On Friday, Google released proof-of-concept code for conducting a Spectre-based attack on its browser (Chrome). This was a way for the company to show how web developers can protect themselves from browser-based side-channel attacks.

The code was posted to GitHub. A closer look shows that an attacker can read data from device memory at a rate of 1 kB/s when the proof of concept runs on Chrome 88 on an Intel Skylake CPU.

The attack, it seems, should work on other browsers as well, even on those running on Apple’s Arm-based M1 chips. The code works by mounting a timing attack.

How it happens

The attacker measures how long a memory access takes and uses that to tell whether the target address was already in the cache (the access completes quickly) or had to be loaded from memory (the access is slow).

With this information, an attacker can use a Spectre gadget (described as a code structure in memory) to probe a JavaScript array and recover the cached data. The danger is that an attacker can exfiltrate sensitive information such as secrets or keys.

Google also put up a webpage that shows the side-channel data leakage. You can view it here.

More on how it works

The Spectre vulnerability was disclosed to the public back in January 2018. It exploits weaknesses in CPU design that let an attacker steer the program's control flow while the CPU is speculatively executing the instructions that follow.

For instance, a CPU may wrongly speculate that a bounds check passes, even though the speculated path then performs an out-of-bounds memory access.

Even though the CPU state is rolled back once the misprediction is noticed, the speculative access leaves side effects (such as changes to the cache) that can leak data to an attacker.