Hidden in Plain Sight: Scriptless Microarchitectural Attacks via TrueType Font Hinting. This research introduces a new class of scriptless microarchitectural attacks built from TrueType font hinting instructions and demonstrates cache contention, user fingerprinting, and PDF page tracking, highlighting a previously overlooked threat surface.
Microarchitectural attacks threaten system security and privacy, especially if they can be mounted without native code execution. Recent research has shown that such attacks are possible from within web browsers via JavaScript and WebAssembly. Moreover, recent works have demonstrated that "scriptless" attacks, using only CSS, can be leveraged for side-channel attacks, including cache contention and user fingerprinting. In this paper, we introduce a new class of scriptless attacks that use the hinting instructions embedded within TrueType font files. We show that the hinting language is sufficiently robust to craft cache attacks, demonstrating cache-contention attacks and precise L1 Prime+Probe attacks. We demonstrate a website fingerprinting attack, as well as a method to track which page of a PDF is currently displayed. Our results demonstrate the practicality of font-based scriptless attacks in real-world scenarios. This emphasizes the need for future mitigations that go beyond traditional scripting languages.
This paper introduces a significant new vector for microarchitectural attacks, expanding the landscape of "scriptless" side-channel vulnerabilities. Building upon prior work demonstrating such attacks via JavaScript/WebAssembly and CSS, "Hidden in Plain Sight" uniquely leverages the hinting instructions embedded within TrueType font files. This novel approach is particularly noteworthy as it enables sophisticated attacks without requiring native code execution or even traditional scripting languages, highlighting a previously underexplored and insidious threat surface that demands immediate attention.

The authors effectively demonstrate the surprising robustness of the TrueType font hinting language, showing its sufficiency for crafting practical cache attacks. Specifically, they present successful cache-contention attacks and precise L1 Prime+Probe attacks, establishing the fundamental feasibility. Beyond these core demonstrations, the paper illustrates real-world applicability through a website fingerprinting attack and an innovative method for tracking the currently displayed page of a PDF document. These practical demonstrations underscore the tangible threat posed by font-based scriptless attacks in diverse and common scenarios.

This work represents a crucial contribution to the field of system security, revealing a new and subtle mechanism by which microarchitectural information can be exfiltrated from seemingly benign components. Its primary strength lies in identifying and thoroughly demonstrating this entirely new class of attack, pushing the boundaries of what was previously considered a safe execution environment. The findings profoundly emphasize that current security models, often focused on traditional scripting languages, are insufficient.
This paper issues a clear call for a re-evaluation of security paradigms, urging the development of future mitigations that account for pervasive, yet often overlooked, elements like font rendering engines to truly safeguard system privacy and integrity.
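The abstract's core observation is that the hinting bytecode carried in a font's fpgm and prep tables is a real instruction stream with relative jumps, so a font can carry a looping program rather than just glyph-fitting tweaks. The following defender-side triage script is an added example, not code from the paper or its authors: it reads the sfnt table directory, decodes the global hinting programs (skipping inline push operands so data bytes are not misread as opcodes), and reports program size and statically negative jump offsets. The opcode values and table layout follow the public TrueType specification; the flagging thresholds and the idea that backward jumps or oversized programs merit review are my own assumptions, and the sample font bytes are constructed for the demonstration, not taken from any real font.

```python
import struct

# Opcodes whose operands sit inline in the instruction stream
# (values from the TrueType instruction set specification).
NPUSHB, NPUSHW = 0x40, 0x41
PUSHB_BASE, PUSHW_BASE = 0xB0, 0xB8   # PUSHB[0..7], PUSHW[0..7]
# Relative-jump opcodes; the offset is popped from the stack, and a
# negative offset is how a hinting program jumps backwards (a loop).
JUMP_OPS = {0x1C: "JMPR", 0x78: "JROT", 0x79: "JROF"}


def decode_program(code: bytes) -> list:
    """Walk a hinting program and return (offset, opcode, pushed_values) tuples.

    Inline push data must be skipped, otherwise operand bytes would be
    decoded as opcodes and every count derived below would be wrong.
    """
    insns = []
    i = 0
    while i < len(code):
        start, op = i, code[i]
        i += 1
        n, wide = 0, False
        if op in (NPUSHB, NPUSHW):          # count byte follows the opcode
            if i >= len(code):
                raise ValueError(f"truncated push at offset {start}")
            n, wide = code[i], op == NPUSHW
            i += 1
        elif PUSHB_BASE <= op <= PUSHB_BASE + 7:
            n = op - PUSHB_BASE + 1
        elif PUSHW_BASE <= op <= PUSHW_BASE + 7:
            n, wide = op - PUSHW_BASE + 1, True
        vals = []
        if n:
            width = 2 if wide else 1
            if i + n * width > len(code):
                raise ValueError(f"truncated push at offset {start}")
            vals = list(struct.unpack_from(">%d%s" % (n, "h" if wide else "B"), code, i))
            i += n * width
        insns.append((start, op, vals))
    return insns


def parse_tables(font: bytes) -> dict:
    """Read the sfnt directory: 12-byte offset table, then 16-byte table records."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for k in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * k)
        tables[tag.decode("latin-1")] = font[off:off + length]
    return tables


def build_font(tables: dict) -> bytes:
    """Assemble a minimal sfnt container around the given tables (constructed test data)."""
    names = sorted(tables)
    header = struct.pack(">IHHHH", 0x00010000, len(names), 0, 0, 0)
    base = 12 + 16 * len(names)
    records, body = b"", b""
    for name in names:
        data = tables[name]
        records += struct.pack(">4sIII", name.encode("latin-1"), 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
    return header + records + body


def triage_hinting(font: bytes, max_program_bytes: int = 4096) -> dict:
    """Per-table statistics for the global hinting programs (fpgm, prep).

    Heuristic (my assumption, not from the paper): a jump whose offset was
    pushed as a negative constant, or a program larger than max_program_bytes,
    is flagged for closer review before the font is served or embedded.
    """
    tables = parse_tables(font)
    report = {}
    for name in ("fpgm", "prep"):
        code = tables.get(name, b"")
        insns = decode_program(code)
        backward = 0
        for idx, (_off, op, _vals) in enumerate(insns):
            if op in JUMP_OPS and idx > 0:
                prev_vals = insns[idx - 1][2]
                if prev_vals and prev_vals[-1] < 0:
                    backward += 1
        report[name] = {
            "bytes": len(code),
            "instructions": len(insns),
            "backward_jumps": backward,
            "flagged": backward > 0 or len(code) > max_program_bytes,
        }
    return report


# Constructed sample programs (hand-assembled, not from any real font).
FPGM = bytes([0xB0, 0x00, 0x2B, 0x20, 0x2D])          # PUSHB[0] 0; FDEF; DUP; ENDF
BENIGN_PREP = bytes([0x00, 0xB1, 0x01, 0x02, 0x21, 0x21])   # SVTCA[0]; PUSHB[1] 1 2; POP; POP
LOOPING_PREP = bytes([0x00, 0xB8, 0xFF, 0xFB, 0x1C])  # SVTCA[0]; PUSHW[0] -5; JMPR (backwards)

if __name__ == "__main__":
    for label, prep in (("benign", BENIGN_PREP), ("looping", LOOPING_PREP)):
        print(label, triage_hinting(build_font({"fpgm": FPGM, "prep": prep})))
```

The script only sees jump offsets that are pushed as constants immediately before the jump; an offset computed arithmetically on the stack is not caught, so treat the output as a triage signal rather than a verdict. Glyph-level programs live in the glyf table and would need the same decoder applied per glyph.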
Full text and download (login required): Hidden in Plain Sight: Scriptless Microarchitectural Attacks via TrueType Font Hinting, from Proceedings of the Microarchitecture Security Conference.
By Sciaria