back to article Google emits data-leaking proof-of-concept Spectre exploit for Intel CPUs to really get everyone's attention

Google on Friday released proof-of-concept code for conducting a Spectre-based attack against its Chrome browser to show how web developers can take steps to mitigate browser-based side-channel attacks. The code, posted to GitHub, demonstrates how an attacker can pull data from device memory at speed of 1kB/s when running on …

  1. bazza Silver badge

    Huh?

    I though we all knew Spectre-based attacks were real pretty much as soon as El Reg published their story, all the time ago. Didn't we?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Huh?

      IMHO this is what happened: we reported upcoming OS patches to work around design flaws in today's processors -- Intel's Meltdown being the worst as it was easy to exploit.

      Everyone went wild. Markets, media, analysts, vendors. Things were patched before they were exploited. It reminded me of Y2K. In the end, very little went wrong because of all the work beforehand, leading some to say it was a load of hype. I see the same for Meltdown+Spectre.

      The obvious Meltdown and Spectre flaws were addressed early on. But as we wrote in early 2018, Spectre will continue to haunt the computer industry for a decade or more as the family of bug is quite large. Google's pointed out that there's still work to be done on the web front-end side, and so released this PoC exploit to make web devs wise up.

      There are exploits for Spectre out there but they tend to be in expensive toolkits (Immunity Inc's Canvas IIRC). Now here's one for free.

      C.

      1. bazza Silver badge

        Re: Huh?

        I suppose it comes down to how prevelant Spectre based exploits are in the wild. Though I'm far from convinced that giving a working Web based one away for free to anyone who wants it is actually going to be of material benefit to the rest of us. Probably the complete opposite in fact. Isn't it like dropping a zero day on to the entire Web?

        Whilst we have caches, non uniform memory and multitasking we're probably always going to have some vulnerability to code running on the platform. Getting rid of daft ideas like Javascript in Web pages is probably the only way we're going to get to a point where no one is running code they didn't explicitly install themselves. Javascript is just a lazy way of avoiding server side execution. And why should a Web page need a timer anyway?

        1. ThatOne Silver badge
          Devil

          Re: Huh?

          > Isn't it like dropping a zero day on to the entire Web?

          It definitely is: It's making a complicated, grown-ups exploit script-kiddie-friendly, while the potential victims have no means of protecting themselves.

          Don't they? Oh wait, I forgot, apparently they'd be safe if they only use Google programs!... That's textbook blackmail. "Nice computer you have there. A pity if something happened to it, so come to uncle Google and get out of those panties..."

    2. Blazde Silver badge

      Re: Huh?

      I think a lot of people believe making the timers coarser was enough of a mitigation so this neat way of controlling the cache evictions is a welcome reality check that it's not. As long as the side-channel signal is there it will be statistically measurable, and stealing small secrets like password and keys will be practical even with an extremely low bandwidth leak.

      (The recent Aspelmeyer Group measurement of the smallest gravitational force so far between two tiny gold spheres and their expectations for huge further improvements is another cool case study in this phenomenon).

  2. Anonymous Coward
    Anonymous Coward

    Huh 2?

    In order to attack you, they have to run code on your machine don't they? But everyone runs NoScript don't they? So how does this work? Surely everybody knows never to run downloaded code?

    1. diodesign (Written by Reg staff) Silver badge

      "But everyone runs NoScript don't they"

      Absolutely not. The vast, vast majority of people have JS on. Depending on country, we're talking fractions of percent to 2% tops have JS disabled through one way or another.

      C.

      1. sbt Silver badge
        Alert

        Re: JS disabled

        Yeah, it's going to be a while before Web 3.0 (or is it 4.0?), where there's no client code, just CSS. Maybe doable once bandwidth increases such that round-trip times are quick enough and browsers can standardise in signed code in the application the little page interactions that scripts cover but which seems to always need to be supplied by the site server.

        1. E 2

          Re: JS disabled

          And even then it will be hard to kill off Javascript in web browsers as there is an enormous installed base of it. Killing it off will be as extended a process as killing off Flash was.

          1. sbt Silver badge
            Childcatcher

            Re: ... as extended a process as killing off flash was.

            If you or somebody you know has been affected by the contents of this comment, help is available...

    2. gnasher729 Silver badge

      Re: Huh 2?

      Mostly JavaScript which gets compiled to native code.

  3. Lorribot Silver badge

    Most web developers would not understand this or even care, they too busy delivering.

    Google lives in a corporate world with change control and one person who understands this is importnat. the 300,00 web deveopers in the world don't give a shit as long as they get paid.

    Google needs to target the people paying web developers to ask questions and give them tools to test code.

    1. Brewster's Angle Grinder Silver badge

      "Google needs to target the people paying web developers..."

      Who'll say they can't afford to splash out on these things or that, if they did, the customers wouldn't pay the price. (Where the price to consumer may well be "free".)

    2. ThatOne Silver badge

      > web developers in the world don't give a shit as long as they get paid

      Came here to say exactly that. Nobody will ever even try to fix that, because there is nothing in for them, not to mention it would imply to change all and every program anybody uses.

      While the novelty-hungry fashion victims out there obviously won't see the problem with that, it's not them who do the real work. Real working people usually have dozens of old-yet-vital programs, most of which don't and won't have updates, or they simply can't afford to upgrade everything in those remarkably prosperous times.

