Security: Spectre PoC and test in Chrome 88 browser

[German]Google published a proof of concept (PoC) this week on how the Specte vulnerability can be exploited via JavaScript in the Chrome browser. Hence, some information and a little gimmick on how to test it.


Advertising

The Spectre vulnerability

It was the security topic par excellence that kept us busy in May 2018. Researchers, among others from TU-Graz, had discovered mechanisms to execute attacks on actually protected memory areas in computers and read out information. This is based on the theoretical principles that are known as Meltdown and Spectre in various research documents (from the University of Graz, among others).

  • Spectre  (variants 1 and 2): This breaks the isolation between different applications. It allows an attacker to trick bug-free programs that follow best practices into revealing their data. In fact, best practices security checks actually increase the attack surface and can make applications more vulnerable to Spectre. This vulnerability exists on all CPUs, according to current knowledge.
  • Meltdown (Variant 3): This breaks the basic isolation between user applications and the operating system. This attack allows a program to access the memory and thus also the data of other programs and the operating system. To the best of our knowledge, this vulnerability only exists on Intel CPUs.

The PDF documents concerned can be accessed via the links. Information can also be found at meltdownattack.com.

Google presents proof of concept

Google has published a proof of concept (PoC) as JavaScript code to demonstrate the practicality of using Spectre exploits. These can target from web pages via the web browser to access information from a browser's memory or system. Colleagues at Bleeping Computer described the details in this article.

A test in Google Chrome 88?

I just came across a website via Twitter where someone is exploiting the Spectre vulnerability in CPUs in JavaScript to demonstrate the attack. Didn't want to keep it from you – in case someone wants to test their system.

Spectre Test


Advertising

All that is needed is a Google Chrome browser version 88 or higher (Edge should do as well) and JavaScript must be allowed. Just click on the image above to open this web page.  Then you can switch between the demo pages at the bottom via prev and next and start a test. The run button can be found in the left column when scrolling down. Is however everything from the descriptions in English held – and on my system I could determine with short tests nothing meaningful from my CPU memory. The attempts with the memory accesses ended with an error – my Quad-Core-CPU is probably too old for such a crap and rejected it all ;-).


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).