Hacky Racers: Exploiting Instruction-Level Parallelism to Generate Stealthy Fine-Grained Timers
From HackerOne:
Summary:
We develop Hacky Racers, a new type of timing gadget that uses instruction-level parallelism, another key feature of out-of-order execution, to measure arbitrary fine-grained timing differences, even in the presence of highly restricted JavaScript sandbox environments. While Tor Browser mitigates timing side channels by reducing timer precision and removing language features such as SharedArrayBuffer that can be used to indirectly generate timers via thread-level parallelism, no such restrictions can be designed to limit Hacky Racers. We also design versions of Hacky Racers that require no misspeculation whatsoever, demonstrating that transient execution is not the only threat to security from modern microarchitectural performance optimization. Finally, we use Hacky Racers to construct novel backwards-in-time Spectre gadgets, which break many hardware countermeasures in the literature by leaking secrets before misspeculation is discovered.
Steps To Reproduce:
Please refer to the attached paper.
Impact
Fine-grained timers would be so easy to generate that the mitigation provided by removing SharedArrayBuffer becomes totally meaningless.
Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1782238
Hacky_Racers__Exploiting_Instruction-Level_Parallelism_to_Generate_Stealthy_Fine-Grained_Timers.pdf