
Researchers discover a new side-channel attack that can de-anonymize online users

qiguaw 2024-09-29 17:11:14 Resource articles 42 views 0 comments


A group of academics from the New Jersey Institute of Technology (NJIT) has warned of a novel technique that could be used to defeat anonymity protections and identify a unique website visitor.



"An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website," the researchers said. "The attacker knows this target only through a public identifier, such as an email address or a Twitter handle."



The cache-based targeted de-anonymization attack is a cross-site leak that involves the adversary leveraging a service such as Google Drive, Dropbox, or YouTube to privately share a resource (e.g., image, video, or a YouTube playlist) with the target, followed by embedding the shared resource into the attack website.



This can be achieved by, say, privately sharing the resource with the target using the victim's email address or the appropriate username associated with the service and then inserting the leaky resource using an <iframe> HTML tag.



In the next step, the attacker tricks the victim into visiting the malicious website and clicking on the aforementioned content, causing the shared resource to be loaded as a pop-under window (as opposed to a pop-up) or a browser tab — a method that's been used by advertisers to sneakily load ads.



This exploit page, as it's rendered by the target's browser, is used to determine if the visitor can access the shared resource, successful access indicating that the visitor is indeed the intended target.



The attack, in a nutshell, aims to unmask the users of a website under the attacker's control by connecting the list of accounts tied to those individuals with their social media accounts or email addresses through a piece of shared content.



In a hypothetical scenario, a bad actor could share a video hosted on Google Drive with a target's email address, and follow it up by inserting this video in the lure website. Thus when visitors land on the portal, a successful loading of the video could be used as a yardstick to infer if their victim is one among them.




The attacks, which are practical to exploit across desktop and mobile systems with multiple CPU microarchitectures and different web browsers, are made possible by means of a cache-based side channel that's used to glean if the shared resource has been loaded and therefore distinguish between targeted and non-targeted users.



Put differently, the idea is to observe the subtle timing differences that arise when the shared resource is being accessed by the two sets of users, which, in turn, occurs due to differences in the time it takes to return an appropriate response from the web server depending on the user's authorization status.



The attacks also take into account a second set of differences on the client side, which arise when the web browser renders the relevant content or error page based on the response received.




"There are two main causes for differences in the observed side channel leakages between targeted and non-targeted users – a server-side timing difference and a client-side rendering difference," the researchers said.



While most popular platforms, such as those from Google, Facebook, Instagram, LinkedIn, and Twitter, were found susceptible, one notable service that's immune to the attack is Apple iCloud.



It's worth pointing out the de-anonymization method banks on the prerequisite that the targeted user is already logged in to the service. As mitigations, the researchers have released a browser extension called Leakuidator+ that's available for Chrome, Firefox, and Tor browsers.



To counter the timing and rendering side channels, website owners are recommended to design web servers to return their responses in constant time, irrespective of whether the user is provisioned to access the shared resource, and make their error pages as similar as possible to the content pages to minimize the attacker-observable differences.



"As an example, if an authorized user was going to be shown a video, the error page for the non-targeted user should also be made to show a video," the researchers said, adding websites should also be made to require user interaction before rendering content.

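One way to implement the two server-side mitigations just described (constant-time responses and error pages shaped like content pages), as an added Python example that is not code from the NJIT paper, Leakuidator+, or the original article; the ACL, resource ids, time budget and body length are constructed values:

```python
import time
from dataclasses import dataclass

# Assumed values: the budget must exceed the slowest genuine request path,
# and every body is padded to BODY_LEN bytes so sizes do not differ either.
RESPONSE_BUDGET_S = 0.05
BODY_LEN = 256

# Constructed sample ACL: resource id -> accounts the resource was shared with.
SHARED_RESOURCES = {"video-1234": {"alice@example.com"}}

_budget_overruns = 0  # requests whose real work outran the budget (timing leaks there)


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes


def _is_authorized(resource_id, account):
    """Simulated ACL check; its cost differs between hits and misses, which is
    the server-side timing difference the article describes."""
    return account in SHARED_RESOURCES.get(resource_id, set())


def _render(resource_id, authorized):
    """Content page and 'not shared with you' page share status, type and
    length: a placeholder video stands in for the error page."""
    src = f"/media/{resource_id}.mp4" if authorized else "/media/placeholder.mp4"
    page = f"<video controls src='{src}'></video>".encode()
    pad = b"<!--" + b" " * (BODY_LEN - len(page) - 7) + b"-->"  # 7 = len('<!--' + '-->')
    return Response(200, "text/html", page + pad)


def serve(resource_id, account, sleep=time.sleep, clock=time.monotonic):
    """Answer a shared-resource request in constant wall-clock time."""
    global _budget_overruns
    start = clock()
    resp = _render(resource_id, _is_authorized(resource_id, account))
    remaining = RESPONSE_BUDGET_S - (clock() - start)
    if remaining < 0:
        _budget_overruns += 1  # budget too small for this path: alert, then raise it
    else:
        sleep(remaining)  # pad the fast path out to the full budget
    return resp


def overrun_count():
    return _budget_overruns
```

The overrun counter is the check a practitioner wants in production: any non-zero value means the budget no longer covers the slow path and the timing difference is observable again.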


"Knowing the precise identity of the person who is currently visiting a website can be the starting point for a range of nefarious targeted activities that can be executed by the operator of that website."



The findings arrive weeks after researchers from the University of Hamburg, Germany, demonstrated that mobile devices leak identifying information such as passwords and past holiday locations via Wi-Fi probe requests.



In a related development, MIT researchers last month revealed the root cause behind a website fingerprinting attack as not due to signals generated by cache contention (aka a cache-based side channel) but rather due to system interrupts, while showing that interrupt-based side channels can be used to mount a powerful website fingerprinting attack.



"Things that grow strong then grow old." (Tao Te Ching, Chapter 30)

My translation skills are limited :(

Where anything is ambiguous, please defer to the original text :)


This article is translated from:

https://thehackernews.com/2022/07/new-cache-side-channel-attack-can-de.html

If you repost this, please credit the original address.
