Spectre Side-Channel Attacks Enabled by JavaScript in Browsers

Security teams around the world are parsing the flood of analysis about the side-channel attacks made possible by the Spectre and Meltdown vulnerabilities. Both vulnerabilities enable a range of attacks to compromise cached memory and have left developers, cloud hosting providers, chip makers, and others scrambling to deploy fixes as exploit code proliferates.

While much of the analysis has focused on operating systems, programs and processes, and how memory is allocated, web browsers have also been identified as a potential attack vector.

Owing to the multi-process architecture, it is possible to passively observe, record, and exfiltrate cached memory from sites and plugins within the same browsing session using JavaScript (JS) code. This scenario likely requires one of two things: either a compromised site, or a malicious site (or ad impression), accessed by the targeted user or users.

The Spectre research in particular concerns the use of malicious JavaScript code to mount a side-channel attack; the researchers tested “a JavaScript program that successfully reads data from the address space of the browser process running it.” So far they have tested it against the V8 JavaScript engine, showing that browser-level mitigations can be defeated and that the timing attack successfully compromised memory. Mozilla's own internal testing revealed the same outcome and calls for further testing.

Today, users can perform increasingly complex operations in browsers thanks to JavaScript and other advanced programming languages. With the revelation of Spectre, browsers are attack vectors because of how JavaScript code runs on a machine and allocates memory: JS code executes rapidly and must have direct access to manipulate raw binary data in typed arrays. Arrays are divided into buffers and views, and code executed on one site is typically able to access the array of another. Hence, one of Mozilla's mitigation measures is to disable SharedArrayBuffer. Elsewhere, disabling cross-domain JavaScript and CSS is seen as sound prevention, but the near-term challenge will be to implement adequate defenses without breaking websites.
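The two browser-level mitigations named in this paragraph, removing SharedArrayBuffer and coarsening the high-resolution timer that a timing attack depends on, can be checked from a page's own scripts. The diagnostic below is an added example, not code from the article, from Mozilla, or from any browser vendor; the function names, the Node fallback clock, and the 0.02 ms threshold used to call a timer "coarsened" are this example's own assumptions.

```javascript
// Added example (not from the original article): report whether two
// post-Spectre browser mitigations are in effect for the running script:
//   1. SharedArrayBuffer is not exposed to page JavaScript, and
//   2. the performance.now() clock has been coarsened.
// Runs in a browser console and in Node; names here are hypothetical.

// Resolve a millisecond clock. Browsers and modern Node expose
// performance.now(); older Node gets a hrtime-based fallback (assumption).
function getNow() {
  if (typeof performance !== 'undefined' && typeof performance.now === 'function') {
    return () => performance.now();
  }
  return () => Number(process.hrtime.bigint()) / 1e6;
}

// Estimate the smallest non-zero step the clock reports. For each sample,
// spin until the reported time changes and record the step; the minimum
// over all samples approximates the clock's granularity. A clamped timer
// shows a large minimum step; an unclamped one reports sub-microsecond steps.
// The spin is bounded so a frozen clock cannot hang the caller.
function measureTimerResolution(samples = 50, maxSpins = 1e7) {
  const now = getNow();
  let minStep = Infinity;
  for (let i = 0; i < samples; i++) {
    const start = now();
    let t = start;
    for (let spins = 0; spins < maxSpins && t === start; spins++) {
      t = now();
    }
    if (t !== start) minStep = Math.min(minStep, t - start);
  }
  return minStep; // milliseconds; Infinity if the clock never advanced
}

// Threshold for treating the timer as coarsened: 0.02 ms (20 microseconds).
// This is an assumption chosen for the example, not a vendor-published value.
const COARSE_TIMER_MS = 0.02;

// Summarise mitigation status. 'mitigated' is true only when both
// SharedArrayBuffer is absent and the timer step is at or above the threshold.
function spectreMitigationReport() {
  const sharedArrayBufferExposed = typeof SharedArrayBuffer !== 'undefined';
  const timerResolutionMs = measureTimerResolution();
  const timerCoarsened = timerResolutionMs >= COARSE_TIMER_MS;
  return {
    sharedArrayBufferExposed,
    timerResolutionMs,
    timerCoarsened,
    mitigated: !sharedArrayBufferExposed && timerCoarsened,
  };
}

// Usage: log the report so a developer can confirm the test browser's state.
console.log(spectreMitigationReport());
```

Run in a browser that has shipped the mitigations, `sharedArrayBufferExposed` is false and `timerResolutionMs` is well above a microsecond; in Node, or in a browser that has not yet been updated, SharedArrayBuffer is present and the timer step is tiny, so `mitigated` is false. The report is a diagnostic for developers verifying their test environment, not a measure of whether a given site is exploitable.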

Safari, Firefox, MS Edge, and Google Chrome are actively working to release new versions that make such attacks far more difficult to execute and that enable site isolation by default (or at least make it easier for users to do so). Patches, at least to begin with, will likely have limited efficacy and may carry additional computational costs. It is critical for developers to identify any vulnerabilities that would permit unauthorized parties to run JS code in their applications, and they should take additional measures, like those outlined by Google. Application owners and online advertising brokers will have a renewed interest in the sources of ads that are allowed to run on trusted sites. Users should exercise caution when allowing untrusted code to run on a visited site and should update their browsers as soon as possible.