Google released proof-of-concept code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.
Google released proof-of-concept code for conducting a Spectre attack against its Chrome browser on GitHub. The researchers decided to publish the proof-of-concept code to demonstrate the feasibility of a web-based Spectre exploit.
Google's researchers expect that the PoC code also works on other CPUs (of a different vendor and/or generation), operating systems and Chromium flavors.
Below is the description of the demo, published on a site set up by Google to host the PoC code.
“This demo is split into three parts:
Both the Meltdown and Spectre attacks leverage the "speculative execution" technique used by most modern CPUs to optimize performance.
To protect systems from both Meltdown and Spectre attacks, it is possible to implement the hardening technique known as kernel page table isolation (KPTI). The technique isolates kernel-space memory from user-space memory.
The PoC code released by Google makes it possible to recover cached data from memory, including sensitive data such as encryption keys.
The released PoC code can be set up easily because it works without a high-precision timer such as one built on SharedArrayBuffer.
Google's experts also developed other PoC exploits with different properties, but they did not release them. One of these PoCs leaks data at a rate of 8kB/s, but it is less stable because it relies on the performance.now() API as a 5μs (5,000ns) precision timer. Another PoC uses a timer with 1ms or worse precision and leaks data at a rate of only 60B/s.
Google recommends that developers use new security mechanisms to mitigate Spectre hardware attacks and common web-level cross-site leaks.
Standard protections include the X-Content-Type-Options and X-Frame-Options headers and the use of SameSite cookies, but the researchers also recommend enabling the following protections:
Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers allow developers to control which sites can embed their resources, such as images or scripts, preventing data from being delivered to an attacker-controlled browser renderer process. See resourcepolicy.fyi and web.dev/fetch-metadata.
Cross-Origin Opener Policy (COOP) lets developers ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This adds an important process-level protection, particularly in browsers which don't enable full Site Isolation; see web.dev/coop-coep.
Cross-Origin Embedder Policy (COEP) ensures that any authenticated resources requested by the application have explicitly opted in to being loaded. Today, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP; see web.dev/coop-coep.
The Google Security Team also released a prototype Chrome extension named Spectroscope that helps web developers protect their websites from Spectre.
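As an added example (not Google's PoC code or any project's own), the following Node-style request filter implements the Fetch Metadata resource isolation policy described at web.dev/fetch-metadata and emits the CORP, COOP, COEP, X-Content-Type-Options, X-Frame-Options and SameSite protections listed above. The function names and the sample request headers are constructed for illustration; the header names and values are the standard ones.

```javascript
// Fetch Metadata resource isolation policy (web.dev/fetch-metadata):
// reject cross-origin requests unless they are plain top-level navigations,
// which cannot read the response cross-site. <object>/<embed> destinations
// are excluded because they expose the response to the embedding page.
// Legacy browsers that send no Sec-Fetch-* headers are allowed through.
function fetchMetadataAllows(method, headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return true;                       // no signal: legacy browser
  if (['same-origin', 'same-site', 'none'].includes(site)) return true;
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  return mode === 'navigate' && method === 'GET' && !['object', 'embed'].includes(dest);
}

// Response headers giving process-level isolation (COOP + COEP), blocking
// cross-origin embedding of authenticated resources (CORP, X-Frame-Options),
// and the standard anti-sniffing and SameSite cookie protections.
// The cookie value is a placeholder, not a real session token.
function isolationHeaders() {
  return {
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'require-corp',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Set-Cookie': 'session=<placeholder>; Secure; HttpOnly; SameSite=Lax',
  };
}

// Minimal handler returning {status, headers}; no network needed.
// Vary on Sec-Fetch-Site so caches do not serve a 403 to a same-origin client.
function handle(method, headers) {
  if (!fetchMetadataAllows(method, headers)) {
    return { status: 403, headers: { 'Vary': 'Sec-Fetch-Site' } };
  }
  return { status: 200, headers: isolationHeaders() };
}
```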