Google shares Spectre PoC targeting browser JavaScript engines

Google has published JavaScript proof-of-concept (PoC) code to demonstrate the practicality of using Spectre exploits targeting web browsers to access information from a browser's memory.

According to the Google Security Team, the PoC shared today works across a wide range of processor architectures, operating systems, and hardware generations.

Security mechanisms vendors have added to web browsers to protect users from Spectre attacks (e.g., Site Isolation, out-of-process iframes, Cross-Origin Read Blocking, and other Cross-Origin policies) don't actually block exploitation attempts.

Instead, they are protecting the users' sensitive data from being leaked into the attackers' hands by moving out of memory reachable during attacks.

Google advises web developers to use new security mechanisms to "mitigate Spectre-style hardware attacks and common web-level cross-site leaks."

The Chrome web platform security team also provides developers with guidance for Post-Spectre Web Development and for Mitigating Side-Channel Attacks.

Besides standard protections like X-Content-Type-Options and X-Frame-Options headers, Google recommends enabling the following policies as part of ongoing efforts to mitigate Spectre attacks:

• Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers allow developers to control which sites can embed their resources, such as images or scripts, preventing data from being delivered to an attacker-controlled browser renderer process. See resourcepolicy.fyi and web.dev/fetch-metadata.
• Cross-Origin Opener Policy (COOP) lets developers ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This adds an important process-level protection, particularly in browsers that don't enable full Site Isolation; see web.dev/coop-coep.
• Cross-Origin Embedder Policy (COEP) ensures that any authenticated resources requested by the application have explicitly opted into being loaded. Today, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP; see web.dev/coop-coep.

The Google Security Team also created a prototype Chrome extension named Spectroscope to help security engineers and web developers protect their websites from Spectre.

Spectroscope works by scanning web apps for resources that may require enabling additional security defenses against Spectre attacks.

"Today, we're sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines," said Stephen Röttger and Artur Janc, Information Security Engineers at Google.

"We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector."

Google researchers created a dedicated interactive demo of the attack at leaky.page and published a detailed writeup on Github.

The goal of the in-browser proof-of-concept demo is to prove the feasibility of a web-based Spectre exploit, and it will not allow you to test if your device is vulnerable to such attacks.

A video demo showing the results of a successful attack using Google's PoC exploit on an Intel i7-6500U Ubuntu machine running Chrome 88 is embedded below. 

The Spectre security vulnerability was unveiled as a hardware bug by Google Project Zero security researchers in January 2018.

Attackers can exploit it on vulnerable systems to steal sensitive data, including passwords, documents, and any other data available in privileged memory.

Spectre (CVE-2017-5753) side-channel attacks affect modern Intel, AMD, and ARM processor models with support for branch prediction and speculative execution.

As Project Zero researchers also found, Spectre also impacts major operating systems (i.e., Windows, Linux, macOS, Android, and ChromeOS).

All major processor and OS vendors have released firmware patches and software fixes for Spectre since its discovery.

Last month, security researcher Julien Voisin found working exploits targeting Linux and Windows systems on VirusTotal.

The two exploits were uploaded on VirusTotal as part of a larger package: a cracked version of the CANVAS penetration testing tool leaked and traded online since at least December 2020.