ISeCure
The ISC Int'l Journal of Information Security
January 2022, Volume 14, Number 1 (pp. 27–46)
http://www.isecure-journal.org

A Study of Timing Side-Channel Attacks and Countermeasures on JavaScript and WebAssembly **

Mohammad Erfan Mazaheri ¹, Siavash Bayat Sarmadi ¹,*, and Farhad Taheri Ardakani ¹
¹ Sharif University of Technology, Department of Computer Engineering, Tehran, Islamic Republic of Iran.

ARTICLE INFO

Article history:
Received: December 24, 2020
Revised: May 6, 2021
Accepted: May 10, 2021
Published Online: September 6, 2021

Keywords: Timing Side-Channel Attacks, JavaScript, WebAssembly, Malicious Code Detection, Timers

Type: Research Article

doi: 10.22042/isecure.2021.263565.599
dor: 20.1001.1.20082045.2022.14.1.3.3

ABSTRACT

Side-channel attacks are a group of powerful attacks in hardware security that exploit the deficiencies in the implementation of systems. Timing side-channel attacks are one of the main side-channel attack categories that use the time difference of running an operation in different states. Many powerful attacks can be classified into this type of attack, including cache attacks. The limitation of these attacks is the need to run the spy program on the victim's system. Various studies have tried to overcome this limitation by implementing these attacks remotely on JavaScript and WebAssembly. This paper provides the first comprehensive evaluation of timing side-channel attacks on JavaScript and investigates challenges and countermeasures to overcome these attacks. Moreover, by investigating the countermeasures and their strengths and weaknesses, we introduce a detection-based approach, called Lurking Eyes. Our approach has the least reduction in the performance of JavaScript and WebAssembly. The evaluation results show that Lurking Eyes has an accuracy of 0.998, precision of 0.983, and F-measure of 0.983.
Considering these values and no limitations, this method can be introduced as an effective way to counter timing side-channel attacks on JavaScript and WebAssembly. Also, we provide a new accurate timer, named Eagle timer, based on WebAssembly memory for implementing these attacks.

© 2020 ISC. All rights reserved.

1 Introduction

Among the attacks on hardware security, side-channel attacks are one of the most powerful. These attacks are used to exploit the deficiencies in the implementation of systems, regardless of their theoretical flaws. They are based on information leaked from the system implementation. One of the most common side-channel attacks is the timing side-channel attack, which uses the time difference of running an operation in different states. These attacks are used to break cryptographic algorithms, read the victim's secret information, and inject faults. Cache attacks are a kind of timing side-channel attack in which the attacker steals the victim's data through the CPU cache [13]. Although these attacks have high power in extracting the victim's cryptographic key, they have an important limitation: the attacker's program must run on the victim's system. For this reason, since 2015, various studies have implemented these attacks remotely, on JavaScript and WebAssembly platforms [4, 5].

* Corresponding author.
** This article is an extended/revised version of an ISCISC'17 paper.
Email addresses: mazaheri@ce.sharif.edu, sbayat@sharif.edu, farhadtaheri@ce.sharif.edu
ISSN: 2008-2045