Chrome Zero: A team of academics managed to create a Chrome extension that can block side-channel attacks that use JavaScript code to leak data from a computer's RAM or CPU.
The name of the extension is Chrome Zero and is currently only available in GitHub and not through the official Chrome Web Store.
Researchers have created the extension to rewrite and protect the features, properties, and JavaScript objects most commonly used by any malicious JavaScript code to leak data from the CPU or RAM.
Resolution
Experts report that there are currently eleven state-of-the-art side-channel attacks that can be executed through JavaScript executed in a browser.
Each attack needs access to various local details, and uses JavaScript to leak, recover and gather the necessary information before it starts with the actual attack from a side-channel.
After examining each of these, the researchers were able to identify five main categories of data/attributes that side-channel JavaScript attacks attempt to exploit: memory addresses retrieved from JS, precise timing information (time difference), web workers, data shared between JS code and data from device sensors.
How Extension works
The Chrome Zero extension essentially violates the JavaScript code that is going to run through Chrome to rewrite some JavaScript features, attributes and objects by eliminating the negative effects of a side-channel attack.
Experts said that despite the intrusive behavior of the extension, testing showed little impact on browser performance by using only 1,54% of resources and causing a delay in loading the page ranging from 0,01064 to 0,08908 seconds depending on the number of policies applicable at the time of execution.
In addition, as a result of the protection measures of the expansion, the research team reports that Chrome Zero would be able to block the 50% of the Zero Day of Chrome that was detected from the Chrome 49 release onwards.
How to Install the Extension
As mentioned, the extension is not yet available through the Chrome Web Store. But you can easily install it:
Download the extension and from the Chrome Extensions Manager page (chrome: // extensions), by clicking on "Load Unpacked", select the "chromezero" folder from the extension source code.
More information is available in a paper entitled "JavaScript Zero: Real JavaScript and Zero Side-Channel Attacks," presented end of February at the NDSS Symposium held in San Diego, California. The paper is available online from here and hereWhile video of the NDSS presentation is below:
- Password Alert Additional protection from Google
- Publish tweets from the Chrome address bar
- Google Chrome: HTTP pages are unsafe in July
