Spectre attacks against websites still a serious threat, Google warns

Three years after the infamous Spectre vulnerability was discovered, hackers can still exploit the security flaw in order to force web browsers to leak information, Google’s security team warns.

The problem has arisen despite extensive efforts by browser developers to harden their software against Spectre-style attacks.

The results of the research were published on the Google Security Blog on Friday (March 12) and include a proof-of-concept exploit written in JavaScript that still works against several browsers, operating systems, and processors.

The key lesson from the research is that Spectre still haunts the industry – so developers need to deploy application-level mitigation measures in order to guard against potential attacks.

The Spectre vulnerability

First reported in 2018, the Spectre vulnerability and its twin, Meltdown, both take advantage of flaws in the optimization features of modern CPUs in order to circumvent the security mechanisms that prevent different processes from accessing each other’s memory space.

The Spectre vulnerability allowed a wide range of attacks against different types of applications, including web apps. By abusing how applications and processes interact with the processor and its on-chip caches, hackers can potentially extract sensitive information belonging to other websites open in the same browser.

While newer CPUs have mitigated the Spectre vulnerability at the hardware level, there’s a need for software-based mitigations as many devices still use pre-Spectre processors.

Along with cloud providers and operating system vendors, the developers of web browsers have been putting in efforts to protect users against Spectre attacks.

Their measures include browser protection options such as site isolation and out-of-process iframes, alongside security features that web developers can use to control the origin of resources used in websites.

“These mechanisms, while crucially important, don’t prevent the exploitation of Spectre; rather, they protect sensitive data from being present in parts of the memory from which they can be read by the attacker,” the Google Security Team explains.

Hacking the browser

The proof-of-concept (PoC) developed by the Google Security Team exploits the JavaScript engine on Chrome, but the researchers said the same issue applies to other browsers as well.

The PoC is based on a gadget that exploits the “variant 1” Spectre vulnerability, combined with a side channel that observes the side effects of the speculative execution.

Variant 1 Spectre, also known as the “bounds check bypass attack”, manipulates the speculative execution mechanisms of processors to access out-of-bounds memory locations.

Side channels that steal secret data from speculative execution attacks such as Spectre use timing-attack techniques to determine the location of the target data. Modern browsers reduce the granularity of their time-measurement functions to prevent such attacks.

The Google Security Team developed a new technique that overcomes this limitation and leaks data with low-precision timers.

The researchers published a demo of their PoC online:

https://youtube.com/watch?v=V_9cQP60ZGI%3Forigin%3Dhttps%3A

“While we don’t believe this particular PoC can be re-used for nefarious purposes without significant modifications, it serves as a compelling demonstration of the risks of Spectre,” the researchers conclude.

“In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites.”

Web developers urged to act

Short of hardware changes and firmware updates, there’s no easy way to develop a comprehensive fix for speculative execution vulnerabilities such as Spectre, the Google Security Team warns.

“Web developers should consider more robustly isolating their sites by using new security mechanisms that actively deny attackers access to cross-origin resources,” the blog post states.

Last year, Google Security published a comprehensive guide on mitigation techniques for different Spectre-style hardware attacks and common web-level cross-site leaks.

But the suggested methods require developers to assess the threat these vulnerabilities pose to their applications and understand how to deploy them, the Security Team notes.

The task is far from straightforward.

To further assist web developers, the Chrome security team has published a lengthy guide on hardening web applications against Spectre attacks.

The guidelines focus on controlling and limiting cross-origin resource sharing and interactions between websites.

The Google Security Team warns that, even if applied rigorously, the mitigation techniques don’t guarantee complete protection against Spectre.

“They [the mitigations] require a considered deployment approach which takes behaviors specific to the given application into account,” the researchers advise.

Source: https://portswigger.net/daily-swig/spectre-attacks-against-websites-still-a-serious-threat-google-warns
