2

If you have looked into this demo of Spectre in JavaScript: Did I get it right that only current site memory can be accessed, due to site isolation etc.? I saw there is also an addon to detect attacks (Spectroscope). Can somebody describe the potential impact of it? If I visit a site attacking me via Spectre and they can only get that site's info (site isolation), what is the threat?

Anders
dev

2 Answers

1

Received the answer from the original author about it:

"This attack only leaks the memory from the same process, not from the kernel.

There are two reasons why this can be an issue in practice:

  1. The javascript of https://foo.example.com and https://bar.example.com can run in the same process => one can leak memory from the other and

  2. The web allows you to include resources on your page from other origins (e.g. <img src=//example.com/foo.png>) which means these resources can end up in the attacker process as well. While the browsers have some default mitigations (same-site cookies, CORB), they can't block everything as it would break many existing websites. So for some resources, the website owners need to mark them as "don't allow including cross-origin" using CORP or fetch metadata."

dev
0

That is an incorrect assumption. Right from the Meltdown/Spectre website:

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.

A vulnerability in the CPU architecture (this is not a browser vulnerability) is not aware of or limited by arbitrary boundaries such as site isolation, as it is at a much lower level. Memory of other processes can be read, or even from the kernel. It is a major violation of the process isolation-based security model that many things rely on.

For more information, I recommend reading the above linked website, and the research paper. There are also plenty of ELI5 posts out there if that's too deep.

multithr3at3d
  • Thanks. Was interested more about the impact of a Spectre implementation with JavaScript (browser based). Theoretically you can leak secrets, but was wondering how feasible it is. I think in their PoC they leaked a JS Array from the website's own code. Wondering how hard it would be to leak something more secret. Memory allocation, spec ex ... seems still a very "if you get lucky" thing. Maybe I am wrong. Maybe we will see in the future. – dev Mar 16 '21 at 11:59
  • "Luck" doesn't matter too much when an attacker can just run it undetected in the background for hours and hours. Many vulnerabilities that rely on race conditions that are also dependent on "luck" can be feasible if it can be executed after several minutes/hours/seconds (depending on your attack scenario). – user Mar 16 '21 at 14:38
  • Don't want to play it down, it is a serious issue, but you would have to keep the malicious page open for hours. Extraction is at a speed of 1kB-8kB/sec in their PoC. Still you might get something. For me it is still not clear if browser-based Spectre can extract only from browser process memory or also from other processes. I think kernel memory is not affected. Anyway, finding something usable needs luck (time helps luck) – dev Mar 16 '21 at 19:28
  • After some research I think you can only dump browser process memory (including all sites data in it etc). Waiting for confirmation from Authors, if I get any – dev Mar 16 '21 at 21:46