FROST: Fingerprinting Remotely using OPFS-based SSD Timing.
Abstract
Prior work showed that variations in SSD access time can be used to leak information about user activity, e.g., the websites a user accesses, and for covert data transmission. To achieve this, SSD contention side channels require accurate high-resolution timing measurements of I/O operations, e.g., through the io_uring kernel API. However, the impact of these attacks is limited in their requirement for native code execution on the victim’s system.
In this paper, we show that SSD contention side channels can be mounted by a remote attacker from within the browser, without native code execution. Our attack FROST targets the Origin Private File System (OPFS) API in JavaScript, allowing us to create and access files on the disk, within the browser’s sandboxed environment. While a challenge in prior work was to evict the OS page cache, we devise an approach that instead bypasses the page cache, enabling fast SSD contention measurements from JavaScript without any user interaction. To evaluate the effectiveness of FROST on macOS and Linux, we build a covert channel that exfiltrates data from a native application to the malicious website with a true channel capacity of 661.63 bit/s on a Linux machine, and 891.77 bit/s on a macOS machine. To evaluate FROST in a side-channel scenario, we mount a website- and an application-fingerprinting attack on users of macOS systems. We can predict accessed websites with an F1 score of 88.95 %, and accessed application with an F1 score of 95.83 %, demonstrating the privacy implications our attack has on regular users.
Cite
@inproceedings{Weissteiner2026FROST,
author = {Weissteiner, Hannes and Weiser, Tobias and Czerny, Roland and Neela, Sudheendra Raghav and Rauscher, Fabian and Juffinger, Jonas and Gruss, Daniel},
booktitle = {DIMVA},
title = {{FROST: Fingerprinting Remotely using OPFS-based SSD Timing}},
year = {2026}
}