Inferno: Side-channel Attacks for Mobile Web Browsers
We demonstrate power consumption as a side-channel on mobile devices. While web pages may look aesthetically similar, the web browser exercises different behaviors while rendering the underlying code. The variance between the browser’s behavior and power consumption implies that different webpages consume different amounts of power. Thus, webpages can be uniquely identified from one another by analyzing power traces collected during a page load. While power channel attacks and defenses have been analyzed for fixed function units such as secure cryptoprocessors, this side- channel has not been studied for general-purpose systems such as mobile devices. In our evaluation, we use this side-channel to reveal a mobile user’s browsing activity from the hardware level with 80% accuracy. In addition, we attempt to develop countermeasures to combat this type of attack. We use two approaches to decrease information leakage: normalizing the computational workload to make a signal indistinguishable or increasing the amount of computational noise to make a signal incomparable. To do this, we altered DVFS (Dynamic Voltage and Frequency Scaling) to alter CPU frequency. We noticed that holding CPU frequency constant improved the accuracy of our machine learning classification. Thus, we developed a CPU governor that would change the frequency randomly. This defense managed to reduce the accuracy of the attack to 26%.