We identify class of covert channels in browsers that are not mitigated by current defenses, which we call "pool-party" attacks. Pool-party attacks allow sites to create covert channels by manipulating limited-but-unpartitioned resource pools. These class of attacks have been known, but in this work we show that they are both more prevalent, more practical for exploitation, and allow exploitation in more ways, than previously identified. These covert channels have sufficient bandwidth to pass cookies and identifiers across site boundaries under practical and real-world conditions. We identify pool-party attacks in all popular browsers, and show they are practical cross-site tracking techniques (i.e., attacks take 0.6s in Chrome and Edge, and 7s in Firefox and Tor Browser). In this paper we make the following contributions: first, we describe pool-party covert channel attacks that exploit limits in application-layer resource pools in browsers. Second, we demonstrate that pool-party attacks are practical, and can be used to track users in all popular browsers; we also share open source implementations of the attack and evaluate them through a representative web crawl. Third, we show that in Gecko based-browsers (including the Tor Browser) pool-party attacks can also be used for cross-profile tracking (e.g., linking user behavior across normal and private browsing sessions). Finally, we discuss possible mitigation strategies and defenses

翻译：我们识别出一类未被现有防御措施缓解的浏览器隐蔽信道攻击，并将其命名为“池派对”攻击。此类攻击通过操纵有限但未隔离的资源池构建隐蔽信道。尽管这类攻击此前已有记载，但本研究证明其比先前认知的更为普遍、更易实际利用，且存在更多利用方式。在实际网络环境下，这些隐蔽信道具备足够带宽以在跨站点边界传递Cookie及标识符。我们在所有主流浏览器中均发现了池派对攻击，并证明它们是实用的跨站点追踪技术（例如，在Chrome和Edge中攻击耗时0.6秒，在Firefox和Tor浏览器中为7秒）。本文贡献包括：首先，描述了利用浏览器应用层资源池限制实现的池派对隐蔽信道攻击；其次，通过代表性网络爬取实验演示了池派对攻击的实用性——该攻击可在所有主流浏览器中追踪用户，并开源了攻击实现代码；再次，证明了在基于Gecko内核的浏览器（包括Tor浏览器）中，池派对攻击还可用于跨用户画像追踪（例如关联正常浏览与隐私浏览会话中的用户行为）；最后，讨论了可能的防御策略与缓解方案。