



Three years on, CPU-level data-leakage techniques are still in their infancy.

A newly discovered side-channel attack targeting Google Chrome allows attackers to overcome web browser security defenses and use Spectre-style attacks to obtain sensitive information.

A transient execution side-channel attack called Spook.js can circumvent Chrome’s protections against speculative execution (Spectre) exploits and steal credentials, personal data, and more.

That is according to the authors of a paper entitled Spook.js: Speculative Execution Attack on Chrome’s Strict Site Isolation (PDF).

Spectre attacks

Spectre, which made global headlines in 2018, exploits flaws in modern CPU optimization features to bypass the security mechanisms that prevent different processes from accessing each other’s memory space.

This enables attacks on many different types of application, including web apps: by exploiting how applications and processes interact with the processor and on-chip memory, attackers can steal sensitive information from various websites.

Google warns that Spectre attacks on websites remain a serious threat

Since then, browser vendors have taken various steps to make browsers less vulnerable to Spectre-style attacks.

Google Chrome introduced Strict Site Isolation, which prevents different web pages from sharing the same process. Chrome also splits the address space of each process into separate 32-bit sandboxes (despite being a 64-bit application).

By limiting all values to 32 bits, this is intended to prevent Spectre attackers from crossing partition boundaries and to further limit the disclosure of information, the researchers explain.

No longer isolated

Despite these protections, researchers at the University of Michigan, the University of Adelaide, Georgia Institute of Technology, and Tel Aviv University say that Spook.js shows these measures are inadequate to protect users from browser-based speculative execution attacks.

Specifically, they show that Chrome’s Strict Site Isolation implementation consolidates web pages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains.

They also show how to bypass Chrome’s 32-bit sandbox mechanism. This is achieved with a type confusion attack, which transiently causes Chrome’s JavaScript engine to operate on an object of the wrong type.

Using this method, multiple 32-bit values can be combined into a single 64-bit pointer, which allows the entire process address space to be read.

Finally, going beyond the initial proof of concept, the paper demonstrates an end-to-end attack that extracts the list of open pages, their content, and even sensitive information such as login credentials.

Proof of concept

The research team showed how the attack can be used to hijack a Tumblr account by targeting Chrome’s built-in credential manager and stealing the user’s credentials.

They also showed how Spook.js can recover the master password of the LastPass Chrome extension, giving access to all the credentials stored in the user’s password vault.

Beyond usernames and passwords, the researchers were able to access many other sensitive data sets held in memory by websites rendered in the Chrome browser or by Chrome extensions.

The researchers said they could access the list of tabs the user currently has open on the same site; phone numbers, addresses, bank account information, usernames, passwords, and credit card numbers auto-filled by the credential manager on a website; and, under certain circumstances, the Google Photos image the user is currently viewing.

The attack is not limited to Google Chrome: it also succeeds against other Chromium-based browsers such as Microsoft Edge and Brave.

In response, Google has introduced Strict Extension Isolation, a feature that prevents multiple extensions from being merged into the same process when memory is low, which stops Spook.js from reading the memory of other extensions.

Strict Extension Isolation is enabled starting with Chrome version 92.

The researchers also advised that web developers can immediately isolate untrusted user-supplied JavaScript code from all other content on their website by hosting all user-supplied JavaScript on a domain with a different eTLD+1.

In this way, Strict Site Isolation will not consolidate attacker-supplied code into the same process as content containing potentially sensitive data; since Spook.js cannot cross process boundaries, that data is placed out of its reach.

In addition, sites can register their domain names in the Public Suffix List (PSL). The PSL, maintained by Mozilla, is a list of domains under which users can directly register names (even if the domain is not a true top-level domain).

If the eTLD+1 domain is on the PSL, Chrome will not consolidate its pages; that is, x.publicsuffix.com and y.publicsuffix.com are always kept separate.
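As an added illustration (not code from the paper or from Chrome itself), the toy model below reproduces the eTLD+1 check that decides whether two pages may share a renderer process, and shows why hosting user-supplied scripts on a different eTLD+1, or registering a domain in the PSL, keeps an attacker-controlled page out of the victim page’s process. The suffix list is a constructed stand-in for the real PSL.

```javascript
// Constructed toy public-suffix list (the real PSL has thousands of rules).
// "publicsuffix.com" stands for a site that registered itself in the PSL.
const TOY_PSL = new Set(["com", "co.uk", "github.io", "publicsuffix.com"]);

// Longest matching public suffix of a host, tried from the most specific
// label downwards; falls back to the last label when nothing matches.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (TOY_PSL.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// eTLD+1 ("site"): the public suffix plus the single label registered
// directly under it. A host that is itself a public suffix has no site.
function siteForHost(host) {
  const labels = host.toLowerCase().split(".");
  const suffixLen = publicSuffix(host).split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Strict Site Isolation (simplified): two pages may be consolidated into
// the same process only when their eTLD+1 is identical.
function wouldShareProcess(hostA, hostB) {
  const a = siteForHost(hostA);
  const b = siteForHost(hostB);
  return a !== null && a === b;
}

// Mitigation check for a site operator: user-supplied scripts are safely
// isolated only if their host never shares a process with the main site.
function userScriptsIsolated(siteHost, userScriptHost) {
  return !wouldShareProcess(siteHost, userScriptHost);
}
```

With this list, attacker.example.com and victim.example.com collapse to the same site (example.com), while x.publicsuffix.com and y.publicsuffix.com stay separate because publicsuffix.com is a public suffix.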

Spook.js mitigation advice

When asked how users can protect themselves from Spook.js, Jason Kim of Georgia Institute of Technology told The Daily Swig: In response to the attack, Google has introduced Strict Extension Isolation, which prevents multiple extensions from being consolidated into a single Chrome process.

Therefore, you can protect yourself from one version of the attack by upgrading to Chrome 92. However, some variants of Spook.js may still be possible because of the logic that Strict Site Isolation uses to determine whether a site needs to be isolated.

Kim added: In these cases, the countermeasures should be deployed by website administrators and web developers, not by individual users. Fortunately, effective use of Spook.js requires considerable side-channel expertise, which raises the bar for potential attackers.

From the archive: Meltdown and Spectre, a year later: The feared CPU slowdown didn’t really happen

