Google publishes “Leaky.Page”, which shows Spectre in action in web browsers

GOOGLE -

Google has released a proof of concept that shows the practicality of Spectre exploits in the modern JavaScript engines of web browsers. The code is available and you can try it yourself on the leaky.page website.

Google’s Leaky.Page code shows that it is possible to leak data at about 1 kB/s when running the Chrome web browser on a Skylake processor. The proof-of-concept code targets Intel Skylake CPUs, but it should work on other processors and browsers with minor changes to the JavaScript. Google also managed to run the Leaky.Page attack on Apple M1 ARM processors without major changes.

Google also has code capable of leaking data at a rate of 8 kB/s, but with lower stability. At the other end of the scale, they have proof-of-concept code that relies only on JavaScript timers and runs at 60 B/s.

Google’s Leaky.Page PoC is built around a Spectre V1 gadget: a JavaScript array access that the CPU speculatively performs out of bounds. While the V1 gadget can be mitigated in software, Chrome’s V8 team has concluded that other gadgets, such as Spectre Variant 4, would be infeasible to mitigate in software.
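To make the V1 gadget shape and its software mitigation concrete, here is an added example in JavaScript (not Google’s leaky.page code): a plain bounds-checked array read next to the branchless index-masking form that keeps even a speculatively skipped check from reaching memory outside the array. The `pub` buffer is constructed sample data, and the masking assumes the array length is below 2^31.

```javascript
// Constructed sample data: a small public buffer that a V1 gadget would index.
const pub = new Uint8Array([10, 20, 30, 40]);

// Gadget shape: the bounds check is a conditional branch. The branch predictor can
// guess "in bounds" for an attacker-chosen i, so the CPU may speculatively load
// pub[i] from beyond the array and leave a cache footprint that depends on that
// memory before the check is resolved. Functionally the code is correct.
function readChecked(arr, i) {
  if (i >= 0 && i < arr.length) {
    return arr[i];
  }
  return 0;
}

// Mitigation (index masking): derive a mask arithmetically from the comparison
// instead of branching on it. Assumes len < 2^31 so that (i - len) never wraps.
//   i in [0, len)  -> (i - len) is negative, sign bit spreads to 0xFFFFFFFF (-1)
//   i >= len       -> (i - len) is non-negative, mask is 0
//   i < 0          -> second term clears the mask to 0
function maskIndex(i, len) {
  i = i | 0;            // force an int32 index
  len = len | 0;
  const inBounds = (i - len) >> 31;   // -1 when i < len, else 0
  const nonNeg = ~(i >> 31);           // -1 when i >= 0, else 0
  return inBounds & nonNeg;            // -1 only when 0 <= i < len
}

// The index that reaches the load is i & mask, which is 0 for any out-of-bounds i,
// so no speculative path can address memory past the array. The loaded value is
// masked too, so out-of-bounds callers observe 0 rather than arr[0].
function readMasked(arr, i) {
  const mask = maskIndex(i, arr.length);
  return arr[i & mask] & mask;
}

// Both reads agree on every in-bounds and out-of-bounds input; only the
// speculative behaviour of the compiled code differs.
function agreesEverywhere(arr, probes) {
  return probes.every((i) => readChecked(arr, i) === readMasked(arr, i));
}
```

Whether the JIT actually emits a branch-free sequence for `maskIndex` is up to the engine, which is why browser vendors treat process isolation, not source-level masking, as the primary defence.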

Learn more about Google’s latest Spectre findings on the Google Security Blog. The Spectre proof-of-concept code can be found at leaky.page.
