Pierluigi Paganini March 14, 2021

Google released proof-of-concept code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.

Google released proof-of-concept code for conducting a Spectre attack against its Chrome browser on GitHub. The experts decided to publish the proof of concept code to demonstrate the feasibility of a web-based Spectre exploit. 

The PoC code was written in JavaScript and works on Chrome 88 on an Intel Skylake CPU, it allows extracting data from device memory at speed of 1kB/s.

“Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector.” reads the post published by Google. “We have developed an interactive demonstration of the attack available at https://leaky.page/; the code and a more detailed writeup are published on Github here.”

Google researchers speculate the PoC code works on other CPUs (different vendor and/or generation), operating systems and Chromium flavors.

Below the description of the demo published on a site set up by Google to host the PoC code.

“This demo is split into three parts:

1. Calibrating the timer to observe side effects of the CPU’s speculative execution.
2. A demonstration that infers the memory layout of a JavaScript array.
3. The Spectre proof of concept itself, leaking memory of your browser’s renderer process.”

In January 2018, the expert devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to steal sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

To protect systems from bot Meltdown and Spectre attacks it is possible to implement the hardening technique known as kernel page table isolation (KPTI). The technique allows isolating kernel space from user space memory.

The PoC code released by Google allows to recover cached data from the memory, including sensitive data such as the encryption keys.

The released PoC code could be easily set up because it works without a high-precision timer like SharedArrayBuffer.

“For the published PoC, we implemented a simple Variant 1 gadget: a JavaScript array is speculatively accessed out of bounds after training the branch predictor that the compiler-inserted length check will succeed.” continues Google. “This particular gadget can be mitigated at the software level; however, Chrome’s V8 team concluded that this is not the case for other gadgets: “we found that effective mitigation of some variants of Spectre, particularly variant 4, to be simply infeasible in software.” We invite the security community to extend our research and develop code that makes use of other Spectre gadgets.”

Google experts also developed other PoC exploits s with different properties, but they did not release them. One of these PoC codes allows leaking data at a rate of 8kB/s, but it is less stable due to the use of the performance.now() API as a 5μs (5000ms) precision timer. Another PoC uses a timer of 1ms or worse and allows to leak data at a rate of only 60B/s.

Google recommends developers to use new security mechanisms to Spectre hardware attacks and common web-level cross-site leaks.

Standard protections include X-Content-Type-Options, X-Frame-Options headers, and the use of SameSite cookies. but researchers also recommend enabling the following protections:

• Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers allow developers to control which sites can embed their resources, such as images or scripts, preventing data from being delivered to an attacker-controlled browser renderer process. See resourcepolicy.fyi and web.dev/fetch-metadata.

• Cross-Origin Opener Policy (COOP) lets developers ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This adds an important process-level protection, particularly in browsers which don’t enable full Site Isolation; see web.dev/coop-coep.

• Cross-Origin Embedder Policy (COEP) ensures that any authenticated resources requested by the application have explicitly opted in to being loaded.  Today, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP; see web.dev/coop-coep.

The Google Security Team released a prototype Chrome extension named Spectroscope that allows web developers to protect their websites from Spectre.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Spectre)

[adrotate banner=”5″]

[adrotate banner=”13″]