
I see that Chrome and Mozilla have added mitigations into their JavaScript engines for the Spectre vulnerabilities (CVE-2017-5753 & CVE-2017-5715). However, I can't find anything regarding JavaScript engines that run on the JVM, for example Rhino and Nashorn.

Is there any reason to think that these javascript engines are not capable of executing code that exploits the vulnerability?

Thanks

Jamesy82
  • FWIW, the JS exploits I've seen use the browser timing API, which is not present on Rhino (not sure about Nashorn, but I'm doubtful). There might be another proprietary hi-res timer API available to them, not sure, but they are also a LOT slower than the JIT engines browsers/Node.js run, so they might not have enough raw oomph even with a fast timing API. – dandavis Jan 05 '18 at 20:18

2 Answers


Exploiting Spectre (and Meltdown) requires the ability to time things with reasonably high precision (on a modern CPU, in the tens of nanoseconds range). Javascript engines that don't do JIT compiling don't provide the precision needed to do this.

Mark

The current JavaScript engine in OpenJDK is interpreted, which makes these kinds of attacks difficult. The speculative execution is limited and the timings to detect the cache change are tight. It doesn't seem a high-bandwidth attack in the best of cases.

However, expect to be surprised. The speculative execution could happen in one step without going back to the JavaScript. As JavaScript has relatively free rein over the Java library, perhaps there's something in there that could do the timing as a side effect.

On the third hand, if I was developing an exploit for fun or profit (I'm not), I'd choose a much easier and worthwhile target.
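Both answers turn on what timer the engine exposes. As an added example (not from the thread or any of its authors), this Node.js script estimates the smallest step a clock function reports, comparing the millisecond Date.now, the unclamped high-resolution timer, and that timer clamped to 100 µs in the way browsers coarsened performance.now after Spectre; the 100 µs quantum and the sampling loop are the example's own choices, and it assumes a Node.js runtime (under Nashorn the comparable clock would be whatever Java method the script can reach, which is the second answer's point).

```javascript
// Added example, not from the thread. Estimate a clock's effective resolution
// by sampling it in a tight loop and keeping the smallest non-zero step between
// successive readings. A cache-timing probe of the kind Spectre relies on must
// resolve differences of tens of nanoseconds, so a clock whose smallest step is
// 1 ms cannot serve it, and clamping a high-resolution clock degrades it.
const perf = globalThis.performance ?? require('perf_hooks').performance;

function estimateResolution(clock, ticksWanted = 50, maxIterations = 5e6) {
  let smallest = Infinity;
  let ticks = 0;
  let prev = clock();
  for (let i = 0; i < maxIterations && ticks < ticksWanted; i++) {
    const now = clock();
    const step = now - prev;
    if (step > 0) {
      ticks++;
      if (step < smallest) smallest = step;
    }
    prev = now;
  }
  // In the clock's own units (ms here); Infinity if the clock never advanced.
  return smallest;
}

// Clamp a clock to a fixed quantum, mirroring the browser mitigation of reducing
// performance.now() precision. The quantum is an illustrative choice; browsers
// also add jitter, which this simplified version omits.
function coarsen(clock, quantumMs) {
  return () => Math.floor(clock() / quantumMs) * quantumMs;
}

// Compare three clocks an engine might expose: a millisecond wall clock, an
// unclamped high-resolution timer, and that same timer clamped to 100 µs.
function compareClocks() {
  return {
    dateNow: estimateResolution(() => Date.now()),
    highRes: estimateResolution(() => perf.now()),
    coarsened: estimateResolution(coarsen(() => perf.now(), 0.1)),
  };
}

console.log(compareClocks());
```

The millisecond clock reports a smallest step of exactly 1, the clamped clock 0.1, and only the unclamped timer gets anywhere near the sub-microsecond range the first answer describes.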