
Issue 878508

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 29
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Spectre javascript PoC (in the wild) works on default chrome settings for latest

Reported by idel...@gmail.com, Aug 28

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Spectre (widespread issue with Speculative Execution) has been found to be active on the latest version of Chrome. This is using the SharedArrayBuffer 'Default' setting in chrome://flags.

This has an easy fix, and the default behaviour should probably be to disable shared array buffers by default in the settings. Ideally this should be forced, but I do understand if you don't - but I'm not quite sure what this would break.

VERSION
Chrome Version: 67.0.3396.87 (Official Build) (64-bit)
Operating System: Fedora Linux 27, 4.16.15-200.fc27.x86_64

REPRODUCTION CASE
I used the code from this github repo: https://github.com/ascendr/spectre-chrome
This was loaded into a local directory from which Chrome read the 'check.html' page.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N/A

Attachments: Screenshot_2018-08-28_19-49-53.png (120 KB), Screenshot_2018-08-28_19-44-37.png (82.5 KB)

PS: I was wondering if this would be a more workable solution: disable by default, and allow for selective re-enabling by checking if the source domain has CSP enabled? This would mean that XSS is effectively mitigated (assuming it is configured correctly), and so short of a website 'going rogue' you would have a significantly reduced risk of exploitation using Spectre by re-enabling SharedArrayBuffers.

Just an idea :P I'll have a think about it. 

Many thanks for your time, 

M.
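The reporter's proposal hinges on the CSP being "configured correctly". As an added example that is not part of this issue thread or of Chromium's own code, the Node.js snippet below shows the minimum a gate of that kind would have to verify: it parses a Content-Security-Policy header value, works out the effective script policy (script-src, falling back to default-src), and flags settings that leave XSS open: 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard or scheme-only sources, and the absence of any script restriction. The header values and function names are constructed for this example.

```javascript
// Added example (not from the issue or from Chromium): a minimal evaluator
// for the script policy carried by a Content-Security-Policy header value.
// All header strings below are constructed sample inputs.

// Parse "name value value; name value" into a Map of lowercase directive
// names to their source tokens. Per CSP, the first occurrence of a directive
// wins and later duplicates are ignored.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      // Keywords such as 'unsafe-inline' are case-insensitive; lowercasing
      // the rest is harmless because only prefixes and keywords are compared.
      directives.set(name, tokens.slice(1).map(t => t.toLowerCase()));
    }
  }
  return directives;
}

// script-src governs scripts; if absent, default-src applies; if neither is
// present the policy places no restriction on script execution at all.
function effectiveScriptSrc(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Returns { mitigatesXss, findings }. mitigatesXss is true only when no
// obvious weakening of the script policy was found. A plain host allowlist
// ('self' or a CDN) still passes here even though JSONP-style endpoints on
// an allowed host can undermine it; nonce/hash plus 'strict-dynamic' is the
// configuration that avoids that class of bypass.
function evaluateScriptPolicy(headerValue) {
  const sources = effectiveScriptSrc(parseCsp(headerValue));
  if (sources === null) {
    return { mitigatesXss: false, findings: ['no script-src or default-src: scripts are unrestricted'] };
  }
  const findings = [];
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const hasStrictDynamic = sources.includes("'strict-dynamic'");

  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
  // present, so it is only a finding on its own.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' permits inline scripts (no nonce or hash override)");
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits eval() and similar string-to-code sinks");
  }
  // With 'strict-dynamic', host and scheme sources are ignored, so they only
  // matter when it is absent.
  if (!hasStrictDynamic) {
    for (const s of sources) {
      if (s === '*' || s === 'http:' || s === 'https:' || s === 'data:') {
        findings.push(`wildcard or scheme-only source ${s} allows scripts from any origin`);
      } else if (s.startsWith('*.') || s.includes('://*.')) {
        findings.push(`wildcard host ${s} allows scripts from any subdomain`);
      }
    }
  }
  return { mitigatesXss: findings.length === 0, findings };
}

// Constructed sample policies, from weak to strong.
const SAMPLE_CSP_HEADERS = {
  unrestricted: "frame-ancestors 'none'",
  inlineAllowed: "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com",
  wildcardHost: "script-src 'self' https://*.example.com",
  nonceBased: "script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'",
};

for (const [label, header] of Object.entries(SAMPLE_CSP_HEADERS)) {
  const result = evaluateScriptPolicy(header);
  console.log(`${label}: mitigatesXss=${result.mitigatesXss}`, result.findings);
}
```

The check is deliberately conservative about what it calls a mitigation: it reports only defects it can see in the header, and a policy that passes is a precondition for the gate the reporter describes, not proof that the site is free of XSS.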
Status: WontFix (was: Unconfirmed)
We believe site isolation to be the mitigation for Spectre in general, and the notion that XSS -> Spectre against a specific site-instance seems to be a secondary consequence of XSS. Given an XSS on the site itself, one can likely accomplish whatever is desired without the need for Spectre.

As such, we're still comfortable with the current shared array buffer policy.


Ok, no worries :) can I release a public advisory on the topic to raise awareness? I imagine people may want to fix this.

Many thanks for your time! M.
Sure, also note that https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md#Site-Isolation has more information about our responses to Spectre.
Ok, cheers! Many thanks for your time and help. A much clearer picture has been made of what you're looking for. :D

Many thanks! Hope you have a good week. :)

M.
Comment 6 by sheriffbot@chromium.org (Project Member), Dec 6

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
