Researchers Demonstrate Browser SSD Timing Side-Channel That Identifies Running Applications
A new browser-based method called FROST measures SSD contention through JavaScript to identify open websites and applications. Researchers demonstrated the attack on macOS and Linux systems.
Wired
A research paper describes a technique called FROST that uses JavaScript running in a web browser to monitor other websites and applications open on a visitor's device by measuring SSD timing differences. The method exploits contention on the visitor's solid-state drive without requiring any interaction beyond loading the attacking page.
FROST creates a large file in the origin private file system and performs continuous random reads while recording latency variations caused by other processes accessing the same SSD.
These latency traces are then classified by a pretrained convolutional neural network to identify specific websites or applications. The OPFS file must be at least one gigabyte and stored on the same SSD used by the visitor. Applications running on a separate drive cannot be detected.
Researchers completed the full attack on an M2 Mac and showed the underlying timing measurements work on Linux, though they did not run the complete classification pipeline on that platform. Hannes Weissteiner, one of the paper's coauthors, wrote that the performance of the timing primitive is similar between macOS and Linux and that a model could be trained on any system activity that reliably generates SSD accesses.
The researchers did not test the technique on Windows.
The paper notes that modern browsers now run full office suites, photo editors, and integrated development environments developed by Google, Microsoft, and Adobe. The authors stated that these capabilities increase the browser's attack surface and have already introduced new vulnerabilities.
The researchers proposed that browser makers could limit the maximum size of OPFS files to close the side channel.
They also noted that closing tabs promptly and monitoring OPFS file creation offer practical defenses for users. No indications exist that FROST attacks have been carried out in the wild. The work is scheduled for presentation at the DIMVA conference in July.
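One way to act on the "monitoring OPFS file creation" defense, as an added example that is not from the paper or the article: the script walks an origin's private file system and flags any file at or above the one-gigabyte size the article gives for the probe file. The function names, the decimal-gigabyte threshold and the mock directory are assumptions made here; OPFS is origin-scoped, so in a browser the audit only sees the origin it runs in.

```javascript
// Added example: audit an origin's OPFS for files large enough to serve as a probe file.
// Assumption: "one gigabyte" is read as 10^9 bytes, the lower of the two common meanings.
const ONE_GB = 1e9;

// Recursively walk a FileSystemDirectoryHandle and collect every file's path and size.
async function listOpfsFiles(dir, prefix = "") {
  const files = [];
  for await (const [name, handle] of dir.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await listOpfsFiles(handle, path)));
    } else {
      const file = await handle.getFile();
      files.push({ path, size: file.size });
    }
  }
  return files;
}

// Summarise the walk: total bytes stored plus every file at or above the threshold.
async function auditOpfs(root, threshold = ONE_GB) {
  const files = await listOpfsFiles(root);
  return {
    totalBytes: files.reduce((sum, f) => sum + f.size, 0),
    suspicious: files.filter((f) => f.size >= threshold).map((f) => f.path),
  };
}

// Constructed stand-in for an OPFS directory handle so the logic runs outside a browser.
function mockDir(tree) {
  return {
    kind: "directory",
    async *entries() {
      for (const [name, value] of Object.entries(tree)) {
        yield [name, typeof value === "number"
          ? { kind: "file", getFile: async () => ({ size: value }) }
          : mockDir(value)];
      }
    },
  };
}

// Constructed sample: a small cache file and one 1 GB blob in a nested directory.
const sampleRoot = mockDir({ "cache.db": 4096, tmp: { "blob.bin": ONE_GB } });

// In a browser, pass the real root: auditOpfs(await navigator.storage.getDirectory())
auditOpfs(sampleRoot).then((report) => console.log(report));
```

A site operator can run the same audit from first-party code to spot third-party scripts that allocate oversized OPFS files under the site's origin.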