Security: Partial Spectre Exploit
Reported by alephres...@gmail.com, May 29 2018
Issue description

VULNERABILITY DETAILS

This is research we conducted for overcoming Spectre browser mitigations and exploiting it with the implemented mitigations in place. This POC is not a full Spectre exploit, as we weren’t able to access “secret” memory inside a speculatively executed branch, but we were able to time cache access and conclude whether some memory is in the CPU cache or not. We inserted memory into the cache based on a known value that was accessed inside a speculatively executed branch.

In the Chrome browser, Spectre mitigations were implemented both to disable the ability to understand whether a memory address is in the CPU cache or not, and to prevent access to “secret” data in speculatively executed branches. We show that although we can’t access “secret” data in speculatively executed branches, we can query the CPU cache state of memory that was affected inside a speculatively executed branch.

Reducing the timer resolution and adding jitter may be relevant for other cache attacks in the browser, but these mitigations added for Spectre specifically are only good at slowing down the attack and do not prevent it. As such, it seems that a mitigation that hurts the functionality required by a lot of JS applications/games can be considered for reverting or, if it is important enough, for hardening.

We plan to publish this research and would like to ask whether any fix will be implemented and, if so, to have a timeline for such a fix.

To activate the POC, please extract the attached archive and open the HTML file in the browser. Open the JS console for output and click the button. The code itself contains a lot of documentation regarding what it does and how it works. Please note that the attached code is intended to work on multiple types of browsers.

Regards,
Noam & Jonathan
Aleph Security

VERSION

Chrome Version: 66.0.3359.139
Operating System: OS X 10.13.4

Chrome Version: 66.0.3359.181
Operating System: Windows 10 Version 1709 (OS Build 16299.431)
May 29 2018
Indeed, we know that the mitigations are insufficient, and we do have a better solution on the way: Site Isolation. (See https://chromium-review.googlesource.com/c/chromium/src/+/1065147, which will probably land in the tree today.) Site Isolation is currently scheduled to be enabled by default on Desktop platforms in Chrome 67, and Android some time later. You can turn it on manually in earlier Chrome versions by going to chrome://flags/#enable-site-per-process and setting it to yes. And indeed, we do plan to re-enable full functionality when and where Site Isolation is on by default.

The comment in your code:

"""
 * This POC shows that while the performance.now() resolution reduction and jitter added as Spectre mitigations are very effective at slowing
 * down Spectre exploits, they do not actually help to prevent them. The actual prevention is done by index masking and/or process site isolation.
"""

is in line with our expectations. When are you going to publish?
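The clock attenuation that both sides of this exchange refer to (reduced performance.now() resolution, plus jitter) is something a defender can check for directly. The following is an added example, not code from the report's PoC or from Chromium: it estimates a clock's effective resolution from the smallest positive step between consecutive readings, and runs that estimator against a constructed, quantized clock that models attenuation. The 0.1 ms grain, the synthetic step size and the function names are assumptions made for illustration, not values taken from the thread.

```javascript
// Added example (not from the report's PoC or from Chromium).
// Estimates the effective resolution of a clock function and compares a
// fine-grained clock with a constructed, quantized ("attenuated") one.

// Real high-resolution clock in milliseconds (global performance on modern
// Node.js/browsers; process.hrtime as a fallback for older Node.js).
const realNow = typeof performance !== 'undefined'
  ? () => performance.now()
  : () => Number(process.hrtime.bigint()) / 1e6;

// Smallest positive difference between consecutive readings of `now()`.
// Returns Infinity if the clock never advanced during the sample run.
function estimateResolutionMs(now, samples = 50000) {
  let smallest = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    const t = now();
    const delta = t - prev;
    if (delta > 0 && delta < smallest) smallest = delta;
    prev = t;
  }
  return smallest;
}

// Constructed clock that advances by a fixed step on every call, so the
// estimator can be exercised deterministically (assumption: not a real timer).
function syntheticClock(stepMs) {
  let t = 0;
  return () => { t += stepMs; return t; };
}

// Model of clock attenuation: readings are rounded down to a grid of
// `grainMs`. The 0.1 ms default is an assumption chosen for illustration;
// Chrome's mitigation additionally added jitter, which this model omits.
function attenuatedClock(base, grainMs = 0.1) {
  return () => Math.floor(base() / grainMs) * grainMs;
}

// Estimated resolution of a clock and of its attenuated form, side by side.
function compareClocks(base, grainMs = 0.1, samples = 50000) {
  return {
    fineMs: estimateResolutionMs(base, samples),
    attenuatedMs: estimateResolutionMs(attenuatedClock(base, grainMs), samples),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // On an unattenuated runtime the fine value is far below 0.1 ms, while the
  // attenuated reading cannot resolve anything finer than the grain.
  console.log(compareClocks(realNow));
}
```

Pasting the estimator into a browser's JS console with performance.now() as the clock shows whether a given build is still shipping the attenuated timer. Two caveats follow from the thread itself: jitter makes naive minimum-step estimates unreliable (random sub-grain positives appear), so the quantization-only model above is the deterministic case, and, as both the reporter and the Chromium response state, a coarse clock only slows timing measurements down; the structural fix is Site Isolation, not the timer.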
May 30 2018
Thanks for the fast response. We are still waiting for other browser vendors to respond, we'll keep you updated on the publish date as soon as they respond.
May 30 2018
Hello, I had a peek at the code provided. We're aware of timer amplification techniques similar to that provided in the PoC. As Chris says, we (including the other browser vendors, as we have regular communication with them regarding Spectre attacks) are aware that timer mitigation techniques are insufficient. Site isolation is our newest line of defense for these types of attacks and is rolling out as we speak :)
Jun 1 2018
palmer: Could you help assign a severity and impact labels once again? :)
Jun 12 2018
Hi, Thanks again for the prompt responses. We plan to publish this research in 2 weeks from now, on June 26th, unless this conflicts with any planned specific fix for this issue? I understand it is considered a low severity issue which is not planned to be specifically addressed with a fix. Is that correct? Regards, Jonathan
Jun 12 2018
#9: I don't see a conflict, no. Our planned fix is Site Isolation, and it's shipping in current Stable (67; desktop platforms only) and it looks like we won't have to roll it back. Which is good! On Android, we will retain the clock attenuation until we get Site Isolation on by default there, too. We feel OK with the documented limitations of clock attenuation, and it sounds like our documentation is in line with yours on that.
Jun 29 2018
This is public now at https://alephsecurity.com/2018/06/26/spectre-browser-query-cache/. Nice work! Marking this bug allpublic since it is. I don't think there's anything left for us to do but continue on with Site Isolation, and we can't get rid of enough clock precision to really win that way. For that reason I'm going to WontFix this. Thanks again for the report!
Jul 3
Issue 859832 has been merged into this issue.
Comment 1 by creis@chromium.org, May 29 2018