which I try to. But it breaks a shitton of anti-bot access gates and makes them think I’m a bot, since I’m harder to fingerprint. So I guess many ppl leave resistFingerprinting disabled. Which might let this technique work in full force.
But it sounds like it has to allocate a very large amt of storage. Like 1GB. And then constantly read from that, to make the fingerprint. That’s something many ppl would notice. The authors do say there are no known examples of this in the wild. So there’s that.
You wonder, where does it end?
It ends where you disable js
Luckily it’s already disabled for me 😊 but still…
The fact that we need to disable stuff in order to gain back a little privacy.
They will only stop at reading your thoughts in real time, and even then.
neuralink implants, anyone?
fseek(stream, 0, SEEK_END);
Yay for not using ECMAScript or WebDRM in my browser. And using spinning HDDs.