Google: This Spectre proof-of-concept shows how dangerous these attacks can be

Google issues a new warning about Spectre attacks using JavaScript to leak data from one site to another.

Google has released proof-of-concept (PoC) code to demonstrate that Spectre side-channel attacks against a browser's JavaScript engine are practical and can leak information from the browser process's memory.

Google in 2018 detailed two variants of Spectre, one of which – dubbed variant 1 (CVE-2017-5753) – concerned JavaScript exploitation against browsers. Spectre abuses speculative execution, a performance feature of modern CPUs, to leak secrets such as passwords from one site to another, malicious site.

Web developers can visit Google's new page – at https://leaky.page – to see a demo of Spectre in JavaScript, a video demo on YouTube and a detailed write-up of the PoC on GitHub.

Google released the PoC for developers of web applications to understand why it's important to deploy application-level mitigations. At a high level, as detailed in a Google document on W3C, a developer's "data must not unexpectedly enter an attacker's process".

While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U 'Skylake' CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. It was even successful on Apple's M1 Arm CPU with minor modifications. The attack can leak data at a rate of 1kB per second.

The chief components of the PoC are a Spectre variant 1 "gadget", code that triggers attacker-controlled transient execution, and a side channel, "a way to observe side effects of the transient execution".

"The web platform relies on the origin as a fundamental security boundary, and browsers do a pretty good job at preventing explicit leakage of data from one origin to another," explained Google's Mike West.

"Attacks like Spectre, however, show that we still have work to do to mitigate implicit data leakage. The side-channels exploited through these attacks prove that attackers can read any data which enters a process hosting that attacker's code. These attacks are quite practical today, and pose a real risk to users."

While Google and other browser vendors have developed mitigations for Spectre, such as Site Isolation, they don't prevent exploitation of Spectre, explain Stephen Röttger and Artur Janc, Google information security engineers.

"Rather, [these mitigations] protect sensitive data from being present in parts of the memory from which they can be read by the attacker," they note in a blogpost.

"While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker's process," they explain.
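As an added illustration of the application-level mitigation described above (this is not Google's PoC or any code from the article), the function below checks each incoming request using the standard Fetch Metadata request headers and sets the Cross-Origin-Resource-Policy response header, neither of which the article names, so that sensitive responses are never handed to cross-site requests and their bytes never enter a process that may host an attacker's script; the route prefixes are constructed sample values.

```javascript
// Added example: a Fetch-Metadata "resource isolation" check, as one of the
// application-level mitigations that keep a site's data out of an attacker's
// process. Header names are the standard Fetch Metadata / CORP headers; the
// public-path prefixes below are constructed sample values.

// Paths that are intentionally embeddable from other sites (static assets).
const PUBLIC_PREFIXES = ["/static/", "/public/"];

function isPublicPath(path) {
  return PUBLIC_PREFIXES.some((p) => path.startsWith(p));
}

// Decide whether a request may be served. `headers` is an object keyed by
// lower-cased header name, as Node's http.IncomingMessage exposes them.
function isolationDecision(method, path, headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // Browsers without Fetch Metadata send no Sec-Fetch-* headers; the check
  // cannot protect them, so it must not break them either.
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };

  // Same-origin, same-site and user-initiated (URL bar, bookmark) requests.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: "same-site" };
  }

  // Cross-site top-level GET navigations keep ordinary links working, but
  // <object>/<embed> destinations would pull the page into another process.
  if (mode === "navigate" && method === "GET" && dest !== "object" && dest !== "embed") {
    return { allow: true, reason: "top-level-navigation" };
  }

  if (isPublicPath(path)) return { allow: true, reason: "public-resource" };

  // Cross-site fetch/XHR, <img>, <script>, <iframe> of authenticated content:
  // refuse before any sensitive bytes are generated.
  return { allow: false, reason: "cross-site-subresource" };
}

// Response header for allowed responses: CORP tells the browser not to load
// non-public resources into a cross-origin process even without Fetch Metadata.
function isolationHeaders(path) {
  return {
    "Cross-Origin-Resource-Policy": isPublicPath(path) ? "cross-origin" : "same-origin",
  };
}
```

In a real server the `allow: false` result should map to a 403 before any handler touches session data, and the headers from `isolationHeaders` are added to every allowed response.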

Google has also released a new prototype Chrome extension called Spectroscope that scans an application to find resources that may require enabling additional defenses.

Röttger and Janc note that the Variant 1 gadget can be mitigated at a software level. However, the V8 team has found that mitigation of Spectre Variant 4 or Speculative Store Bypass (SSB) is "simply infeasible in software".