While each file system is protected, meaning it is isolated from other websites and the device’s own system, JavaScript can still measure I/O interactions. Then, by running those measurements through a pre-trained convolutional neural network (a system that uses deep learning to analyze text, audio, and images), the attacker can deduce which apps and websites are open on the device.
“The attacker continuously measures SSD contention by performing random reads of a large OPFS file,” the researchers explained. “SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model.”
The technique has its limitations. First, the OPFS file must be extremely large, probably a gigabyte or more. That requirement means that many users would inevitably detect attacks at scale. Additionally, the OPFS file must be stored on the same SSD that the visitor uses. This is usually not a problem for detecting open websites, since the OPFS file is stored in the browser’s default location. If applications use a separate SSD, however, FROST will not be able to detect those applications.
One of the best ways to prevent FROST attacks is to close tabs as soon as they are no longer needed. More advanced users can control the creation and size of OPFS files allocated by unknown websites. The researchers also proposed ways for browser makers to close the side channel, one of which is to limit the maximum allowed size of these files. There is no indication that FROST attacks have been carried out in the wild.
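For readers who want to check how much OPFS storage a site has allocated, the following is an added example, not code from the researchers or from any browser vendor. It walks the current origin's OPFS with the standard `navigator.storage.getDirectory()` API and reports files at or above a threshold; the 1 GiB default is an assumption based on the size estimate above, and the function names are illustrative.

```javascript
// Added example: audit one origin's OPFS for unusually large files.
// LARGE_FILE_BYTES is an assumed threshold taken from the article's
// "a gigabyte or more" estimate, not a value from the FROST paper.
const LARGE_FILE_BYTES = 1024 ** 3;

// Recursively walk a FileSystemDirectoryHandle and collect file sizes.
async function listOpfsFiles(dir, prefix = "") {
  const files = [];
  for await (const [name, handle] of dir.entries()) {
    const path = `${prefix}/${name}`;
    if (handle.kind === "directory") {
      files.push(...(await listOpfsFiles(handle, path)));
      continue;
    }
    try {
      const file = await handle.getFile();
      files.push({ path, bytes: file.size });
    } catch (err) {
      // The file could not be read (for example, it is locked by the page).
      files.push({ path, bytes: null });
    }
  }
  return files;
}

// Summarise the walk: totals plus the files at or above the threshold.
async function auditOpfs(root, threshold = LARGE_FILE_BYTES) {
  const files = await listOpfsFiles(root);
  const readable = files.filter((f) => f.bytes !== null);
  const large = readable
    .filter((f) => f.bytes >= threshold)
    .sort((a, b) => b.bytes - a.bytes);
  return {
    fileCount: files.length,
    unreadable: files.length - readable.length,
    totalBytes: readable.reduce((sum, f) => sum + f.bytes, 0),
    large,
  };
}

// In a browser, run this from the DevTools console of the site to inspect.
// The guard skips the call where the Storage API is absent (e.g. Node.js).
if (typeof navigator !== "undefined" && navigator.storage?.getDirectory) {
  navigator.storage.getDirectory()
    .then((root) => auditOpfs(root))
    .then((report) => console.log(report));
}
```

OPFS is scoped per origin, so the report covers only the site whose console it is run in; a non-empty `large` list on a site with no obvious need for bulk local storage is a reason to clear that site's data.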
The researchers performed the entire FROST attack on an M2 Mac. On Linux, they showed that the underlying primitive (which measures SSD access latency traces from JavaScript) works, but they didn’t run the full attack.
“However, since the performance of the primitive is similar between macOS and Linux, we expect similar performance for the full classification,” Hannes Weissteiner, one of the co-authors, wrote in an email. “In principle, it would be possible to train a model on any system activity that reliably generates SSD accesses.”
The researchers did not test Windows.
The document linked above provides many more technical details. The research is scheduled to be presented at the DIMVA conference in July.
