Google publishes ‘Leaky.Page’, which shows Spectre in action within web browsers


Google has released proof-of-concept code demonstrating the practical use of Spectre against the JavaScript engines of modern web browsers. The code is public, and you can even try it on the leaky.page website.

Google’s Leaky.Page code shows that it is possible to leak data at about 1 kB/s when running in the Chrome web browser on a Skylake CPU. The proof-of-concept code targets Intel Skylake processors, but it should work on other processors and browsers as well with minor tweaks to the JavaScript. Google also managed to run the Leaky.Page attack on Apple M1 ARM CPUs without any major changes.

Google also has prototype code that can leak data at a rate of 8 kB/s, but with lower stability. At the other end, they have proof-of-concept code with JavaScript timers that can leak at 60 B/s.

Google’s Leaky.Page PoC is a Spectre V1 gadget: a JavaScript array that is speculatively accessed out of bounds. Although the V1 gadget can be mitigated at the software level, Chrome’s V8 team found that other gadgets, such as those for Spectre Variant 4, are “simply unworkable in software” to mitigate.
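One software-level mitigation for a V1 bounds-check gadget is index masking, sketched below as an added illustration; it is not Google's PoC or V8 code. The function names and the sample array are constructed, and choosing index masking is an assumption, since the article does not name a specific mitigation.

```javascript
// Added illustration: branchless index masking for a bounds-checked array read.
// indexMask, readUnmasked and readMasked are hypothetical names.

// Returns -1 (all bits set) when 0 <= index < length, otherwise 0.
// Uses only bitwise arithmetic, so the result does not depend on a branch.
// Assumes index and length are integers that fit in a signed 32-bit value.
function indexMask(index, length) {
  // For an in-range index both operands of | are non-negative, so the sign
  // bit of the OR is 0; inverting and arithmetic-shifting yields all ones.
  // A negative index, or index >= length, sets the sign bit and yields 0.
  return ~(index | (length - 1 - index)) >> 31;
}

// The V1 gadget shape: the bounds check is a conditional branch, so a
// mispredicted branch can let the load run with an out-of-range index.
function readUnmasked(arr, index) {
  if (index < arr.length) {
    return arr[index];
  }
  return undefined;
}

// Hardened form: the index is ANDed with the mask before the load. The
// load address now depends on the mask as data, so even if the branch is
// mispredicted an out-of-range index collapses to element 0.
function readMasked(arr, index) {
  if (index >= 0 && index < arr.length) {
    return arr[index & indexMask(index, arr.length)];
  }
  return undefined;
}

// Constructed sample data for the demonstration.
const sample = [10, 20, 30, 40, 50, 60, 70, 80];
for (const i of [0, 7, 8, -1, 1000]) {
  console.log(i, indexMask(i, sample.length), readMasked(sample, i));
}
```

JIT compilers apply this kind of masking in the machine code they emit; the source-level version only illustrates the arithmetic and the architectural result, which is identical to the unmasked read.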

Learn more about Google’s latest Spectre findings via the Google Security Blog. The proof-of-concept Spectre code can be found at leaky.page.

Meanwhile, the W3C released a draft version of Web Developer Recommendations around Spectre this week.
