With Spectre Still Lurking, Google Seeks to Protect the Web

It has been more than three years since researchers disclosed a pair of security vulnerabilities, known as Spectre and Meltdown, that exposed fundamental flaws in the way most modern processors handle data in order to maximize performance. Although they affect an enormous number of computing devices, so-called speculative execution flaws are relatively difficult to exploit in practice. But now Google researchers have developed a proof of concept that shows the danger Spectre attacks pose to the browser, hoping to motivate a new generation of defenses.

Researchers never doubted that Spectre could be exploited by browser-based attackers. Every program running on a computer executes its instructions and handles its data through the processor and memory, which leaves all of that data exposed to speculative execution attacks. That includes browsers, which load data from web servers and then display the content on the user’s device using a local component called a rendering engine. A Spectre attack on a browser would essentially be launched from a website the victim visits, in order to read data belonging to other pages they have open. Such attacks could even be used to impersonate the target and extract more of their data from web applications they are logged into.

In the years since the initial disclosure of Spectre and Meltdown, this type of attack has never been seen in the wild, and it was unclear how practical the technique would be. Google’s proof of concept against its own Chrome browser not only demonstrates that it is viable, but also points to strategies that browsers and web developers can use to protect themselves more fully against these attacks.

“When I shared the exploit with the Chrome security team and the product security team, at that point everyone was saying to me, ‘Okay, come on, it’s very clear that’s the impact,’” says Stephen Röttger, a Google security engineer. “Based on that, we made a lot of decisions to allocate more resources to deploying Spectre defenses across our web frameworks.”

In recent years, Chrome and other major browsers have implemented a practice called “site isolation” to render separate websites in separate processes and keep their data apart. Because Spectre attacks work by inducing the processor to leak data that happens to be nearby in memory at the right moment, site isolation makes it much harder for an attacker to reach the sensitive information they want, since the attacker’s page and the victim’s data no longer pass through the processor in the same place at the same time. Browsers have also added related defenses that load the components of a single website separately (a company’s own logo versus third-party ads, for example) and that prevent data from flowing in both directions between two pages when that two-way access is not essential.
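The per-response opt-ins that let a browser keep a page in its own process and refuse cross-origin content that has not consented are the mechanism behind the "related defenses" described above, and deciding which responses get them is the kind of application-specific work the article goes on to discuss. The following is an added example, in JavaScript, and is not code from the original article or from Google's proof of concept: a small set of helpers that build and audit the standard Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers. The helper names and the sample responses are this example's own assumptions; the header names and values are the standard ones.

```javascript
// Added example (not from the original article or from Google's proof
// of concept). Builds and audits the standard cross-origin isolation
// headers; helper names and the sample responses are assumptions of
// this example, the header names and values are the standard ones.

const COOP = "cross-origin-opener-policy";
const COEP = "cross-origin-embedder-policy";
const CORP = "cross-origin-resource-policy";

// Normalise a header map to lower-case names and trimmed, lower-case
// values so the checks below work on whatever case a framework emits.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  return out;
}

// Headers for a top-level document that wants its own process: COOP
// severs the window.opener link to cross-origin pages, COEP refuses
// subresources that have not opted in via CORP or CORS.
function isolationHeaders(coepMode = "require-corp") {
  if (coepMode !== "require-corp" && coepMode !== "credentialless") {
    throw new Error(`unsupported COEP mode: ${coepMode}`);
  }
  return { [COOP]: "same-origin", [COEP]: coepMode };
}

// Header for a resource response. Use "same-origin" for anything that is
// user-specific (API JSON, a logged-in user's document) and "cross-origin"
// only for resources that are genuinely public (a logo, a public script).
function resourceHeaders(scope) {
  const allowed = ["same-origin", "same-site", "cross-origin"];
  if (!allowed.includes(scope)) {
    throw new Error(`unsupported CORP scope: ${scope}`);
  }
  return { [CORP]: scope };
}

// Mirrors the condition under which a browser reports
// self.crossOriginIsolated === true for a document.
function isCrossOriginIsolated(headers) {
  const h = normalize(headers);
  return (
    h[COOP] === "same-origin" &&
    (h[COEP] === "require-corp" || h[COEP] === "credentialless")
  );
}

// Returns the isolation headers that are missing or weakly set on a
// document response, so a deployment check can fail loudly.
function auditDocumentHeaders(headers) {
  const h = normalize(headers);
  const missing = [];
  if (h[COOP] !== "same-origin") missing.push(COOP);
  if (h[COEP] !== "require-corp" && h[COEP] !== "credentialless") {
    missing.push(COEP);
  }
  return missing;
}

// Constructed sample responses standing in for what a server emits.
const samples = {
  legacyDocument: { "Content-Type": "text/html" },
  isolatedDocument: { "Content-Type": "text/html", ...isolationHeaders() },
  accountApi: {
    "Content-Type": "application/json",
    ...resourceHeaders("same-origin"),
  },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(
    name,
    "isolated:", isCrossOriginIsolated(headers),
    "missing:", auditDocumentHeaders(headers).join(",") || "none"
  );
}
```

The audit deliberately treats a document with only Cross-Origin-Opener-Policy as not isolated: without a Cross-Origin-Embedder-Policy the page can still pull arbitrary cross-origin subresources into its process, which is exactly the data an in-process Spectre read would target.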

Such defenses cannot stop Spectre attacks altogether. Instead, they reduce the chances that an attacker who does launch one can extract useful or private information from the processor. The proof of concept by Röttger and colleagues reveals more nuanced ways that browsers, including Chromium-based browsers such as Microsoft Edge, can implement such defenses. But it also highlights ways web developers could architect their platforms and applications differently to preserve functionality while shielding user information more strategically.

“We think we’ve wrapped our heads around what developers have to do to protect themselves, and the set of things they have to do isn’t surprisingly large,” says Mike West, head of security for the Chrome platform and co-chair of the World Wide Web Consortium’s web application security working group. “The real work, and the reason why browsers can’t do it on behalf of the developer, is that the decisions that need to be made are application-specific. They will involve an analysis of the things that your server offers on the internet and the ways in which these things are to be offered.”

Google is working through the W3C, an international standards body, to propose guidelines and best practices for both browsers and web developers. That strategy has worked for Google before, as in its effort to move the needle on large initiatives such as the promotion of HTTPS encryption across the web. But West acknowledges that it takes time to bring the entire web community along with these kinds of structural changes.
