With Spectre still lurking, Google is trying to protect the web

It has been more than three years since researchers uncovered a pair of security vulnerabilities, known as Spectre and Meltdown, that revealed fundamental flaws in the way most modern processors handle data to maximize efficiency. Although they affect an astronomical number of computing devices, the so-called speculative execution bugs are relatively difficult to exploit in practice. Now, Google researchers have developed a proof-of-concept that shows the danger Spectre attacks pose to the browser, in the hope of motivating a new generation of defense mechanisms.

Researchers have never doubted that Spectre could be misused for browser-based attacks. Every program running on a computer executes its instructions and processes its data through the computer’s processor and memory, making all of that information potentially vulnerable to speculative execution attacks. That includes browsers, which load data from web servers and then render the content on individual users’ devices through a local component called a rendering engine. A Spectre browser attack would essentially be launched from a web page that a victim visits in order to collect data from other open pages. Such attacks could even be used to impersonate the target and extract more of their data from web apps they are logged into.

In the years since the initial Spectre and Meltdown revelations, that particular type of attack has never been seen in the wild, and it was unclear how practical the method would be. Google’s proof-of-concept against its own Chrome browser not only illustrates its feasibility, but also hints at strategies that both browsers and web developers can use to protect against such attacks more comprehensively.

“When I shared the exploit with the Chrome security team and the product security team, everyone thought, ‘Okay, wow, it’s very clear that this is the impact,’” said Stephen Röttger, a security engineer at Google. “Lots of decisions were made to spend more resources rolling out Spectre defenses in our web frameworks.”

In recent years, Chrome and other mainstream browsers have implemented a practice called ‘site isolation’, which renders web pages in separate processes and isolates their data from each other. Since Spectre attacks are all about getting a processor to leak data at the right moment, site isolation makes it much harder for an attacker to get their hands on the sensitive information they want, because the data is no longer all in the same place, passing through the processor at the same time. Browsers have also added related defenses that load the components of a single website separately (a company’s own logo versus third-party ads, for example) and that prevent data from flowing in both directions between two pages when that reciprocity is not essential.

These types of defenses cannot completely stop Spectre attacks. Instead, they reduce the likelihood that a bad actor could pull useful or private information out of the processor if they launch such an attack. The proof-of-concept from Röttger and his colleagues reveals more nuanced ways in which browsers, including Chromium-based browsers such as Microsoft Edge, can implement these types of defenses. But it also highlights the ways web developers can design their platforms and applications differently to preserve functionality while locking down user information even more strategically.

“We think we’ve got our heads down on what developers need to do to protect themselves and that the range of things they need to do is not astonishingly wide,” said Mike West, chief of Chrome platform security and co-chair of the World Wide Web Consortium’s web application security working group. “The real thing, and the reason the browsers can’t do it on behalf of the developer, is that the decisions to be made are application-specific. They’re going to involve an analysis of the things your server is offering on the Internet and the ways those things should be offered.”
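The article describes these defenses only in general terms: isolating a page from other pages, loading a site’s own components separately from third-party ones, and refusing cross-site data flows that the application does not need. The following is an added illustration (not code from the article, Google or Chrome) of how a web developer applies that guidance on their own server using the real Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy and Sec-Fetch-* headers; the path prefixes, helper names and sample requests are constructed for the example, and which paths count as sensitive is exactly the application-specific decision West refers to.

```python
# Constructed example: which URL prefixes hold user-specific data is an
# application-specific choice that only the developer can make.
SENSITIVE_PREFIXES = ("/api/", "/account/")


def isolation_headers():
    """Response headers that opt a document into cross-origin isolation.

    COOP: same-origin cuts the window reference between this page and any
    cross-origin page that opened it (or that it opened), so the two no
    longer share a browsing context group. COEP: require-corp means every
    embedded cross-origin subresource must opt in explicitly via CORS or
    CORP. CORP: same-origin keeps this site's own responses from being
    pulled into another site's renderer process at all.
    """
    return {
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "require-corp",
        "Cross-Origin-Resource-Policy": "same-origin",
    }


def should_serve(path, headers, method="GET"):
    """Resource isolation policy based on Fetch Metadata request headers.

    Returns True if the request may be served, False if it should be
    rejected before any sensitive bytes reach a cross-site page's renderer
    (where a speculative-execution leak could otherwise read them).
    """
    site = headers.get("Sec-Fetch-Site")
    mode = headers.get("Sec-Fetch-Mode")
    dest = headers.get("Sec-Fetch-Dest")
    if not path.startswith(SENSITIVE_PREFIXES):
        return True  # public asset such as a logo or stylesheet: embeddable anywhere
    if site is None:
        return True  # older browser without Fetch Metadata; other layers must decide
    if site in ("same-origin", "same-site", "none"):
        return True  # our own pages, or a navigation the user typed/bookmarked
    # Cross-site request for sensitive data: allow only a top-level GET
    # navigation (the user followed a link); reject embedding and fetches.
    if mode == "navigate" and method == "GET" and dest not in ("object", "embed"):
        return True
    return False
```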

Google is collaborating through the W3C, an international standards body, to propose guidelines and best practices for browsers and web developers alike. The strategy has worked for Google before, for instance in its effort to move the needle on large initiatives such as promoting HTTPS web encryption. But West recognizes that it takes time to get the entire web community on board with these kinds of structural changes.
