Google Releases PoC Exploit for Browser-Based Spectre Attack

Google last week announced the release of proof-of-concept (PoC) code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.

Initially detailed in early 2018 alongside Meltdown, the side-channel attack could allow a malicious application to access data being processed on the device. The vulnerability could expose passwords, documents, emails, data from instant messaging apps, and more.

Since the public disclosure of Meltdown and Spectre, both hardware makers and software developers alike have been working on devising protections against similar flaws, and browser makers too have been implementing application-level mitigations.

In 2019, the Google team responsible for Chrome’s V8 JavaScript engine said that the attack can’t be mitigated at the software level, arguing that security boundaries in browsers should be aligned with low-level primitives, such as process-based isolation.

To keep their users safe, browser makers have already implemented protections such as Site Isolation, Cross-Origin Read Blocking, and out-of-process iframes, with a variety of security features available for other application developers as well, including Cross-Origin Resource and Cross-Origin Opener Policies, and more.

The purpose of these mechanisms is to prevent sensitive data from being present in memory sections that an attacker could read. However, they do not prevent Spectre exploitation.

In order to assess the effectiveness of such mitigations, Google’s researchers have released JavaScript PoC code functional across multiple operating systems, architectures, and hardware variants, and which “confirms the practicality of Spectre exploits against JavaScript engines.”

While Chrome was used to demonstrate the attack, the exploited issues are not specific to Google’s browser and affect other modern browsers as well. An interactive demonstration of the attack is available on a dedicated page, while the code and technical details were published on GitHub.

“The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes,” Google explains.

In addition to releasing the PoC, Google is making recommendations (Post-Spectre Web Development and Mitigating Side-Channel Attacks) on how web developers can improve site isolation to deny access to cross-origin resources, thus effectively mitigating Spectre-style hardware attacks, among others.

Such mitigations include Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers, Cross-Origin Opener Policy (COOP), and Cross-Origin Embedder Policy (COEP), together with standard protections such as the X-Frame-Options and X-Content-Type-Options headers and SameSite cookies.

“It’s important to note that while […] the mechanisms […] are important and powerful security primitives, they don’t guarantee complete protection against Spectre; they require a considered deployment approach which takes behaviors specific to the given application into account,” Google notes.
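As an added example (not Google's or Chrome's code), the following Node-style request policy applies the isolation mechanisms listed above: it sets the CORP, COOP, COEP, X-Frame-Options and X-Content-Type-Options response headers, issues a SameSite cookie, and uses the Fetch Metadata request headers to refuse cross-site loads that could place sensitive data into another site's renderer process. It assumes `req` is `{ method, headers }` with lowercase header names, as Node's `http` module provides; the request and session value are constructed.

```javascript
// Added example, not Google's or Chrome's code: a Node-style request policy that
// applies the isolation headers named in the article. `req` is assumed to be
// { method, headers } with lowercase header names, as Node's http module gives.

// Response headers that keep a site's resources out of cross-origin renderer
// processes, where a Spectre-style read could otherwise reach them.
function isolationHeaders() {
  return {
    'Cross-Origin-Resource-Policy': 'same-origin',  // CORP: no cross-origin loads
    'Cross-Origin-Opener-Policy': 'same-origin',    // COOP: own browsing context group
    'Cross-Origin-Embedder-Policy': 'require-corp', // COEP: embed only opted-in resources
    'X-Frame-Options': 'DENY',                      // no framing by other sites
    'X-Content-Type-Options': 'nosniff',            // no MIME sniffing of responses
  };
}

// SameSite cookie so that cross-site requests arrive without credentials.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; SameSite=Lax; Secure; HttpOnly; Path=/`;
}

// Fetch Metadata resource isolation policy: decide from the Sec-Fetch-* request
// headers whether a request from another site should be served at all.
function allowRequest(req) {
  const h = req.headers;
  const site = h['sec-fetch-site'];
  if (site === undefined) return true;                 // browser without Fetch Metadata
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  const dest = h['sec-fetch-dest'];
  // Plain top-level navigations from other sites (a clicked link) are allowed,
  // but cross-site <object>/<embed> and any non-navigation load is not.
  if (h['sec-fetch-mode'] === 'navigate' && req.method === 'GET' &&
      dest !== 'object' && dest !== 'embed') return true;
  return false;
}

// Serve `body` only when the policy allows it; always attach the headers.
function handle(req, body) {
  const headers = { ...isolationHeaders(),
                    'Set-Cookie': sessionCookie('sid', 'constructed-session-id') };
  if (!allowRequest(req)) return { status: 403, headers, body: 'forbidden' };
  return { status: 200, headers, body };
}

// Constructed request: a cross-site fetch() from a third-party page is refused.
const crossSiteFetch = { method: 'GET', headers: {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } };
console.log(handle(crossSiteFetch, 'secret account data').status); // 403
```

The policy rejects cross-site subresource and fetch() requests while still allowing ordinary link navigations, so same-site functionality keeps working; per the quoted caveat, endpoints that legitimately serve cross-site embeds need their own exceptions.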

Related: Microsoft Brings Hardware-Based Isolation to Chrome, Firefox

Related: Should You Be Concerned About the Recently Leaked Spectre Exploits?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
