With Spectre still lurking, Google seeks to protect the web

It has been more than three years since researchers disclosed a pair of security vulnerabilities, known as Spectre and Meltdown, that revealed fundamental flaws in how most modern processors speculatively execute instructions to maximize performance. Although they affect an astronomical number of computing devices, so-called speculative execution bugs are relatively difficult to exploit in practice. Now Google researchers have developed a proof of concept that shows the danger Spectre attacks pose to the browser, in the hope of motivating a new generation of defenses.

Researchers never doubted that Spectre could be exploited for browser-based attacks. Every program running on a computer executes its instructions and processes its data through the processor and memory, so all of that information is potentially exposed to speculative execution attacks. That includes browsers, which fetch data from web servers and display it on the user's device through a component called the rendering engine. A Spectre attack in the browser would run from a web page the victim is visiting and read data belonging to other open pages, since code on the attacker's page can use speculative execution to read memory that sits in the same renderer process. Such an attack can even be used to impersonate the victim, for instance by reading the session cookies or tokens that authenticate them, and to extract more data from the web applications they are logged in to.

In the years since Spectre and Meltdown were first disclosed, this specific type of attack has never been seen in the wild, and it was unclear how practical the method would be. Google's proof of concept, built against its own Chrome browser, not only demonstrates feasibility but also suggests strategies for browsers and web developers to protect themselves more comprehensively against such attacks.

“When I shared the exploit with the Chrome security team and the product security team, at that point everyone was like, ‘OK, wow, it’s very clear that this is the impact,’” said Stephan Röttger, a security engineer at Google. “Based on that, we made several decisions to put more resources into implementing Spectre defenses in our web frameworks.”

In recent years, Chrome and other mainstream browsers have implemented a practice called “site isolation”, which renders pages from different sites in separate processes so that their data is kept apart. Because a Spectre attack reads memory from the process in which the attacker's code is running, site isolation makes it much harder for an attacker to reach the confidential information they want: the victim site's data is no longer loaded into the same process at the same time. Browsers have also added related defenses that load the components of a single page separately (a company's own logo, say, versus third-party ads), so that content from other origins does not share the page's process, and that sever the link between two pages when neither needs to communicate with the other.

Defenses like these cannot stop Spectre attacks outright. Instead, they reduce the chances that an attacker who mounts one can obtain anything useful or private from the processor. The proof of concept by Röttger and his colleagues offers a more nuanced view of how browsers, including Chromium-based browsers such as Microsoft Edge, can implement these kinds of defenses. It also highlights ways in which web developers can architect their platforms and applications differently, preserving functionality while limiting more deliberately which user data an attacker can reach.

“We think we’ve already thought about what developers need to do to protect themselves, and the set of things they need to do isn’t incredibly big,” says Mike West, head of Chrome platform security and co-chair of the World Wide Web Consortium’s Web Application Security Working Group. “The real job, and the reason that browsers can’t do this on behalf of the developer, is that the decisions that need to be made are application-specific. They will involve an analysis of the things that your server offers for the internet and the ways in which these things should be offered.”

Google is working through the W3C, an international standards body, to propose guidelines and best practices for browsers and web developers. The strategy has worked for Google before, as in its effort to move the needle on massive initiatives like promoting HTTPS encryption across the web. But West acknowledges that it takes time for the entire web community to adopt structural changes of this kind.
