{"id":2277,"date":"2018-01-03T16:23:41","date_gmt":"2018-01-04T00:23:41","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2277"},"modified":"2018-03-22T11:08:08","modified_gmt":"2018-03-22T18:08:08","slug":"mitigations-landing-new-class-timing-attack","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/","title":{"rendered":"Mitigations landing for new class of timing attack"},"content":{"rendered":"<p>Several recently-published <a href=\"https:\/\/spectreattack.com\/spectre.pdf\">research<\/a> <a href=\"https:\/\/googleprojectzero.blogspot.com\/2018\/01\/reading-privileged-memory-with-side.html\">articles<\/a> have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. \u00a0Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. \u00a0The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. \u00a0Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. \u00a0This includes both explicit sources, like <code>performance.now()<\/code>, and implicit sources that allow building high-resolution timers, viz., <code>SharedArrayBuffer<\/code>.<\/p>\n<p>Specifically, in all release channels, starting with 57:<\/p>\n<ul>\n<li>The resolution of <code>performance.now()<\/code> will be reduced to 20\u00b5s. (UPDATE: see the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Performance\/now\">MDN documentation for performance.now<\/a> for up-to-date precision information.) 
<\/li>\n<li>The <code>SharedArrayBuffer<\/code> feature is being disabled by default.<\/li>\n<\/ul>\n<p>Furthermore, other <a href=\"https:\/\/gruss.cc\/files\/fantastictimers.pdf\">timing sources and time-fuzzing techniques<\/a> are being worked on.<\/p>\n<p>In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. \u00a0This project requires time to understand, implement and test, but might allow us to consider reenabling <code>SharedArrayBuffer<\/code> and the other high-resolution timers as these features provide important capabilities to the Web platform.<\/p>\n<p><strong>Update [January 4, 2018]:<\/strong> We have released the <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2018-01\/\">two timing-related mitigations<\/a> described above with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated &#8220;2018-01-04&#8221; and later. Firefox 52 ESR does not support <code>SharedArrayBuffer<\/code> and is less at risk; the <code>performance.now()<\/code> mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. 
\u00a0Our internal experiments confirm that it is possible to use &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/\">Read more<\/a><\/p>\n","protected":false},"author":257,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[264753],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mitigations landing for new class of timing attack - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Luke Wagner\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/\",\"name\":\"Mitigations landing for new class of timing attack - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2018-01-04T00:23:41+00:00\",\"dateModified\":\"2018-03-22T18:08:08+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f44146d853f71fd1e875e7c789b75750\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/01\/03\/mitigations-landing-new-class-timing-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mitigations landing for new class of timing attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f44146d853f71fd1e875e7c789b75750\",\"name\":\"Luke Wagner\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/3b5dd5c2c561b36fc89846969438f5ad\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2272c1032086281f75e9ab1ee43e42a4?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2272c1032086281f75e9ab1ee43e42a4?s=96&d=identicon&r=g\",\"caption\":\"Luke Wagner\"},\"description\":\"Luke Wagner is a Mozilla software engineer and hacks on JavaScript and WebAssembly in Firefox.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2277"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/257"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2277"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2277\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2277"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}