A new Chrome extension, released on GitHub by a group of academics, protects Chrome and Chromium-based browsers against JavaScript code that tries to leak data from a computer's RAM or CPU.

Figure: ChromeZero settings.

Overview

At the time of writing the extension is not available in the official Chrome Web Store, so you have to download and install it manually; this may change in the near future to simplify the installation process. ChromeZero protects you against JavaScript-based side-channel attacks, of which Rowhammer is one popular example. The extension requires at least Chrome v49; a Firefox port may be possible in later versions.

According to the extension's developers, there are currently eleven state-of-the-art side-channel attacks that can be performed from JavaScript code running in a browser (see the picture below).

Figure: JS-zero-attacks-table, 11 attack vectors that abuse different primitives such as the Sensor API, memory addresses and more. Picture source: GitHub ChromeZero project.

The research shows that each of these attacks first needs access to certain local details, which it obtains through JavaScript code that leaks, recovers or gathers the required information before mounting the actual side-channel attack such as Rowhammer, Loophole & Co.

Extension Installation

As mentioned, the extension has not made it into the official Chrome Web Store (yet). To install it, download the extension's source code from GitHub, open Chrome's extensions management page (chrome://extensions), enable "Developer Mode" so that external extensions can be installed, click the "Load Unpacked" button and select the folder "/chromezero" from inside the extension's source code. Don't delete that folder afterwards: it is needed to load the extension every time you start or restart your browser, so keep it somewhere it doesn't bother you.

Using ChromeZero

Five smilies represent how strongly the extension restricts each attack sector. The performance impact is minimal: the developers say it requires 1.54% of the overall browser resources and adds only a small page-loading latency (depending on several variables) of approximately 0.01064s up to 0.08908s.

The academics who originally created Chrome Zero are also the ones behind the JavaScript version of the Rowhammer attack, so they know what they're talking about, and they have also contributed in the past to the discovery of the Meltdown and Spectre vulnerabilities.

| Requirement      | Off | Low         | Medium                  | High                   | Tin Foil Hat              |
|------------------|-----|-------------|-------------------------|------------------------|---------------------------|
| Memory addresses | -   | Buffer ASLR | Array preloading        | Non-deterministic array | Array index randomization |
| Accurate Timing  | -   | Ask         | Low-resolution timestamp | Fuzzy time            | Disable                   |
| Multithreading   | -   | -           | Message delay           | WebWorker polyfill     | Disable                   |
| Shared data      | -   | -           | Slow SharedArrayBuffer  | Disable                | Disable                   |
| Sensor API       | -   | -           | Ask                     | Fixed value            | Disable                   |
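To make the "Accurate Timing" row concrete, here is an added illustration (written for this article, not ChromeZero's own code) of how a content script could wrap performance.now() for the Medium, High and Tin Foil Hat levels; the 100 ms grid and the function names are assumptions chosen for the demo.

```javascript
// Added illustration of the "Accurate Timing" levels in the table above.
// Hypothetical code, not ChromeZero's implementation; the 100 ms grid is
// an assumed value chosen for the demo.
const GRID_MS = 100;

// Medium, "Low-resolution timestamp": quantise the clock so that two events
// closer together than one grid step read the same timestamp.
function lowResolution(nowMs, gridMs = GRID_MS) {
  return Math.floor(nowMs / gridMs) * gridMs;
}

// High, "Fuzzy time": also shift the quantisation boundary by a random
// amount per call, so repeated runs cannot be averaged back into a precise
// value, while keeping the clock monotonic (a clock that steps backwards
// would itself leak information). `random` is injectable for testing.
function makeFuzzyClock(gridMs = GRID_MS, random = Math.random) {
  let last = 0;
  return function fuzzyNow(nowMs) {
    const shifted = nowMs - random() * gridMs;
    const coarse = Math.max(0, Math.floor(shifted / gridMs) * gridMs);
    last = Math.max(last, coarse);
    return last;
  };
}

// Replace perf.now() according to the chosen level and return the original
// function so a caller can restore it. Off and Low leave the timer untouched.
function installTimerMitigation(perf, level, random = Math.random) {
  const original = perf.now.bind(perf);
  if (level === 'Medium') {
    perf.now = () => lowResolution(original());
  } else if (level === 'High') {
    const fuzzy = makeFuzzyClock(GRID_MS, random);
    perf.now = () => fuzzy(original());
  } else if (level === 'Tin Foil Hat') {
    perf.now = () => { throw new Error('performance.now() is disabled'); };
  }
  return original;
}

// Can a script still tell two events apart under a given level? Uses a
// constructed fake clock instead of the real performance object.
function canDistinguish(level, t1Ms, t2Ms, random = () => 0) {
  const fake = { t: 0, now() { return this.t; } };
  installTimerMitigation(fake, level, random);
  fake.t = t1Ms; const a = fake.now();
  fake.t = t2Ms; const b = fake.now();
  return a !== b;
}
```

With the real performance object the same wrapper would be installed from the content script before any page script runs.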

Closing Words

I think once the extension makes its way into the Chrome Web Store it might have a bigger chance to get noticed and reviewed. The settings are strange and not really what I expected from security experts, but I totally get the point that they just wanted to provide an interface which can be understood by everyone - even beginners. Hopefully we see some more documentation about what each of the options exactly toggles on the official page soon.

I tried the extension and it worked on the maximum settings without any problem on the normal Chrome (66) and Chromium (67) versions. Let's hope that this gets natively integrated into future browser versions so that you can easily control it via some browser flags instead of a separate extension. Ultimately I expect that all of the listed attack sectors will sooner or later get closed without any workarounds or extensions being required, which would be the best solution for everyone.

Other extensions can only request JavaScript-based APIs, so currently you have to use this extension in order to stay protected against the 11 attacks shown.

Please keep in mind that the add-on is still at an early stage, and you can report bugs directly in the bug tracker.

Source