I built a browser extension to block the FROST side-channel attack


GitHub - HenBOMB/frost-guard


❄️ FROST Guard

Browser extension that protects against the FROST side-channel attack.

FROST (Fingerprinting Remotely using OPFS-based SSD Timing) is a browser-based side-channel attack that lets malicious websites spy on your system activity — detecting which websites you visit and which applications you open — by measuring SSD contention through the Origin Private File System (OPFS) API. No user interaction is required; the attack runs silently in the background.

FROST Guard neutralizes this attack at the API level, before it can collect any data.

How the Attack Works

1. A malicious website creates a large file via OPFS (bigger than your RAM) — no permissions needed
2. The file is too big for the OS page cache, so every read hits the physical SSD
3. The site measures SSD access latency with performance.now() to detect contention from your other activities
4. A machine-learning classifier identifies which websites you visit (F1: 89%) and which apps you open (F1: 96%)

How FROST Guard Stops It

| Defense Layer | What It Does | Why It Works |
|---|---|---|
| OPFS Size Cap | Limits OPFS storage to 512 MB per origin (configurable) | File stays in the page cache → reads never hit the SSD → zero contention signal |
| Timer Fuzzing | Adds ±100 µs random jitter to performance.now() when OPFS is active | The attack needs sub-100 µs accuracy; jitter makes measurements useless |
| Worker Injection | Injects the same defenses into Web Workers created by the page | The attack uses FileSystemSyncAccessHandle in workers; this closes that path |
| Activity Monitor | Tracks OPFS usage per origin and alerts on suspicious behavior | You'll know immediately if a site tries to exploit you |
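
The first two defense layers from the table, written out as an added example (not code from the FROST Guard repository). The names `makeFuzzedNow`, `makeOpfsCap` and `measureReads`, and the per-file size bookkeeping, are assumptions made for illustration.

```javascript
// Added illustration, not FROST Guard's source; every name here is hypothetical.
const JITTER_MS = 0.1;                // ±100 µs, the README's default
const CAP_BYTES = 512 * 1024 * 1024;  // 512 MB per origin, the README's default

// Wrap a high-resolution clock: each reading gets uniform noise in
// [-jitterMs, +jitterMs], then is clamped so time never runs backwards.
function makeFuzzedNow(realNow, jitterMs = JITTER_MS, rng = Math.random) {
  let last = -Infinity;
  return function fuzzedNow() {
    const noisy = realNow() + (rng() * 2 - 1) * jitterMs;
    last = Math.max(last, noisy);
    return last;
  };
}

// Per-origin accounting: remember each OPFS file's size and refuse any
// write that would push the origin's total past the cap.
function makeOpfsCap(capBytes = CAP_BYTES) {
  const sizes = new Map(); // file name -> current size in bytes
  const total = () => [...sizes.values()].reduce((a, b) => a + b, 0);
  return {
    total,
    allowWrite(name, offset, length) {
      const current = sizes.get(name) || 0;
      const next = Math.max(current, offset + length); // overwrites don't grow the file
      if (total() - current + next > capBytes) return false;
      sizes.set(name, next);
      return true;
    },
  };
}

// Constructed demo: time five reads of a given true latency with the fuzzed
// clock, driven by a fake clock so the run is reproducible offline.
function measureReads(latencyMs, rng = Math.random) {
  let t = 0;
  const now = makeFuzzedNow(() => t, JITTER_MS, rng);
  return Array.from({ length: 5 }, () => {
    const start = now();
    t += latencyMs; // stands in for one SSD-backed read
    return now() - start;
  });
}

// In a page (main world) the wrapper would be installed roughly like this:
//   performance.now = makeFuzzedNow(performance.now.bind(performance));
console.log("20 µs reads:", measureReads(0.02).map((d) => d.toFixed(3)));
console.log("60 µs reads:", measureReads(0.06).map((d) => d.toFixed(3)));
```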

Installation

Chrome / Edge / Brave (Chromium)

1. Download or build frost-guard-chrome.zip (see Building)
2. Go to chrome://extensions/
3. Enable Developer mode (top right)
4. Click Load unpacked and select the extracted dist/chrome/ folder
5. FROST Guard appears in your toolbar — you're protected ❄️

Firefox

1. Download or build frost-guard-firefox.zip (see Building)
2. Go to about:debugging#/runtime/this-firefox
3. Click Load Temporary Add-on and select manifest.json from the extracted dist/firefox/ folder
4. For permanent installation, the extension must be signed via addons.mozilla.org

Note: Firefox support requires Firefox 128+ (for world: "MAIN" content script support).

Building

```
# Clone the repo
git clone https://github.com/YOUR_USERNAME/frost-guard.git
cd frost-guard

# Build both targets
./build.sh

# Or build one target
./build.sh chrome
./build.sh firefox
```

Output:

```
dist/
├── frost-guard-chrome.zip
├── frost-guard-firefox.zip
├── chrome/    ← load this as unpacked extension
└── firefox/   ← load this as temporary add-on
```

Requirements: zip command (pre-installed on most systems).

Configuration

Click the FROST Guard icon in your toolbar for a quick status view, or go to Settings for full control:

| Setting | Default | Description |
|---|---|---|
| OPFS Size Cap | 512 MB | Max OPFS storage per origin. Keep below your RAM size. |
| Timer Jitter | ±100 µs | Noise added to performance.now() when OPFS is active. |
| Notifications | On | Alert when an attack is blocked. |
| Allowlist | Empty | Origins that bypass protections (e.g., figma.com). |

Allowlist Guidance

Some legitimate web apps use large OPFS files (browser-based IDEs, design tools, video editors). If an app you trust stops working, add its origin to the allowlist. Only allowlist sites you fully...
