
Researchers Unveil Browser-Based SSD Fingerprinting Technique Named FROST

A technique called FROST allows websites to monitor open tabs and running applications by measuring SSD latency through JavaScript, raising new privacy concerns for browser users.

Author: Owen Mercer, Markets and Finance Editor
Source: WIRED · original
Websites Can Now Spy on You Through Your Hard Drive
New side-channel attack exploits solid-state drive timing variations to infer user activity without interaction

Researchers have detailed a novel side-channel attack technique named FROST, which enables websites to spy on users by measuring subtle timing variations in solid-state drive (SSD) input-output operations. The method, described in a paper by Hannes Weissteiner and colleagues, allows attackers to infer which websites are open in other browser tabs and which applications are running on a user’s device. The research is scheduled for presentation at the DIMVA conference in July.

FROST operates exclusively within the browser environment, utilising JavaScript to interact with the Origin Private File System (OPFS). This system provides an allocated storage space reserved for a specific site, which is sandboxed to isolate it from other websites and the device system. Despite this isolation, the JavaScript code can measure the latency of I/O interactions within the OPFS. By continuously performing random reads from a large OPFS file, the attack captures SSD contention caused by user activity, resulting in measurable latency differences.

The technique relies on a pretrained convolutional neural network to classify these latency traces. According to the researchers, the system uses deep learning to analyse the timing data, allowing the attacker to deduce various apps and websites open on the device. Unlike previous contention side-channel attacks, FROST requires no interaction from the visitor other than opening the site hosting the attack. The paper notes that as web browsers evolve into complex platforms running sophisticated applications from companies like Google, Microsoft, and Adobe, the browser’s attack surface has increased, introducing new vulnerabilities.

There are specific limitations to the FROST attack. The OPFS file must be extremely large, likely exceeding one gigabyte, to facilitate the measurement of latency traces. This size requirement means that attacks at scale would inevitably be detected by many users or security software. Additionally, the OPFS file must be stored on the same SSD as the user’s activity. While this is typically the case for tracking open websites, apps using a separate SSD would not be detectable by this method.

The researchers demonstrated the full FROST attack on an M2 Mac. On Linux, they showed that the underlying primitive of measuring SSD access latency traces from JavaScript works, though they did not run the full attack. Hannes Weissteiner noted in an email that since the performance of the primitive is similar between macOS and Linux, they expect similar performance for the full classification. There are currently no indications that FROST attacks have been performed in the wild.

Mitigation strategies proposed by the researchers include closing tabs as soon as they are no longer needed. More technical users can monitor the creation and size of OPFS files allocated by unknown websites. The researchers also suggested that browser makers could shut down the side channel by limiting the maximum size of such files.
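One way to carry out the OPFS size check described above, as an added example that is not code from the researchers or the original article: it lists every file in the OPFS of the origin it runs in (for instance from the devtools console on that site) and flags files at or above a threshold. The 1 GiB threshold is an assumption based on the "likely exceeding one gigabyte" figure, and `mockDir` and `SAMPLE_OPFS` are constructed stand-ins so the code also runs outside a browser.

```javascript
// Added example: audit the Origin Private File System of the current origin.
// Assumption: 1 GiB threshold, taken from the article's "likely exceeding one gigabyte".
const ONE_GIB = 1024 ** 3;

// Recursively list every file under a FileSystemDirectoryHandle with its size.
async function listOpfsFiles(dirHandle, prefix = "") {
  const files = [];
  for await (const [name, handle] of dirHandle.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await listOpfsFiles(handle, path)));
    } else {
      const file = await handle.getFile();
      files.push({ path, size: file.size });
    }
  }
  return files;
}

// Summarise the listing: total bytes, and files at or above the threshold, largest first.
function summarizeOpfs(files, thresholdBytes = ONE_GIB) {
  const totalBytes = files.reduce((sum, f) => sum + f.size, 0);
  const large = files
    .filter((f) => f.size >= thresholdBytes)
    .sort((a, b) => b.size - a.size);
  const suspicious = large.length > 0 || totalBytes >= thresholdBytes;
  return { fileCount: files.length, totalBytes, large, suspicious };
}

async function auditOpfs(rootHandle, thresholdBytes = ONE_GIB) {
  return summarizeOpfs(await listOpfsFiles(rootHandle), thresholdBytes);
}

// Constructed stand-in for a directory handle (numbers are file sizes in bytes).
function mockDir(tree) {
  return {
    kind: "directory",
    async *entries() {
      for (const [name, v] of Object.entries(tree)) {
        yield [name, typeof v === "number"
          ? { kind: "file", getFile: async () => ({ size: v }) }
          : mockDir(v)];
      }
    },
  };
}
const SAMPLE_OPFS = mockDir({
  "prefs.json": 2048,
  cache: { "blob.bin": 1.5 * ONE_GIB, "thumb.db": 4096 },
});

// In a browser: auditOpfs(await navigator.storage.getDirectory()).then(console.log)
```

The audit only sees the storage of the origin it is executed in, so it has to be run per site.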
