Tick Tock: Building Browser Red Pills from Timing Side Channels
Authors: G. Ho, D. Boneh, L. Ballard, and N. Provost
Abstract:
Red pills allow programs to detect if their execution environment is a
CPU emulator or a virtual machine. They are used by digital rights
management systems and by malware authors. In this paper we study the
possibility of browser-based red pills, namely red pills implemented
as Javascript that runs in the browser and attempts to detect if the
browser is running inside a virtual machine. These browser red pills
can limit the effectiveness of Web malware scanners: scanners that
detect drive-by downloads by crawling the Web using a browser in an
emulated environment. We present multiple browser red pills that are
robust across browser platforms and emulation technology. We also
discuss potential mitigations that Web scanners can use to thwart some
of these red pills.
Reference:
To appear at Usenix WOOT 2014
Full paper: pdf