Google has released proof-of-concept (PoC) exploit code that uses the Spectre attack against the Chrome browser to leak data from websites.
The researchers said they hope the PoC will light a fire under web application developers to take active steps to protect their sites.
Spectre and Speculative-Execution Attacks
The Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) flaws rocked the silicon industry when the vulnerabilities were made public in early 2018. They stem from speculative execution, a performance feature of modern processors: the CPU runs instructions ahead of time, before it knows whether they will actually be needed (for example, before a branch has been resolved) and before the addresses of all earlier memory writes are known. The results of wrongly speculated instructions are discarded, but the instructions still leave traces in the cache and other microarchitectural state, and an attacker with local user access can use side-channel analysis of those traces to disclose information without authorization.
Following the public disclosure of Spectre, hardware and software vendors, as well as browser makers, released various mitigations against the attacks.
The Spectre PoC Exploit
At a high level, the PoC is made up of two parts: a Spectre "gadget", code that triggers attacker-controlled transient execution, and a side channel through which the attacker observes the side effects of that transient execution. Together they let the attacker read sensitive data, which could include passwords stored in the browser, personal photos, emails, instant messages and even business-critical documents. A video demo of the PoC can be viewed below.
The PoC builds on 2018 research from the team behind V8, Chrome's JavaScript engine. That research showed that one proposed mitigation, reducing the granularity of the timers available to JavaScript, does not sufficiently mitigate the attack: an attacker can amplify the timing difference between a cache hit and a cache miss until it is large enough to register even on a coarse timer, increasing the odds of capturing sensitive data.
That earlier technique, however, relied on reading the sensitive data multiple times, which the Google researchers note can reduce the attack's effectiveness when the leak is probabilistic and each individual read may fail.
Researchers with Google said they overcame this limitation with their new PoC. The new method relies on Tree-PLRU, a cache replacement policy found in many CPUs that decides which line of a full cache set is evicted next: "By abusing the behavior of the Tree-PLRU cache eviction strategy commonly found in modern CPUs, we were able to significantly amplify the cache timing with a single read of secret data," said researchers. "This allowed us to leak data efficiently even with low precision timers."
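The following is an added illustration of the two ideas above (timing amplification against coarse timers, and why a cache's Tree-PLRU replacement policy makes a single secret-dependent access worth more than one cache miss). It is not code from Google's PoC and does not reproduce the PoC's actual access sequence; it is a software model of one Tree-PLRU cache set in which a transient read of a line called "S" knocks one attacker-controlled probe line out of the set and the probe lines then evict each other in a chain. The hit/miss costs and the timer granularity are constructed numbers chosen for the demonstration.

```javascript
// Added illustration (not Google's PoC code): a software model of a
// Tree-PLRU cache set, used to show why one secret-dependent access can
// turn into several measurable cache misses. All timings are constructed.

// One W-way set (W a power of two) with W-1 tree bits stored heap-style.
// A bit of 0 means "the PLRU victim is in the left subtree", 1 "the right".
class TreePlruSet {
  constructor(ways) {
    if (ways < 2 || (ways & (ways - 1)) !== 0) throw new Error("ways must be a power of two");
    this.ways = ways;
    this.lines = new Array(ways).fill(null);   // tag held by each way
    this.bits = new Array(ways - 1).fill(0);   // internal tree nodes
  }

  // Follow the tree bits from the root down to the way PLRU would evict.
  victim() {
    let node = 0;
    while (node < this.ways - 1) node = 2 * node + 1 + this.bits[node];
    return node - (this.ways - 1);
  }

  // After touching `way`, every bit on its path to the root is flipped to
  // point away from it, so the next miss evicts from the other subtree.
  touch(way) {
    let node = way + this.ways - 1;
    while (node > 0) {
      const parent = (node - 1) >> 1;
      this.bits[parent] = node === 2 * parent + 1 ? 1 : 0;
      node = parent;
    }
  }

  // Access a tag; returns true on a hit, false on a miss (with replacement).
  access(tag) {
    let way = this.lines.indexOf(tag);
    const hit = way !== -1;
    if (!hit) {
      way = this.victim();
      this.lines[way] = tag;
    }
    this.touch(way);
    return hit;
  }
}

// Count the misses in each of `rounds` walks over `pattern`.
function missesPerRound(set, pattern, rounds) {
  const out = [];
  for (let r = 0; r < rounds; r++) {
    let misses = 0;
    for (const tag of pattern) if (!set.access(tag)) misses++;
    out.push(misses);
  }
  return out;
}

// The experiment: the attacker's probe lines P0..P(W-1) fill the set, the
// transient (Spectre) access then either touches the secret-dependent line
// "S" or not, and the probe lines are re-read for two rounds.
function dominoExperiment(ways, secretAccessed) {
  const set = new TreePlruSet(ways);
  const probes = Array.from({ length: ways }, (_, i) => `P${i}`);
  for (const p of probes) set.access(p);        // prime the set
  if (secretAccessed) set.access("S");          // the single secret-dependent read
  return missesPerRound(set, probes, 2);
}

// Constructed cost model: a hit costs 1 unit, a miss 40; the timer only
// reports multiples of `granularity`, like the coarse timers browsers ship
// as a Spectre mitigation.
function coarseTimerReading(misses, hits, granularity, hitCost = 1, missCost = 40) {
  const exact = misses * missCost + hits * hitCost;
  return Math.floor(exact / granularity) * granularity;
}

// Demo with a 4-way set.
const W = 4;
const quiet = dominoExperiment(W, false);   // [0, 0]: every probe hits
const leaky = dominoExperiment(W, true);    // [4, 0]: one read of S became 4 misses
console.log("misses per round without secret access:", quiet);
console.log("misses per round with secret access:   ", leaky);
// One miss (39 extra units) is invisible to a 100-unit timer...
console.log("single access:", coarseTimerReading(1, 0, 100), "vs", coarseTimerReading(0, 1, 100));
// ...but the chain of W misses is not.
console.log("probe round:  ", coarseTimerReading(leaky[0], W - leaky[0], 100),
            "vs", coarseTimerReading(quiet[0], W - quiet[0], 100));
```

In the 4-way model, the one read of "S" evicts probe line P0; re-reading P0 then evicts P1, P1 evicts P2, and so on, so the attacker pays four misses instead of one and the coarse timer finally sees a difference. The PoC sustains a larger amplification with an access pattern specific to the real hardware, which is not modeled here; the point of the model is only that under Tree-PLRU the victim choice depends on the access history, so one access can change the cost of many.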
Researchers said they don’t believe the PoC can be re-used for nefarious purposes “without significant modifications” – however, they hope that the release of the PoC “provides a clear signal for web-application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites.”
Such protections include Cross-Origin Resource Policy (CORP) and the Fetch Metadata request headers, which let developers control which sites can embed or fetch their resources. Because Spectre reads memory belonging to the process that runs the attacker's code, keeping a sensitive response from ever being delivered to a renderer process that an attacker's page shares is what takes the data out of reach.
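The following is an added example of those two protections and is not code from the article or from Google's PoC: a framework-independent resource isolation check built on the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), paired with a Cross-Origin-Resource-Policy response header. The handler and the sample requests are constructed for illustration; real deployments would wire the same functions into their server's middleware.

```javascript
// Added example (not the article's or Google's code): a Fetch Metadata
// resource isolation policy plus CORP, as plain functions over a request
// object of the shape { method, headers } with lower-cased header names.

// Returns true when the request may be served. The rules are the standard
// "resource isolation" policy: accept same-site and browser-initiated
// traffic, accept ordinary top-level navigations, reject everything else
// that another site tries to load or fetch.
function isRequestAllowed(req) {
  const site = req.headers["sec-fetch-site"];
  const mode = req.headers["sec-fetch-mode"];
  const dest = req.headers["sec-fetch-dest"];

  // Browsers without Fetch Metadata send none of these headers; they cannot
  // be told apart here, so they pass (CORP below still applies to them).
  if (site === undefined) return true;

  // Same-origin, same-site, and user- or browser-initiated requests are fine.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;

  // A cross-site top-level navigation (someone linking to this site) is
  // normal web traffic, but <object>/<embed> loads also navigate and are
  // really cross-site embeds, so they are excluded.
  if (mode === "navigate" && req.method === "GET" && dest !== "object" && dest !== "embed") return true;

  // Anything else is a cross-site subresource load or fetch: refuse it so the
  // response bytes never reach a renderer process that also runs the other site.
  return false;
}

// Response headers for a resource that must not be readable cross-site.
// Cross-Origin-Resource-Policy makes the browser itself refuse to hand the
// body to a cross-site document; Vary keeps a shared cache from replaying an
// allowed response to a request the policy would have blocked.
function isolationHeaders() {
  return {
    "Cross-Origin-Resource-Policy": "same-site",
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
  };
}

// Minimal handler: apply the policy and attach the headers either way.
function handle(req) {
  if (!isRequestAllowed(req)) {
    return { status: 403, headers: isolationHeaders(), body: "" };
  }
  return { status: 200, headers: isolationHeaders(), body: "<sensitive resource>" };
}

// Constructed sample requests, with the headers a browser would send.
const sameOriginFetch = { method: "GET", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } };
const crossSiteImage  = { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } };
const crossSiteLink   = { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } };
const crossSiteEmbed  = { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "embed" } };
const crossSitePost   = { method: "POST", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } };
const legacyBrowser   = { method: "GET", headers: {} };

const samples = { sameOriginFetch, crossSiteImage, crossSiteLink, crossSiteEmbed, crossSitePost, legacyBrowser };
for (const [name, req] of Object.entries(samples)) {
  console.log(name.padEnd(16), handle(req).status);
}
```

The two mechanisms cover different gaps: CORP is enforced by the browser, so it protects even an application whose server never looks at Fetch Metadata, while the server-side check also stops cross-site fetches and form posts that CORP alone would still let reach the server.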