Google published several prototype exploits, showing the possibility of exploiting the Specter class vulnerabilities when executing JavaScript code in a browser bypassing previously added protection methods. Exploits can be used to gain access to the memory of a process that is processing web content in the current tab. To test the exploit, the site leaky.page was launched, and the code describing the logic was running hosted on GitHub.
The proposed prototype is designed to attack systems with Intel Core i7-6500U processors in an environment with Linux and Chrome 88. Changes are required to use the exploit for other environments. The method of operation is not specific for Intel processors – after appropriate adaptation, the exploit was confirmed to work on systems with CPUs from other manufacturers, including the Apple M1 based on ARM architecture. After minor adjustments, the exploit also works on other operating systems and other browsers based on the Chromium engine.
In an environment based on stock Chrome 88 and Intel Skylake processors, we managed to achieve data leakage from the process responsible for processing web content in the current Chrome tab ( renderer process ), at a speed of 1 kilobyte per second. Additionally, alternative prototypes were developed, for example, an exploit that allows, at the cost of reduced stability, to increase the leakage rate to 8kB / s when using the performance.now () timer with an accuracy of 5 microseconds (0.005 milliseconds). A variant was also prepared that works with a timer precision of one millisecond, which could be used to organize access to the memory of another process at a rate of about 60 bytes per second.
The published demo code consists of three parts. The first part calibrates the timer to estimate the execution time of the operations required to recover the data remaining in the processor cache as a result of speculative execution of CPU instructions. The second part defines the memory layout used when allocating the JavaScript array.
The third part directly exploits the Specter vulnerability to determine the contents of the memory of the current process as a result of creating conditions for speculative execution of certain operations, the result of which is discarded by the processor after determining a failed forecast, but the traces of execution settle in the shared cache and can be restored using detection methods cache content via side channels that analyze changes in access time to cached and non-cached data.
The proposed exploitation technique eliminates the need for high-precision timers available through the API performance.now ()