It's been more than three years since researchers disclosed a pair of security vulnerabilities, known as Spectre and Meltdown, that revealed fundamental flaws in how most modern computer processors handle data to maximize efficiency. While they affect an astronomical number of computing devices, the so-called speculative execution bugs are relatively difficult to exploit in practice. But now researchers from Google have developed a proof-of-concept that shows the danger Spectre attacks pose to the browser—in hopes of motivating a new generation of defenses.
Researchers have never doubted that Spectre could be exploited for browser-based hacks. Every program running on a computer executes its instructions and crunches its data through the computer's processor and memory, making all of that information potentially vulnerable to speculative execution attacks. That includes browsers, which load data from web servers and then display the content on individual users' devices through a local feature called a rendering engine. A Spectre browser hack would essentially launch an attack from one web page a victim is visiting to grab data from other pages they have open. Such hacks could even be used to impersonate a target to pull down more of their data from web apps they're logged into.
In the years since the initial Spectre and Meltdown revelations, that specific type of attack has never been seen in the wild, and it was unclear how practical the method would be. Google's proof-of-concept against its own Chrome browser not only illustrates feasibility, but also hints at strategies for both browsers and web developers to guard more comprehensively against such attacks.
“When I shared the exploit with the Chrome security team and the product security team, at that point everyone was like, ‘OK, wow, it’s very clear this is the impact,’” says Stephen Röttger, security engineer at Google. “Based on this we made a bunch of decisions to put more resources into rolling out Spectre defenses across our web frameworks.”
Over the last few years, Chrome and other mainstream browsers have implemented a practice called "site isolation" to render web pages separately and silo their data from each other. Since Spectre attacks are all about inducing a processor to leak data at an opportune moment, site isolation makes it much more difficult for a hacker to grab the sensitive information they want, since the data isn't all flowing through the processor in the same place at the same time. Browsers have also added related defenses to load components of a single website separately (like a company's own logo versus third-party ads) and to block data from flowing in both directions between two pages when the reciprocity isn't vital.
These types of defenses can't stop Spectre attacks altogether. They instead reduce the chances that a bad actor could grab any useful or private information from the processor if they do launch such a hack. The proof-of-concept from Röttger and his colleagues reveals more nuanced ways that browsers, including Chromium-based browsers like Microsoft Edge, can implement these types of defenses. But it also highlights the ways that web developers could architect their platforms and applications differently to preserve functionality while locking down user information even more strategically.
“We think we have wrapped our heads around what developers need to do to protect themselves and the set of things they need to do is not astoundingly large,” says Mike West, head of Chrome platform security and cochair of the World Wide Web Consortium web application security working group. “The real work, and the reason that the browsers can’t do it on the developer’s behalf, is that the decisions that need to be made are application-specific. They’re going to involve an analysis of the things your server offers to the internet and the ways in which those things ought to be offered.”
Google is working through W3C, an international standards body, to propose guidelines and best practices for both browsers and web developers. The strategy has worked for Google before, as in its effort to help move the needle on massive initiatives like promoting HTTPS web encryption. But West acknowledges that it takes time to get the entire web community on board with these types of structural changes.
Other browser makers like Mozilla have been working on Spectre defenses as well over the last few years. Neha Kochar, senior engineering manager at Mozilla, says that as a result of these protections, Firefox would not be vulnerable to the proof-of-concept exploit Google researchers developed for Chrome.
“Nevertheless, having another demonstrable PoC of the Spectre exploit is definitely appreciated as it helps our open source community to build upon and find any other possible security improvements for all browsers,” Kochar says. “Mozilla joins Google in enthusiastically encouraging web developers to secure their sites with new web standards.”
Apple, which develops the Safari browser, says that an attack like the one demonstrated in Google’s proof-of-concept Chrome exploit doesn’t pose an immediate risk to macOS users. A spokesperson told WIRED, though, that the research is important for expanding the community’s understanding of these threats.
Mozilla, Google, and other major browser developers have already worked on a number of site isolation and data siloing standards—like a cluster known as CORP, COOP, and COEP—for browsers and web developers. Microsoft declined to comment; Apple did not provide a comment by press time.
Google's push for additional Spectre defense recommendations is still under preliminary consideration through W3C. Given that Spectre exploitation has not become a massive, endemic problem in the wild yet, community collaboration to get ahead of the potential exposure could avert mass exploitation issues later—a major contribution given how many such situations the incident response community is already facing.
Updated March 12, 2021 at 3:45pm ET to include comment from Apple.