2018-01-01

JavaScript Zero: Real JavaScript and Zero Side-Channel Attacks

Abstract

Modern web browsers are ubiquitously used by billions of users, connecting them to the world wide web. From the other side, web browsers do not only provide a unified interface for businesses to reach customers, but they also provide a unified interface for malicious actors to reach users. The highly optimized scripting language JavaScript plays an important role in the modern web, as well as for browser-based attacks. These attacks include microarchitectural attacks, which exploit the design of the underlying hardware. In contrast to software bugs, there is often no easy fix for microarchitectural attacks. We propose JavaScript Zero, a highly practical and generic fine-grained permission model in JavaScript to reduce the attack surface in modern browsers. JavaScript Zero facilitates advanced features of the JavaScript language to dynamically deflect usage of dangerous JavaScript features. To implement JavaScript Zero in practice, we overcame a series of challenges to protect potentially dangerous features, guarantee the completeness of our solution, and provide full compatibility with all websites. We demonstrate that our proof-of-concept browser extension Chrome Zero protects against 11 unfixed state-of-the-art microarchitectural and side-channel attacks. As a side effect, Chrome Zero also protects against 50% of the published JavaScript 0-day exploits since Chrome 49. Chrome Zero has a performance overhead of 1.82% on average. In a user study, we found that for 24 websites in the Alexa Top 25, users could not distinguish browsers with and without Chrome Zero correctly, showing that Chrome Zero has no perceivable effect on most websites. Hence, JavaScript Zero is a practical solution to mitigate JavaScript-based state-of-the-art microarchitectural and side-channel attacks.

Conference paper

Network and Distributed System Security Symposium (NDSS)

Publication date

2018-01-01

Last modified date

2026-06-08