Chrome Zero: A team of academics has managed to create a Chrome extension that can prevent side-channel attacks that use JavaScript code to leak data from a computer's RAM or CPU.
The name of the extension is Chrome Zero and is currently only available in GitHub and not through the official Chrome Web Store.
Researchers have created the extension to rewrite and protect the features, properties, and JavaScript objects most commonly used by any malicious JavaScript code to leak data from the CPU or RAM.
Resolution
Experts report that there are currently eleven state-of-the-art side-channel attacks that can be executed via JavaScript code running on a Browser.
Each attack needs access to various local details, and uses JavaScript to leak, recover and gather the necessary information before it starts with the actual attack from a side-channel.
After examining each of them, researchers have identified five main categories of data / features that are being exploited by side-channel JavaScript attacks: memory addresses retrieved by JS, exact timing information, web workers, data that shared between the JS code and data from the device sensors.
How Extension works
The Chrome Zero extension essentially violates the JavaScript code that is going to run through Chrome to rewrite some JavaScript features, attributes and objects by eliminating the negative effects of a side-channel attack.
The experts stated that despite the intrusive behavior of the extension, the tests showed minimal impact on the performance of the browser since it uses only 1,54% of the resources and causes a delay on page load ranging from 0,01064 to 0,08908 seconds, depending on the number of protection policies in effect at runtime.
In addition, as a result of the protection measures of the expansion, the research team reports that Chrome Zero would be able to block the 50% of the Zero Day of Chrome that was detected from the Chrome 49 release onwards.
How to Install the Extension
As mentioned, the extension is not yet available through the Chrome Web Store. But you can easily install it:
Download the extension και από την σελίδα διαχείρισης επεκτάσεων του Chrome (chrome://extensions), κάνοντας κλικ στο "Load Unpacked", επιλέξτε το φάκελο "chromezero" μέσα από τον πηγαίο κώδικα της επέκτασης.
Περισσότερες πληροφορίες είναι διαθέσιμες σε ένα paper με τίτλο "JavaScript Zero: Real JavaScript and Zero Side-Channel Attacks," presented end of February at the NDSS Symposium held in San Diego California. Το paper είναι διαθέσιμο online from here and here, while her video presentations in the NDSS is below:
- Password Alert Additional protection from Google
- Publish tweets from the Chrome address bar
- Google Chrome: HTTP pages are unsafe in July