Some of the protections against the Spectre CPU vulnerability introduced in modern browsers can be defeated, security researchers revealed this week.
According to research published by Aleph Security on Tuesday, the company’s researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser’s protected memory.
The browsers were running a version that received mitigations against such attacks, researchers said.
The Aleph team says their PoC bypassed Spectre mitigations and retrieved data from browsers such as Edge, Chrome, and Safari. They were not able to retrieve browser memory data from Firefox, mainly because of a different type of mitigation Mozilla had used for its browser.
Researchers bypass Spectre v1 in-browser protections
More precisely, researchers bypassed the in-browser mitigations introduced to fend off the Spectre v1 CPU vulnerability, the only one of the Meltdown and Spectre bugs that could be exploited via a web browser.
Variant 1: bounds check bypass (CVE-2017-5753) aka Spectre v1
Variant 2: branch target injection (CVE-2017-5715) aka Spectre v2
Variant 3: rogue data cache load (CVE-2017-5754) aka Meltdown
Variant 3a: rogue system register read (CVE-2018-3640)
Variant 4: speculative store bypass (CVE-2018-3639) aka SpectreNG
Back in January, when the first three Meltdown and Spectre flaws became known, browser makers introduced various types of protections inside their products.
Mitigations against Spectre v1 have been rolled out and incorporated in Firefox, Chrome, Chromium, V8, WebKit (Safari), Edge, and IE. Mitigations vary from project to project, but in short, they are:
1) Index masking of array objects
2) Site-Isolation feature in Chromium-based browsers
3) Disabling SharedArrayBuffer
4) Reducing precision of performance.now() timers
5) Adding jitter to the response of performance.now()
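As an added illustration of mitigation (1), and not code from the article or from Aleph Security's proof of concept, the JavaScript below places the bounds-checked array access that Spectre v1 targets beside an index-masked version; the function names and the exact masking form are illustrative and do not reproduce any engine's real code path.

```javascript
// Spectre v1 (bounds check bypass) pattern: architecturally this never returns an
// out-of-bounds element, but the CPU may speculatively execute the load with an
// out-of-bounds index while the branch is still being resolved, leaving cache-state
// side effects behind for a timing probe to observe.
function loadWithBoundsCheck(arr, index) {
  if (index < arr.length) {
    return arr[index];
  }
  return undefined;
}

// Branch-free clamp (illustrative rendering of index masking): the mask is all
// ones (-1) when the index is in bounds and 0 otherwise, so `index & mask` is
// either the original index or 0. The value reaching the load is therefore inside
// the buffer whichever way the branch is predicted.
function maskIndex(index, length) {
  const inBounds = (index >>> 0) < length; // unsigned compare also rejects negatives
  const mask = -inBounds | 0;              // true -> -1 (0xFFFFFFFF), false -> 0
  return (index & mask) >>> 0;
}

// Masked access: keeps the architectural check (out-of-bounds still yields
// undefined) but feeds only the masked index to the actual load.
function loadMasked(arr, index) {
  const safeIndex = maskIndex(index, arr.length);
  if (index < arr.length) {
    return arr[safeIndex];
  }
  return undefined;
}

// Defender's self-check: for every probed index, including negative and huge
// ones, the masked value stays inside a buffer of the given (non-zero) length.
function allMaskedInBounds(length, probeTo) {
  for (let i = -probeTo; i <= probeTo; i++) {
    if (maskIndex(i, length) >= length) return false;
  }
  return true;
}

// Constructed sample buffer; typed arrays are used because their bounds are fixed.
const sample = new Uint8Array([10, 20, 30, 40]);
console.log(loadWithBoundsCheck(sample, 2), loadMasked(sample, 2), loadMasked(sample, 9));
```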
Edge, Chrome, Safari protections defeated
But Noam Hadad and Jonathan Afek, two security researchers with Aleph Security, said they were able to find a way around the index masking mitigation (1), data timing mitigations (3 & 4) and jittered timer outputs (5).
The two put together proof-of-concept code —also shared on GitHub— that defeats the above mitigations and retrieves data from a browser’s protected memory —data that a malicious page should not be able to access under normal circumstances.
“In [our] research we were able to show that even with the implemented Spectre mitigations, we were able to (1) read speculatively accessed memory in Chrome at around 1 bit per second; (2) Read accessed memory in Edge (not speculatively accessed) at around 1 bit per second; and (3) read accessed memory in Safari (not speculatively accessed) at around 1 bit per second,” Hadad and Afek said.
“We were not able to use these techniques in Firefox, as they recently reduced the timer resolution to 2ms,” the researchers said.
Data that can typically be stolen with Spectre v1 attacks includes information shared by different pages and browser processes, such as HttpOnly cookies, cookies of other origins, saved passwords, and more.
Better mitigations needed
The PoC exfiltrates data at very slow speeds, but researchers did not develop it for offensive purposes. The research only probed the effectiveness of the Spectre in-browser patches.
“This research shows that while the timing mitigations implemented in different browsers are effective at dramatically slowing down Spectre-like attacks, they are not effective at preventing them,” the duo said.
“This means that more robust solutions are required, such as site-isolation and index masking,” Hadad and Afek recommended.
“These timing mitigations are hurting performance and functionality for some web applications, and taking into account their limited effectiveness, reverting them should be considered,” the two added.
Last week, Forcepoint researchers also warned that planned changes in the WebAssembly standard could accidentally negate some of the mitigations browser makers introduced in their browsers.