UNIVERSITY of CALIFORNIA, SAN DIEGO Beneath

UNIVERSITY OF CALIFORNIA, SAN DIEGO

Beneath the Attack Surface

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science

by

Keaton Mowery

Committee in charge:
Professor Hovav Shacham, Chair
Professor Sorin Lerner
Professor George Papen
Professor Stefan Savage
Professor Geoffrey M. Voelker

2015

Copyright Keaton Mowery, 2015. All rights reserved.

The Dissertation of Keaton Mowery is approved and is acceptable in quality and form for publication on microfilm and electronically:

Chair

University of California, San Diego
2015

EPIGRAPH

“Time forks perpetually toward innumerable futures. In one of them I am your enemy.”
—JORGE LUIS BORGES (1941)

“Marco Polo imagined answering (or Kublai Khan imagined his answer) that the more one was lost in unfamiliar quarters of distant cities, the more one understood the other cities he had crossed to arrive there.”
—ITALO CALVINO (1972)

TABLE OF CONTENTS

Signature Page ... iii
Epigraph ... iv
Table of Contents ... v
List of Figures ... viii
List of Tables ... xi
Acknowledgements ... xii
Vita ... xiv
Abstract of the Dissertation ... xvi

Introduction ... 1

Chapter 1  Fingerprinting Information in JavaScript Implementations ... 3
  1.1  Introduction ... 4
  1.2  JavaScript Performance Fingerprinting ... 8
    1.2.1  Methodology ... 8
    1.2.2  Data Collection ... 10
    1.2.3  Results ... 13
    1.2.4  JavaScript Test Selection ... 21
  1.3  NoScript Whitelist Fingerprinting ... 22
    1.3.1  Attack Methodology ... 23
    1.3.2  Prevalence of Testable JavaScript ... 26
    1.3.3  Fingerprinting Speed ... 28
  1.4  Conclusions ... 32

Chapter 2  Pixel Perfect: Fingerprinting Canvas in HTML5 ... 34
  2.1  Introduction ... 34
  2.2  HTML5 and CSS3 ... 39
    2.2.1  HTML5 Canvas ... 39
    2.2.2  WebFonts ... 41
    2.2.3  WebGL ... 41
    2.2.4  Security Implications ... 42
  2.3  Experiments ... 43
    2.3.1  Tests ... 43
    2.3.2  Infrastructure ... 46
    2.3.3  Data Collection ... 47
  2.4  Results ... 50
    2.4.1  Arial Font Rendering ... 50
    2.4.2  WebFont Rendering ... 55
    2.4.3  WebGL ... 58
    2.4.4  Comprehensive Fingerprinting ... 62
  2.5  Defenses ... 63
  2.6  Conclusions ... 64
  2.7  Data Characterization ... 66

Chapter 3  Are AES x86 Cache Timing Attacks Still Feasible? ... 70
  3.1  Introduction ... 70
  3.2  Complete Mitigation ... 72
    3.2.1  AES-NI ... 73
    3.2.2  Multicore Processors ... 74
  3.3  Attack Outline ... 75
  3.4  Modern Software Engineering ... 78
    3.4.1  Chromium Architecture ... 78
    3.4.2  Measurements ... 79
  3.5  Prefetching ... 80
  3.6  Cache Indexing ... 83
    3.6.1  Attack Complexity ... 85
  3.7  Conclusions ... 86

Chapter 4  Welcome to the Entropics: Boot-Time Entropy in Embedded Devices ... 88
  4.1  Introduction ... 88
    4.1.1  Related Work ... 91
  4.2  Early Kernel Entropy ... 93
    4.2.1  Genesis ... 94
    4.2.2  Methodology ... 95
    4.2.3  Results and Analysis ... 97
  4.3  Architectural Causes of Timing Variation ... 115
    4.3.1  Clock Domain Crossing ... 116
    4.3.2  DRAM Access Latency ... 118
  4.4  DRAM Decay ... 120
    4.4.1  Disabling Refresh ... 122
    4.4.2  Decay ... 122
    4.4.3  Experimental Setup ... 122
    4.4.4  Results ... 123
    4.4.5  Extracting Per-Boot Randomness from DRAM ... 126
  4.5  PLL Lock Latency ... 127
  4.6  Conclusions ... 128

Chapter 5  Security Analysis of a Full-Body Scanner ... 132
  5.1  Introduction ... 133
  5.2  The Rapiscan Secure 1000 ... 137
    5.2.1  Backscatter Imaging ... 138
    5.2.2  Subsystems ... 140
  5.3  Contraband Detection ...

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    200 Page
  • File Size
    -
