With Spectre Still Lurking, Google Wants to Protect the Internet

It has been more than three years since researchers unveiled the security issues known as Spectre and Meltdown, which revealed fundamental flaws in the way most modern computer processors handle data to maximize efficiency. Although they affect an astronomical number of computing devices, the so-called speculative execution flaws are in practice relatively difficult to exploit. Now Google researchers have developed a proof of concept that demonstrates the danger Spectre attacks pose to the browser, hoping to motivate a new generation of defenses.

Researchers have never doubted that Spectre could be used for browser-based hacks. Every program running on a computer executes its instructions and crunches its data through the computer's processor and memory, making all of that information potentially vulnerable to speculative execution attacks. That includes browsers, which load data from web servers and then display the content on individual users' devices through a local component called a rendering engine. A Spectre browser attack would, in effect, launch from one web page the victim visits in order to retrieve data from other pages they have open. Such attacks could even be used to impersonate a target and retrieve more of their data from the web applications they are logged in to.

In the years since Spectre and Meltdown were first disclosed, that particular type of attack has never been seen in the wild, and it was unclear how practical the method would be. Google's proof of concept against its own Chrome browser not only illustrates the feasibility but also suggests strategies browsers and web developers can use to guard more comprehensively against such attacks.

“When I shared the exploitation with the Chrome security team and the product security team, everyone at that point was ‘OK, wow, it’s very clear that this is the impact,’” said Stephen Röttger, security engineer at Google. “Based on that, we’ve made a lot of decisions to use more resources to implement Spectre defenses across our web frameworks.”

Over the past few years, Chrome and other mainstream browsers have implemented a practice called "site isolation," which renders web pages separately and silos their data from one another. Since Spectre attacks all rely on prompting a processor at a convenient moment to leak data, site isolation makes it much harder for an attacker to seize the sensitive information they want, because the data no longer all flows through the processor in the same place at the same time. Browsers have also added related defenses that load the components of a single website separately (a company's own logo versus third-party ads, for example) and that prevent data from flowing in both directions between two pages when that reciprocity is not necessary.

This kind of defense cannot completely stop Spectre attacks. Rather, it reduces the chance that a bad actor could extract useful or private information from the processor if they launched such an attack. The proof of concept from Röttger and his colleagues reveals more nuanced ways in which browsers, including Chromium-based browsers like Microsoft Edge, can implement this kind of defense. It also highlights ways web developers can architect their platforms and applications differently to retain functionality while locking down user information even more strategically.
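The isolation defenses described above are expressed, on the server side, as HTTP response headers that tell the browser whether a page may share a process with, be embedded by, or be read by another site, and as Fetch Metadata request headers the server can use to refuse cross-site requests it never meant to serve. The following is an added example, not Google's code and not from the article: an audit function that flags a weak response header set beside a hardened one, and a request-side resource isolation check. The header names are the real standard headers (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, X-Frame-Options, Sec-Fetch-*); the two sample header sets are constructed for illustration, and the set of "accepted" values is this example's own choice.

```python
"""Audit response headers for cross-origin isolation and apply a
Fetch Metadata resource isolation policy to incoming requests.
Added example; the sample header dictionaries are constructed."""

# Response headers a browser consults before letting two documents share
# a process or letting one site read another's resources. The accepted
# values here are the strict settings this example chooses to require.
RECOMMENDED = {
    "Cross-Origin-Opener-Policy": {"same-origin"},
    "Cross-Origin-Embedder-Policy": {"require-corp", "credentialless"},
    "Cross-Origin-Resource-Policy": {"same-origin", "same-site"},
}


def _normalize(headers: dict) -> dict:
    """Header names are case-insensitive; compare everything lower-cased."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


def audit_headers(headers: dict) -> list:
    """Return findings for a response header set; an empty list means isolated."""
    lower = _normalize(headers)
    findings = []
    for name, accepted in RECOMMENDED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif value not in accepted:
            findings.append(f"{name}: {value!r} is not one of {sorted(accepted)}")
    # A framing restriction keeps a hostile page from embedding this one.
    csp = lower.get("content-security-policy", "")
    if "x-frame-options" not in lower and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")
    return findings


def is_request_allowed(method: str, request_headers: dict) -> bool:
    """Resource isolation policy driven by the Sec-Fetch-* request headers.

    Same-site traffic and direct navigations are allowed; cross-site
    subresource loads (images, scripts, fetches) are refused so that a
    hostile page cannot pull this server's responses into its own process.
    """
    h = _normalize(request_headers)
    site = h.get("sec-fetch-site")
    if site is None:
        # Browser too old to send Fetch Metadata; other checks must apply.
        return True
    if site in ("same-origin", "same-site", "none"):
        return True
    # Cross-site: permit only plain top-level navigations (link clicks,
    # address bar), never embedding via <object>/<embed>.
    return (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() == "GET"
        and h.get("sec-fetch-dest") not in ("object", "embed")
    )


# Constructed sample header sets: a typical unhardened page and a hardened one.
WEAK_RESPONSE = {"Content-Type": "text/html", "Cache-Control": "no-store"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "OK")
    cross_site_image = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                        "Sec-Fetch-Dest": "image"}
    print("cross-site image load allowed:", is_request_allowed("GET", cross_site_image))
```

The audit is a starting point, not a verdict: as the article's sources note, which pages can safely opt into `same-origin` opener and resource policies depends on what a given application legitimately shares with other sites, so each finding should be read against that application's own cross-site needs.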

“We think we’ve turned our heads over what developers need to do to protect themselves, and the number of things they need to do is not astonishingly large,” said Mike West, head of Chrome platform security and chair of the World Wide Web Consortium's web application security working group. “The real work, and the reason that browsers cannot do it on behalf of the developer, is that the decisions that have to be made are application specific. They are going to involve an analysis of the things your server offers to the internet, and the ways in which these things should be presented.”

Google is working through the W3C, an international standards body, to propose guidelines and best practices for browsers and web developers. The strategy has worked for Google before, as in its effort to promote massive initiatives such as HTTPS web encryption. But West acknowledges that it takes time to get the entire web community on board with these kinds of structural changes.
