In this talk I highlight timing attacks that leverage abstraction failures, as well as defenses against timing attacks in general. We demonstrate same-origin-policy-defeating timing attacks across all major desktop browsers using details of floating-point computation in commodity hardware. Additionally, we discuss a number of failed or impractical defensive attempts.
With these attacks and defensive misfires in mind, we propose adapting relevant solutions from trusted multi-level operating systems projects of the late 80s and early 90s. We present a vision for a browser design to mitigate timing attacks, Fermata, as well as a deployable prototype, Fuzzyfox. Some of the concepts outlined for Fermata are now deployed in major browsers with more to come.
David is a PhD candidate in Computer Science at UC San Diego working with Hovav Shacham and defending this year. His research interests focus on the collision between security theory and hardware abstractions. Previously, David received his B.S. in Computer Science from Carnegie Mellon University in 2011 and co-founded the San Diego-based security company Somerset Recon in 2012.