It’s more more than three years since researchers revealed a pair of security vulnerabilities, known as Specter and Meltdown, which revealed fundamental flaws in the way most modern computer processors process data for maximize efficiency. While affecting an astronomical number of computing devices, so-called speculative execution bugs are relatively difficult to exploit in practice. But now Google researchers have developed a proof of concept that shows the danger Specter attacks pose to the browser – in hopes of motivating a new generation of defenses.
Researchers have never doubted that Specter could be exploited for browser-based hacks. Every program that runs on a computer executes its instructions and transforms its data through the computer’s processor and memory, making all of this information potentially vulnerable to speculative execution attacks. This includes browsers, which load data from web servers and then display the content on individual users’ devices through a local feature called a renderer. A Specter browser hijack would essentially launch an attack from a web page visited by a victim to retrieve data from other pages they have opened. Such hacks could even be used to impersonate a target in order to extract more of their data from the web applications they are connected to.
In the years since Specter and Meltdown’s initial revelations, this specific type of attack has never been seen in the wild, and it was not clear how practical the method would be. Google’s proof of concept for its own Chrome browser not only illustrates the feasibility, but also suggests strategies for browsers and web developers to more fully guard against such attacks.
“When I shared the exploit with the Chrome security team and the product security team, at that point, everyone was like, ‘OK, wow, that’s very clear, this ‘is the impact, ”says Stephen Röttger, security engineer at Google. “Based on this, we have made a number of decisions to devote more resources to deploying Specter defenses in our web frameworks.”
Over the past few years, Chrome and other mainstream browsers have implemented a practice called “site isolation” to make web pages separate and their data separate from each other. Since Specter attacks are all about tricking a processor into leaking data at the right time, site isolation makes it much more difficult for a hacker to retrieve the sensitive information they want because not all data travels through by the processor in the same place. at a time. Browsers have also added associated defenses to separately load components of a single website (such as a company’s logo versus third-party advertisements) and to prevent data from flowing back and forth between two pages when reciprocating is not vital.
These types of defenses cannot completely stop Specter attacks. Instead, they reduce the chances that a bad actor could retrieve useful or private information from the processor if they initiate such a hack. Röttger and colleagues’ proof of concept reveals more nuanced ways than browsers, including Chromium-based browsers like Microsoft Edge, can implement these types of defenses. But it also highlights ways web developers could architect their platforms and applications differently to preserve functionality while locking down user information even more strategically.
“We think we’ve thought about what developers need to do to protect themselves and the set of things they need to do isn’t overwhelmingly large,” says Mike West, Platform Security Manager Chrome and co-chair of the World Wide Web Consortium Web. application security working group. “The real job and the reason browsers can’t do it on behalf of the developer is that the decisions to be made are application specific. They are going to involve an analysis of what your server is offering to the Internet and how those things should be offered. “
Google is working with the W3C, an international standards body, to provide guidelines and best practices for browsers and web developers. The strategy has already worked for Google, as in its efforts to help move the needle on massive initiatives like promote HTTPS web encryption. But West recognizes that it takes time to involve the entire web community in these types of structural changes.