Contention-Based Side Channels Enable Faster and Stealthier Browsing History Sniffing

Web browsers are implicitly trusted to handle a large amount of private user information. One such piece of private information, a user's browsing history, is maintained by browsers and is used to provide a popular usability feature: Web links are rendered using different styles depending on whether the URLs they point to have been visited or not. Unfortunately, this feature can be abused by malicious webpages in order to extract users' browsing history. We present new browsing history sniffing attacks through two contention-based side channels which are new in this context: Last-level CPU cache contention, and GPU execution unit contention. The attacks are robust and can be executed successfully against the popular Chrome browser. Compared to prior work which uses the rendering performance as a side channel, our work achieves an attack rate increase of up to 30x. The new attacks are stealthier, because the side channels we use do not slow down the browser's rendering rate. In addition, we revisit the existing sniffing attacks based on the rendering performance side channel, and show how their attack rate can also be increased by a significant amount. Finally, we discuss the root cause of history sniffing attacks and point out solutions.