Spook.js, a new technique to exploit Spectre vulnerabilities in Chrome

A group of researchers from American, Australian and Israeli universities has described a new attack technique that makes it possible to exploit Spectre-class vulnerabilities in Chromium-based browsers.

The attack, codenamed Spook.js, allows executing JavaScript code to bypass the site isolation mechanism and read the contents of the entire address space of the current process, that is, to access data from pages that are open in other tabs but handled by the same process.

Since Chrome launches different sites in different processes, practical attacks are limited to services that allow different users to host their pages. From a page in which an attacker can embed their JavaScript code, Spook.js makes it possible to detect other pages of the same site that the user has open and to extract confidential information from them, for example, credentials or bank details filled in by the autocomplete system in web forms.
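The "same site" grouping described above can be checked from the defender's side. This added example (not code from the article or the researchers) groups open URLs by site, taken here as scheme plus registrable domain, which is the unit Chrome's Site Isolation uses when assigning pages to processes. The hostnames, the one-entry suffix set and the simplified suffix matching (no wildcard or exception rules) are constructed assumptions.

```javascript
// Added example with constructed data. SAMPLE_SUFFIXES is a stand-in for the
// real Public Suffix List; wildcard and exception rules are not handled.
const SAMPLE_SUFFIXES = new Set(["example"]);

// Site = scheme + registrable domain (longest public suffix plus one label).
function siteOf(url, suffixes) {
  const { protocol, hostname } = new URL(url);
  const labels = hostname.split(".");
  // Candidates run from the full hostname down to the last label,
  // so the first hit is the longest matching public suffix.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      const start = Math.max(i - 1, 0);
      return `${protocol}//${labels.slice(start).join(".")}`;
    }
  }
  return `${protocol}//${hostname}`; // unknown suffix: host is its own site
}

// Return only the sites that are shared by more than one origin, i.e. the
// groups of pages that may end up in the same renderer process.
function sharedSites(urls, suffixes) {
  const bySite = new Map();
  for (const u of urls) {
    const site = siteOf(u, suffixes);
    if (!bySite.has(site)) bySite.set(site, new Set());
    bySite.get(site).add(new URL(u).origin);
  }
  const shared = {};
  for (const [site, origins] of bySite) {
    if (origins.size > 1) shared[site] = [...origins].sort();
  }
  return shared;
}

// Constructed tab list: two user-hosted pages on one hosting service.
const tabs = [
  "https://alice.hosting.example/profile",
  "https://mallory.hosting.example/page",
  "https://bank.example/login",
];
console.log(sharedSites(tabs, SAMPLE_SUFFIXES));

// If the hosting domain is itself a public suffix, every user subdomain
// becomes a separate site and no group is shared.
const hardened = new Set([...SAMPLE_SUFFIXES, "hosting.example"]);
console.log(sharedSites(tabs, hardened));
```

The first call reports both user subdomains under `https://hosting.example`; the second reports no shared site.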

Another application of the method is an attack on browser plug-ins: when an attacker-controlled plug-in is installed, it can extract data from other plug-ins.

Spook.js is applicable to any browser based on the Chromium engine, including Google Chrome, Microsoft Edge, and Brave. The researchers also believe that the method can be adapted to work with Firefox, but since the Firefox engine is very different from Chrome, the work of creating such an exploit is left to the future.

To protect against browser-based attacks that rely on speculative execution of instructions, Chrome implements address space segmentation: sandbox isolation allows JavaScript to work only with 32-bit pointers and splits memory into non-overlapping 4 GB regions.

To gain access to the entire address space of the process and get around the 32-bit limitation, the researchers used the type confusion technique, which makes the JavaScript engine process an object with the wrong type, making it possible to form a 64-bit pointer from a combination of two 32-bit values.

The essence of the attack is that by processing a specially crafted malicious object in the JavaScript engine, conditions are created that lead to the speculative execution of instructions that access the array. The object is selected in such a way that the fields controlled by the attackers are placed in the area where the 64-bit pointer is used.

Since the type of the malicious object does not correspond to the type of the array being processed, under normal conditions such actions are blocked in Chrome by the deoptimization mechanism of the code used to access arrays. To solve this problem, the type confusion attack code is placed in an "if" conditional block, which does not fire under normal conditions but runs speculatively if the processor mispredicts the branch.

As a result, the processor speculatively accesses the generated 64-bit pointer and rolls back the state after detecting the failed prediction, but traces of the execution remain in the shared cache and can be recovered using side-channel methods that determine the contents of the cache by analyzing the difference in access time between cached and non-cached data.

To analyze the contents of the cache despite the insufficient precision of the timer available in JavaScript, a method proposed by Google is used that tricks the Tree-PLRU cache eviction strategy used in processors and, by increasing the number of cycles, significantly increases the time difference between the presence and absence of a value in the cache.

The researchers have released a prototype exploit that works in Chrome 89 on systems with Intel i7-6700K and i7-7600U. The exploit was created using prototypes of JavaScript code previously published by Google to carry out Spectre attacks.

Finally, the researchers mention that they managed to prepare working exploits for systems based on Intel and Apple M1 processors, which can read memory at a speed of 500 bytes per second with an accuracy of 96%. The method is supposed to be applicable to AMD processors, but it was not possible to prepare a fully functional exploit.

Source: https://www.spookjs.com
