Google has released proof-of-concept (PoC) exploit code, which leverages the Spectre attack against the Chrome browser to leak data from websites.
Three years after the Spectre attack was first disclosed, researchers with Google have now released a demonstration website that leverages the attack, written in JavaScript, to leak data at a speed of 1 kilobyte per second (KB/s) when running on Chrome 88 on an Intel Skylake CPU.
The researchers said they hope the PoC will light a fire under web application developers to take active steps to protect their sites.
“Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines,” said Stephen Röttger and Artur Janc, information security engineers with Google, on Friday. “We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector.”
Spectre and Speculative-Execution Attacks
The Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) flaws rocked the silicon industry when the vulnerabilities were made public in early 2018. These vulnerabilities derive from a process called speculative execution in processors. It is used in microprocessors so that memory can be read before the addresses of all prior memory writes are known; an attacker with local user access can use side-channel analysis to gain unauthorized disclosure of information.
What originally set Spectre apart was its sheer breadth in terms of affected devices: the attack impacted many modern processors, including those made by Intel and AMD, as well as major operating systems like Android, ChromeOS, Linux, macOS and Windows. One variant, Variant 1 (CVE-2017-5753), also applied to JavaScript exploitation against browsers.
At the same time, after the public disclosure of Spectre, hardware and software manufacturers, as well as browser-makers, released various mitigations against the attacks.
The Spectre PoC Exploit
At a high level, the PoC consists of a Spectre “gadget,” or code, that triggers attacker-controlled transient execution, and a side channel that serves as a method for attackers to observe the side effects of this transient execution (and thus view various sensitive data, which could include passwords stored in a browser, personal photos, emails, instant messages and even business-critical documents). A video demo of the PoC can be viewed below.
The PoC builds on 2018 research from the team behind the V8 browser engine. The research shows that one potential mitigation of Spectre, reduced timer granularity, does not sufficiently mitigate against the attack. That’s because attackers can amplify timing differences in order to increase the odds of capturing sensitive data, according to the research.
However, the technique stemmed from reading sensitive data multiple times — which Google researchers argued can reduce the effectiveness of the attack if the information leak is subject to chance variation.
Researchers with Google said they overcame this limitation with their new PoC. This new method relies on Tree-PLRU, a cache replacement policy that decides which cache lines are evicted in various CPUs: “By abusing the behavior of the Tree-PLRU cache eviction strategy commonly found in modern CPUs, we were able to significantly amplify the cache timing with a single read of secret data,” said researchers. “This allowed us to leak data efficiently even with low precision timers.”
Researchers said they don’t believe the PoC can be re-used for nefarious purposes “without significant modifications” – however, they hope that the release of the PoC “provides a clear signal for web-application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites.”
This is especially needed as Spectre exploits continue to pop up; working Windows and Linux Spectre exploits were uploaded to VirusTotal earlier this month, for instance.
Such protections could include implementing cross-origin resource policy (CORP) and fetch metadata request headers, allowing developers to control which sites can embed their resources and preventing data from being delivered to an attacker-controlled browser.
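The two server-side protections named above, as an added example that is not part of the article or of Google's PoC: a Fetch Metadata resource-isolation check that refuses cross-site subresource requests, and the Cross-Origin-Resource-Policy header on every response. The header names are the real Sec-Fetch-* and CORP headers; the request objects and the `handle` function are constructed for this illustration.

```javascript
// Fetch Metadata resource isolation plus CORP, as a framework-independent
// request handler. Constructed example; header names are real, request
// objects below are made up for the demonstration.

const SAFE_SITES = new Set(["same-origin", "same-site", "none"]);
const EMBED_DESTS = new Set(["object", "embed"]);

// Returns true if the resource may be served to this request. Cross-site
// requests are refused unless they are plain top-level GET navigations, so
// another origin cannot pull the response body into its own renderer
// process where a Spectre gadget could read it.
function isRequestAllowed(req) {
  const site = req.headers["sec-fetch-site"];
  // Browsers without Fetch Metadata send no header; rely on CORP instead.
  if (site === undefined) return true;
  if (SAFE_SITES.has(site)) return true;
  // A user navigating to the page is fine; <object>/<embed> are not.
  if (req.headers["sec-fetch-mode"] === "navigate" && req.method === "GET" &&
      !EMBED_DESTS.has(req.headers["sec-fetch-dest"])) return true;
  return false;
}

// Response headers attached to every served resource. CORP tells the
// browser to withhold the body from cross-origin documents; Vary keeps
// caches from replaying an allowed response to a refused request shape.
function isolationHeaders() {
  return {
    "Cross-Origin-Resource-Policy": "same-origin",
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
  };
}

// Hypothetical handler: 403 for refused requests, 200 plus headers otherwise.
function handle(req) {
  if (!isRequestAllowed(req)) return { status: 403, headers: isolationHeaders() };
  return { status: 200, headers: isolationHeaders(), body: "secret resource" };
}

// Constructed sample requests covering the main request shapes.
const sameOriginXhr = { method: "GET", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } };
const crossSiteImg  = { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } };
const crossSiteNav  = { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } };
const crossSiteEmbed = { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "embed" } };
const legacyBrowser = { method: "GET", headers: {} };

for (const r of [sameOriginXhr, crossSiteImg, crossSiteNav, crossSiteEmbed, legacyBrowser]) {
  console.log(r.headers["sec-fetch-site"] ?? "(no metadata)", r.headers["sec-fetch-dest"] ?? "", "->", handle(r).status);
}
```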