With Spectre Still Lurking, Google Seeks to Protect the Web

It has been more than three years since researchers unveiled a pair of security vulnerabilities, known as Spectre and Meltdown, that revealed fundamental flaws in how most modern computer processors handle data to maximize performance. Although they affect an astronomical number of computing devices, these so-called speculative execution bugs are relatively difficult to exploit in practice. But now Google researchers have developed a proof of concept that shows the danger Spectre attacks pose to the browser, hoping to motivate a new generation of defenses.

Researchers never doubted that Spectre could be exploited for browser-based attacks. Every program running on a computer executes its instructions and handles its data through the computer’s processor and memory, which makes all of that information potentially vulnerable to speculative execution attacks. That includes browsers, which download data from web servers and then display content on each user’s device through a local component called the rendering engine. A Spectre browser attack would essentially run on a web page the victim is visiting in order to retrieve data from other pages they have open. Such attacks could even be used to identify a target and extract more data from the web applications they are logged into.

In the years since the initial Spectre and Meltdown disclosures, that specific type of attack was never seen in the wild, and it was unclear how practical the method would be. Google’s proof of concept, built against its own Chrome browser, not only demonstrates feasibility but also suggests strategies that browsers and web developers can use to protect themselves more fully from such attacks.

“When I shared the operation with the Chrome security team and the product security team, then everyone said, ‘OK, wow, it’s very clear that’s the impact,’” says Stephen Röttger, a security engineer at Google. “Based on this, we have made a lot of decisions to put more resources into implementing Spectre defense systems in our web.”

Over the past few years, Chrome and other major browsers have implemented a practice called “site isolation” that renders web pages separately and keeps their data apart from one another. Because Spectre attacks work by inducing a processor to leak data at the right moment, site isolation makes it much more difficult for an attacker to get the sensitive information they want, because not all data flows through the processor in one place at the same time. Browsers have also added related defenses that load components of a single website separately (such as a company logo versus third-party ads) and that block data flow in both directions between two pages when that exchange is not essential.

These types of defenses cannot completely stop Spectre attacks. Instead, they reduce the chances that a bad actor who launches such an attack can get useful or private information out of the processor. The proof of concept from Röttger and his colleagues reveals more nuanced ways in which browsers, including Chromium-based browsers such as Microsoft Edge, can implement these defenses. But it also highlights ways in which web developers could architect their platforms and applications differently to preserve functionality while shielding even more sensitive user information.
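The “block data flow between two pages” and “load components separately” defenses described above are switched on per site by HTTP headers that each web application must send and enforce itself. As an added example (not code from the article, from Google or from the Chrome project), the Python below checks a response for the real cross-origin isolation headers (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy) and applies a Fetch Metadata resource isolation policy to incoming requests; the sample request and response headers are constructed.

```python
# Real web-platform header names; values considered strong enough for isolation.
ISOLATION_HEADERS = {
    "cross-origin-opener-policy": {"same-origin"},
    "cross-origin-embedder-policy": {"require-corp", "credentialless"},
    "cross-origin-resource-policy": {"same-origin", "same-site"},
}

def _lower(headers):
    """Case-insensitive view of a header dict."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}

def isolation_gaps(response_headers):
    """List isolation headers a response is missing or sets too weakly.
    Empty list: the page opts into cross-origin isolation (COOP + COEP) and
    refuses to be loaded as a subresource by other sites (CORP)."""
    got = _lower(response_headers)
    gaps = []
    for name, strong in ISOLATION_HEADERS.items():
        value = got.get(name)
        if value is None:
            gaps.append(f"{name}: missing")
        elif value not in strong:
            gaps.append(f"{name}: weak value {value!r}")
    return gaps

def allow_request(request_headers, method):
    """Resource Isolation Policy using Fetch Metadata request headers: refuse
    cross-site requests except plain GET navigations, so another site cannot
    pull this server's responses into its own process to read them."""
    got = _lower(request_headers)
    site = got.get("sec-fetch-site")
    if site is None:  # browser too old to send Fetch Metadata: let it through
        return True
    if site in ("same-origin", "same-site", "none"):
        return True
    return (method.upper() == "GET"
            and got.get("sec-fetch-mode") == "navigate"
            and got.get("sec-fetch-dest") not in ("object", "embed"))

# Constructed sample traffic, not captured from any real site.
SAMPLE_RESPONSE = {"Cross-Origin-Opener-Policy": "unsafe-none",
                   "Content-Type": "text/html"}
SAMPLE_REQUEST = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                  "Sec-Fetch-Dest": "image"}

if __name__ == "__main__":
    print(isolation_gaps(SAMPLE_RESPONSE))  # weak COOP, missing COEP and CORP
    print(allow_request(SAMPLE_REQUEST, "GET"))  # False: cross-site image fetch
```

Old browsers that send no Sec-Fetch-* headers are allowed through, so the request policy is a defense in depth on top of the response headers, not a replacement for them.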

“We think we’ve wrapped our heads around what developers need to do to protect themselves, and the set of things they need to do is not surprisingly large,” said Mike West, head of security for Chrome and chair of the World Wide Web Consortium’s Web Application Security Working Group. “The real work and the reason why browsers can’t do it on behalf of the developer is that the decisions that need to be made are application-specific. They will involve an analysis of the things that your server offers to the internet and the ways in which these things should be offered.”

Google is working through the W3C, an international standards body, to provide guidance and best practices for both browsers and web developers. The strategy has worked for Google before, in its efforts to move the needle on large initiatives such as promoting HTTPS encryption across the web. But West acknowledges that it takes time to get the entire web community on board with these types of structural changes.
