Google publishes “Leaky.Page” with Spectre in action within web browsers

GOOGLE -

Google has published proof-of-concept code demonstrating that Spectre exploits are practical against the JavaScript engines of modern web browsers. The code is public, and you can try it yourself on the leaky.page website.

Google’s Leaky.Page code shows that data can be leaked at roughly 1 kB/s when running Chrome on an Intel Skylake CPU. The proof of concept targets Skylake, but it should also work on other processors and browsers with minor JavaScript tweaks; Google reports that the same attack also ran on Apple’s M1 ARM CPU without major changes.

Google has also prototyped code that leaks data at 8 kB/s, at the cost of lower stability, and a variant that relies only on standard, low-resolution JavaScript timers and still leaks at 60 B/s.

Google’s Leaky.Page PoC is built around a Spectre Variant 1 gadget: a JavaScript array whose bounds check is speculatively bypassed, so an out-of-bounds element is read during transient execution and its value is encoded into the cache, from where it is recovered by timing. While V1 gadgets can be mitigated at the software level, Chrome’s V8 team has concluded that mitigating other gadgets, such as those for Spectre Variant 4, is “just not feasible in software”.
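The following is an added illustration, not code from Google's leaky.page PoC or from V8: it shows the shape of a Spectre V1 gadget in JavaScript and the branchless index-masking technique that engines use to harden such array accesses in software. The cache-timing probe that a real attack needs (high-resolution timer, cache eviction, measuring which probe line is hot) is deliberately omitted; the speculative window is instead modelled by a helper that executes the gadget body as if the bounds-check branch had been predicted taken. All names, the memory layout and the secret bytes are constructed for the example.

```javascript
// Added example (not Google's or V8's code): Spectre V1 gadget shape and an
// index-masking hardening, with the speculative window modelled in software.

// Constructed memory: 16 "public" bytes that a bounds check is supposed to
// confine accesses to, followed by simulated secret bytes at offset 32.
const PUBLIC_LEN = 16;
const memory = new Uint8Array(64);
for (let i = 0; i < PUBLIC_LEN; i++) memory[i] = i;
const SECRET_OFFSET = 32;
memory.set([0x53, 0x45, 0x43], SECRET_OFFSET); // "SEC", constructed secret

// Attacker-controlled probe buffer: one cache line (here one page) per
// possible byte value, so the value loaded transiently selects the line.
const STRIDE = 4096;
const probe = new Uint8Array(256 * STRIDE);

// Vulnerable gadget. The bounds check is a conditional branch; under
// misprediction the CPU transiently runs the body with idx >= PUBLIC_LEN,
// loads memory[idx] (the secret) and touches probe[value * STRIDE]. The
// architectural result is discarded, but the cache footprint survives.
function gadgetVulnerable(idx) {
  if (idx < PUBLIC_LEN) {
    const value = memory[idx];
    return probe[value * STRIDE]; // dependent load: the side-channel transmitter
  }
  return undefined;
}

// Branchless index mask. For non-negative 32-bit operands, (idx - len) >> 31
// is -1 (all ones) when idx < len and 0 otherwise, so idx & mask is idx when
// in bounds and 0 when out of bounds. There is no branch to mispredict, so
// the clamp also holds on a transient path.
function maskIndex(idx, len) {
  return idx & ((idx - len) >> 31);
}

// Hardened gadget: same architectural behaviour as the vulnerable one, but the
// index used by the load is masked, so a mispredicted path reads memory[0].
function gadgetHardened(idx) {
  if (idx < PUBLIC_LEN) {
    const safe = maskIndex(idx, PUBLIC_LEN);
    return probe[memory[safe] * STRIDE];
  }
  return undefined;
}

// Model of the speculative window: run the body regardless of the bounds
// check and return the probe line it would touch. A real attack recovers this
// number by timing probe accesses; here it is returned directly so the
// difference between the two gadgets can be checked deterministically.
function speculativeTouch(idx, hardened) {
  const index = hardened ? maskIndex(idx, PUBLIC_LEN) : idx;
  return memory[index]; // probe line index == leaked byte value
}

// The attacker's loop: leak `len` bytes starting at `offset` one byte per
// speculative execution, exactly as a V1 PoC reads memory out of bounds.
function recoverSecret(offset, len, hardened) {
  let out = "";
  for (let i = 0; i < len; i++) {
    out += String.fromCharCode(speculativeTouch(offset + i, hardened));
  }
  return out;
}

// Usage: the unmasked gadget leaks "SEC"; the masked one leaks only memory[0].
recoverSecret(SECRET_OFFSET, 3, false);
recoverSecret(SECRET_OFFSET, 3, true);
```

Two caveats a practitioner should keep in mind. First, this mask is only meaningful if the generated machine code is actually branch-free; when the mitigation is applied inside an engine such as V8 it controls the emitted code, whereas a mask written in user-level JavaScript may be rewritten by the JIT, so the example demonstrates the technique rather than a guaranteed user-space fix. Second, the masking only protects the bounds check it is attached to; it does nothing against Variant 4 (speculative store bypass), which is the class the text above describes as impractical to mitigate in software.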

Read about Google’s latest Spectre findings on the Google Security Blog. The proof-of-concept Spectre code can be found at leaky.page.
