Fantastic timers and where to find them: High-resolution microarchitectural attacks in javascript

Michael Schwarz*, Clémentine Maurice, Daniel Gruss, Stefan Mangard

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review


Research showed that microarchitectural attacks like cache attacks can be performed through websites using JavaScript. These timing attacks allow an adversary to spy on users secrets such as their keystrokes, leveraging fine-grained timers. However, the W3C and browser vendors responded to this significant threat by eliminating fine-grained timers from JavaScript. This renders previous high-resolution microarchitectural attacks non-applicable. We demonstrate the inefficacy of this mitigation by finding and evaluating a wide range of new sources of timing information. We develop measurement methods that exceed the resolution of official timing sources by 3 to 4 orders of magnitude on all major browsers, and even more on Tor browser. Our timing measurements do not only re-enable previous attacks to their full extent but also allow implementing new attacks. We demonstrate a new DRAM-based covert channel between a website and an unprivileged app in a virtual machine without network hardware. Our results emphasize that quick-fix mitigations can establish a dangerous false sense of security.

Original languageEnglish
Title of host publicationFinancial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers
PublisherSpringer Verlag Wien
Number of pages21
Volume10322 LNCS
ISBN (Print)9783319709710
Publication statusPublished - 1 Jan 2017
Event21st International Conference on Financial Cryptography and Data Security, FC 2017 - Sliema, Malta
Duration: 3 Apr 20177 Apr 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10322 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference21st International Conference on Financial Cryptography and Data Security, FC 2017

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this