Hacking

Google releases Spectre PoC code exploit for Chrome browser

Google released proof-of-concept code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.

Google released proof-of-concept code for conducting a Spectre attack against its Chrome browser on GitHub. The experts decided to publish the proof of concept code to demonstrate the feasibility of a web-based Spectre exploit. 

The PoC code was written in JavaScript and works on Chrome 88 on an Intel Skylake CPU, it allows extracting data from device memory at speed of 1kB/s.

“Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector.” reads the post published by Google. “We have developed an interactive demonstration of the attack available at https://leaky.page/; the code and a more detailed writeup are published on Github here.”

Google researchers speculate the PoC code works on other CPUs (different vendor and/or generation), operating systems and Chromium flavors.

Below the description of the demo published on a site set up by Google to host the PoC code.

“This demo is split into three parts:

  1. Calibrating the timer to observe side effects of the CPU’s speculative execution.
  2. A demonstration that infers the memory layout of a JavaScript array.
  3. The Spectre proof of concept itself, leaking memory of your browser’s renderer process.”

In January 2018, the expert devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to steal sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

To protect systems from bot Meltdown and Spectre attacks it is possible to implement the hardening technique known as kernel page table isolation (KPTI). The technique allows isolating kernel space from user space memory.

The PoC code released by Google allows to recover cached data from the memory, including sensitive data such as the encryption keys.

The released PoC code could be easily set up because it works without a high-precision timer like SharedArrayBuffer.

“For the published PoC, we implemented a simple Variant 1 gadget: a JavaScript array is speculatively accessed out of bounds after training the branch predictor that the compiler-inserted length check will succeed.” continues Google. “This particular gadget can be mitigated at the software level; however, Chrome’s V8 team concluded that this is not the case for other gadgets: “we found that effective mitigation of some variants of Spectre, particularly variant 4, to be simply infeasible in software.” We invite the security community to extend our research and develop code that makes use of other Spectre gadgets.”

Google experts also developed other PoC exploits s with different properties, but they did not release them. One of these PoC codes allows leaking data at a rate of 8kB/s, but it is less stable due to the use of the performance.now() API as a 5μs (5000ms) precision timer. Another PoC uses a timer of 1ms or worse and allows to leak data at a rate of only 60B/s.

Google recommends developers to use new security mechanisms to Spectre hardware attacks and common web-level cross-site leaks.

Standard protections include X-Content-Type-Options, X-Frame-Options headers, and the use of SameSite cookies. but researchers also recommend enabling the following protections:

  • Cross-Origin Opener Policy (COOP) lets developers ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This adds an important process-level protection, particularly in browsers which don’t enable full Site Isolation; see web.dev/coop-coep.
  • Cross-Origin Embedder Policy (COEP) ensures that any authenticated resources requested by the application have explicitly opted in to being loaded.  Today, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP; see web.dev/coop-coep.

The Google Security Team released a prototype Chrome extension named Spectroscope that allows web developers to protect their websites from Spectre.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Spectre)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

10 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

16 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.