
Is a system vulnerable where the only untrusted code is interpreted, JIT'd, or executed in a VM as bytecode?

Does it depend on the language? Compiler?

Or, do attacks depend on the attacker loading very specific, compiled instructions onto the machine?


As it's been pointed out, the JavaScript on a web page can theoretically perform an attack.

Is this because V8 and company generate specific machine instructions that can be carefully tailored? Are the vulnerabilities in the JITing? The VMs? Or can any Turing-complete language mount an attack? ... Where's the line?

svidgen

  • I would *love* to see an implementation of Spectre written in [Malbolge](https://en.wikipedia.org/wiki/Malbolge). – Mark Jan 05 '18 at 00:58

1 Answer


No, interpreted or JIT'd code is also vulnerable

According to multiple sources, the attack can be exploited via JavaScript in browsers. An excerpt from the Windows Blogs on Microsoft:

Today, Google Project Zero published details of a class of vulnerabilities which can be exploited by speculative execution side-channel attacks. These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker’s process.

From Chromium Security:

This research has implications for products and services that execute externally supplied code, including Chrome and other browsers with support for JavaScript and WebAssembly.

And from the Mozilla Security Blog:

Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes.

These days, JavaScript is quite advanced with the advent of things like Node.js and WebAssembly, and can arguably be considered lower level than it was in previous years.

The three aforementioned browser vendors have taken precautions against the vulnerability:

rink.attendant.6

  • Is there something about the way browsers compile code that enables this? I.e., can an attack be mounted because V8 and company all generate a very particular set of machine instructions? Or, can any Turing-complete language be used to mount an attack? ... where's the line? ... (OP is updated to reflect that question clarification.) – svidgen Jan 04 '18 at 19:05
  • JIT'd JavaScript is vulnerable, but I haven't seen anything to indicate that fully-interpreted JavaScript is. – Mark Jan 04 '18 at 19:16
  • Timing for interpreted (not JIT) languages is probably not high-resolution enough to time cache misses/branch mispredictions. Any language & implementation that allows high-resolution timing should allow some variant of these attacks. – David Jan 05 '18 at 00:37
  • The resolution reduction patches for browsers etc. were obsolete before they were introduced: one team just spawned a second thread doing the equivalent of `volatile uint64_t i; while (true) ++i;` for counting. – mirabilos Jan 05 '18 at 17:44
  • Re your last paragraph: Is there an equivalent link/bullet for Safari just yet? – Drux Jan 08 '18 at 21:43
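An added example (not code from the original answer or its comments) illustrating the timer-resolution reduction the comments discuss: it models a performance.now() clamped to a coarse grid and counts how often such a clock can still tell a fast event from a slow one. The 40 ns / 300 ns durations and the 1 ns / 20 µs clock granularities are assumed values chosen for illustration.

```javascript
// Added example (not from the original post): model the timer-resolution
// reduction browsers shipped after the Spectre disclosure and measure how
// much of a cache hit/miss timing difference survives the coarsening.
// All durations and granularities below are assumed values for illustration.

// Clamp a timestamp (in nanoseconds) down to a multiple of `granularityNs`,
// the way a coarsened performance.now() reports time on a fixed grid.
function coarsen(tNs, granularityNs) {
  return Math.floor(tNs / granularityNs) * granularityNs;
}

// Time two events of known true duration with the coarsened clock, both
// starting at the same offset within a grid interval. Returns true when the
// clock reports different elapsed times for them.
function separatedByClock(offsetNs, durationANs, durationBNs, granularityNs) {
  const start = coarsen(offsetNs, granularityNs);
  const elapsedA = coarsen(offsetNs + durationANs, granularityNs) - start;
  const elapsedB = coarsen(offsetNs + durationBNs, granularityNs) - start;
  return elapsedA !== elapsedB;
}

// Sweep the start offset across one whole grid interval and count how many
// positions let the coarsened clock tell the two durations apart. With a
// fine-grained clock every offset separates them; with a coarse clock only
// offsets close to a grid boundary do, so the count drops sharply.
function countSeparatingOffsets(durationANs, durationBNs, granularityNs, steps = 1000) {
  let separated = 0;
  for (let i = 0; i < steps; i++) {
    const offsetNs = Math.floor((i * granularityNs) / steps);
    if (separatedByClock(offsetNs, durationANs, durationBNs, granularityNs)) {
      separated++;
    }
  }
  return separated;
}

// Assumed figures: ~40 ns for an L1 cache hit, ~300 ns for a DRAM access,
// a 1 ns clock before mitigation and a 20 µs clock after it.
const CACHE_HIT_NS = 40;
const CACHE_MISS_NS = 300;
const FINE_CLOCK_NS = 1;
const COARSE_CLOCK_NS = 20000;

const before = countSeparatingOffsets(CACHE_HIT_NS, CACHE_MISS_NS, FINE_CLOCK_NS);
const after = countSeparatingOffsets(CACHE_HIT_NS, CACHE_MISS_NS, COARSE_CLOCK_NS);
console.log(`1 ns clock:  ${before}/1000 start offsets expose the difference`);
console.log(`20 µs clock: ${after}/1000 start offsets expose the difference`);
```

Coarsening lowers how often a single measurement exposes the difference but does not make it zero, which is consistent with the comment above that a counting thread was enough to restore a usable clock.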