Google emits data-leaking proof-of-concept Spectre exploit for Intel CPUs to really get everyone's attention

I don't believe it, I had to see it, I came back, I came back haunted

Google on Friday released proof-of-concept code for conducting a Spectre-based attack against its Chrome browser to show how web developers can take steps to mitigate browser-based side-channel attacks.

The code, posted to GitHub, demonstrates how an attacker can pull data from device memory at speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. According to Google, the attack should work on other browsers, even those running on Arm-based Apple M1 chips.

The code executes a timing attack, by which the attacker observes the time required to access memory and infers whether the selected address is in the cache or needs to be loaded, based on whether the operation was fast or slow.

Illustration of the Spectre logo on a chip next to an 'alert' warning

Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world


Armed with this information, the attacker can use a Spectre gadget – a code structure in memory – to test a JavaScript array and recover cached data. It has the potential to allow an attacker to exfiltrate encryption keys or other secrets stored in memory.

Google has also set up a webpage to demonstrate side-channel data leakage.

"The Spectre vulnerability, disclosed to the public in January 2018, makes use of a class of processor (CPU) design vulnerabilities that allow an attacker to change the intended program control flow while the CPU is speculatively executing subsequent instructions," explained Google security engineers Stephen Röttger and Artur Janc in a blog post.

As an example, they describe how a CPU may speculate incorrectly that a memory length check passes while the actual instruction path led to an out of bounds memory access.

"While the CPU state is rolled back once the misprediction is noticed, this behavior leaves observable side effects which can leak data to an attacker," they explain.

Youtube Video

The Google engineers say they also developed other PoCs with different properties that they aren't releasing. One, they claim, is capable of leaking data at a rate of 8kB/s, though that accelerated pace comes at the cost of diminished stability because it uses the API as a 5μs (0.005ms) precision timer. Another, with a timer of 1ms or worse, provided a data leakage rate of only 60B/s.

The PoC code they chose to release, they say, was due to the fact that it could be set up easily and because it works without a high-precision timer like SharedArrayBuffer. Google's software engineers managed to make their technique more effective against low-precision timers by figuring out a way to abuse the Tree-PLRU cache eviction strategy, used to clear data in many modern CPUs. And they've published a separate web demo to illustrate that particular strategy.

Röttger and Janc say they doubt the PoC could be useful for real-attacks without substantial modification. They contend it was necessary to publish the code to demonstrate that Spectre risks are real.

"In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites," they explain.

As we reported earlier this week, the W3C's Web Application Security Working Group is considering whether to support recommendations written by another Google security engineer, Mike West, that describe steps web developers should take to craft Spectre-resistant code. Röttger and Janc cite these same defense specifications (CORP, COOP, COEP, and so on) in the hope web developers will get the message. ®

Biting the hand that feeds IT © 1998–2021