Google publishes “Leaky.Page”, showing Spectre in action in web browsers

GOOGLE --

Google has published proof-of-concept code demonstrating that Spectre exploits are practical in the JavaScript engines of modern web browsers. The code is public, and you can try it yourself at leaky.page.

Google’s Leaky.Page code leaks data at around 1 kB/s when running in the Chrome browser on an Intel Skylake CPU. The proof of concept is tuned for Skylake, but it should also work on other processors and browsers with minor JavaScript modifications. Google has also run the Leaky.Page attack on Apple’s M1 ARM CPU without major changes.

Google also built a prototype that leaks data at 8 kB/s, though with less stability. At the other end of the scale, it has a proof of concept that relies only on low-resolution JavaScript timers and still leaks about 60 B/s, which shows that reducing timer precision alone is not an effective mitigation.

Google’s Leaky.Page PoC is a Spectre Variant 1 (bounds check bypass) gadget: a JavaScript array that is accessed speculatively out of bounds, with the out-of-bounds value then used to leave a timing-measurable footprint in the cache. While the V1 gadget can be mitigated at the software level, the Chrome V8 team has concluded that other gadgets, such as Spectre Variant 4, are “simply not viable in software” to mitigate. The practical conclusion is that defences must be built on isolation, keeping sensitive data out of the attacker’s address space (Site Isolation and cross-origin isolation headers), rather than on hunting gadgets one by one.
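The following is an added example, not Google’s Leaky.Page code, illustrating the shape of the V1 gadget described above next to the branchless index masking that engines such as V8 use as the software-level mitigation. The names `backing`, `probe`, `PUBLIC_LENGTH` and `gadget` are assumptions, the “secret” bytes are constructed, and speculation is emulated with an explicit `speculate` flag so the effect can be observed directly; a real PoC only observes it through cache timing, which is not reproduced here.

```javascript
// Added illustration (not Google's Leaky.Page code) of the Spectre V1
// gadget shape and of branchless index masking as its software mitigation.
// Speculation is emulated with a `speculate` flag so the effect is visible
// architecturally; a real PoC sees it only via cache timing. Names assumed.

const PAGE = 4096;

// Probe array with one page per possible byte value. In a real attack the
// value-dependent load probe[value * PAGE] leaves a cache footprint that the
// attacker later times to recover `value`.
const probe = new Uint8Array(256 * PAGE);

// Constructed backing store: 4 "public" bytes the script may legitimately
// index, followed by bytes standing in for adjacent memory that the bounds
// check is supposed to protect. Keep indices within this buffer when
// experimenting; the emulation does not model memory beyond it.
const backing = new Uint8Array([
  1, 2, 3, 4,                 // public bytes, indices 0..3
  0, 0, 0, 0,
  0x53, 0x45, 0x43, 0x52,     // constructed "secret" bytes at indices 8..11
  0, 0, 0, 0,
]);
const PUBLIC_LENGTH = 4;

// Branchless clamp: (index - length) >> 31 is -1 (all ones) when
// index < length and 0 otherwise, so the result is `index` in bounds and 0
// out of bounds. No branch is involved, so a mispredicted bounds check
// cannot turn an out-of-bounds index into an out-of-bounds load address.
// Valid for 0 <= index, length < 2^31.
function maskIndex(index, length) {
  return index & ((index - length) >> 31);
}

// Spectre V1 gadget shape: a bounds-checked load whose result selects the
// address of a second load. `speculate` emulates the CPU running the body
// on a mispredicted bounds check. Returns the probe page (== byte value)
// that the dependent load touches, or undefined when the body does not run.
function gadget(index, { masked = false, speculate = false } = {}) {
  if (index < PUBLIC_LENGTH || speculate) {
    const i = masked ? maskIndex(index, PUBLIC_LENGTH) : index;
    const value = backing[i];      // transient out-of-bounds read if unmasked
    probe[value * PAGE] += 1;      // encodes `value` into the cache state
    return value;
  }
  return undefined;
}

// Side-by-side comparison for one out-of-bounds index under emulated
// misprediction: the unmasked gadget exposes backing[8], the masked one
// only ever exposes a byte from the public range.
function compare(index) {
  return {
    architectural: gadget(index),
    vulnerable: gadget(index, { speculate: true }),
    masked: gadget(index, { masked: true, speculate: true }),
  };
}
```

Masking of this kind is applied by the JIT to array accesses in production engines, which is why the V1 gadget is considered mitigable in software; it does nothing against variants that do not depend on a bounds check, which is the reason Google’s guidance centres on isolation rather than on gadget removal.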

More details on Google’s latest Spectre findings are available on the Google Security Blog. The proof-of-concept Spectre code can be found at leaky.page.