  4. Arthur Daily

    Just fix the CPU's - Still not done

    To the armchair commentators, mitigation did not work. It is a big dangerous hole, and clever foreign powers will be looking for, or already have several weakest links. Maybe it keeps schoolkiddies from playing. Don't forget about the management engine, ot the cpu's in peripherals that can be deployed. There are thousands of DRIVERS out there, unchanged or unmitigated as we like to say, pre flaw discovery. Fixes for older and not so old motherboards - did NOT come either. I expect quite a few biggies (security CVE's 9+) to come out over the next few years.

    1. ecofeco Silver badge

      Re: Just fix the CPU's - Still not done

      That would be nice, but have you forgotten the golden rule of capitalism? Privatize the profits, socialize the losses? Anything else is just crazy eebil commie talk!

  5. This post has been deleted by a moderator

  6. ST Silver badge

    Tried all exploits, none worked. Yawn.

    Linux xxxxxxxxxxx.xxxxxxxxxxxxxx.xxx 5.10.20-200.fc33.x86_64 #1 SMP Thu Mar 4 13:18:27 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

    [Fedora 33 x86_64]

    Based on the results submitted the attacks appear to only work on Windows. All the Linux results reported "No, did not work". Same here.

    Stop using Windows.

    1. IGotOut Silver badge

      Re: Tried all exploits, none worked. Yawn.

      Can you read as well as code? Let me answer that for you, no.

      From the linked article.

      "We've confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations"

      And even if you were to busy mashing the keyboard to prove Linux is the greatest thing since the discovery of fire making, you could of at least bother to read The Reg's article properly. Maybe the bit about working on Apple's ARM processor may of given you a clue? No?

      So go back, read, comprehend.

      1. ST Silver badge
        Mushroom

        Re: Tried all exploits, none worked. Yawn.

        > "We've confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations"

        I am very happy they confirmed. Really.

        However, the test results submitted to the vulnerability POC website do NOT confirm the above confirmation. They are, in fact, pretty clear: Linux isn't vulnerable, Windows is, and a very small percentage of other operating systems where the users had no clue what they were doing and didn't understand a single thing. Also known as Mac users.

        Why don't you check the facts instead of believing everything you read at ElReg.

        Now go back and hyperventilate about Spectre. Makes you sound really knowledgeable.

        1. Tomato Krill

          Re: Tried all exploits, none worked. Yawn.

          Surely all you’ve demonstrated is that your environment isn’t vulnerable? OS, processor architecture etc combination.

          Or did I misread and you’ve tried every release of every district in a comprehensive combination of architectures?

          1. Anonymous Coward
            Anonymous Coward

            Re: Tried all exploits, none worked. Yawn.

            Or potentially they just proved they were unable to run the proof of concept code and their environment is vulnerable?

          2. ST Silver badge
            FAIL

            Re: Tried all exploits, none worked. Yawn.

            > Or did I misread and you’ve tried every release of every district in a comprehensive combination of architectures?

            Yes, you misread. That's the best-case scenario. Worst-case, you can't read and/or can't understand English.

            I can't fix that. Only you can.

      2. John Brown (no body) Silver badge
        Headmaster

        Re: Tried all exploits, none worked. Yawn.

        "read, comprehend."

        Could of, may of :-)))

    2. Brewster's Angle Grinder Silver badge

      Re: Tried all exploits, none worked. Yawn.

      While Linux may have better mitigation, it's more likely down to the difference in processor. AMD chips, for example, are more resistant.

      1. ST Silver badge

        Re: Tried all exploits, none worked. Yawn.

        >AMD chips, for example, are more resistant.

        Yes, possibly.* But this assumes some CPU choice skew among Linux users. IOW Windows users would clearly prefer the vulnerable chips over Linux users who would prefer the less vulnerable ones.

        I don't know if that's the CPU choice distribution in real life. As a single-point, statistically irrelevant example, I'm typing this on an Intel chip, not AMD. Supposedly I should be toast.

        -----

        [*] AMD's claim about being less vulnerable to Spectre compared to Intel is just a claim.

    3. ragnar

      Re: Tried all exploits, none worked. Yawn.

      You're really bad at reading comprehension. The exploit was developed on Linux. And the page specifically says it's not designed to test whether your machine is vulnerable:

      "It was developed and optimized for Chrome 88 running on an Intel® Core™ i7-6500U processor on Linux. While it was confirmed to work on other CPUs (different vendor and/or generation), operating systems and Chromium flavors, you might have to adjust the configuration and it might work less reliably (or not at all). Note that the goal of this proof of concept is to demonstrate the feasibility of a web-based Spectre exploit. It is not a test to see if your device is vulnerable or not."

      1. ST Silver badge

        Re: Tried all exploits, none worked. Yawn.

        > [... ] it's not designed to test whether your machine is vulnerable

        Awesome then! It's not designed to prove the Spectre vulnerability, or to test whether your machine is vulnerable or not. And it might not work reliably. Or at all.

        But, please don't forget to run around screaming with your hair on fire: OMG! Spectre!

        So what is it designed for then? Remote identification of Internet Drama Queens?

  7. amanfromMars 1 Silver badge

    Virtual WMD Developments ... Well, that Quantum Leap is One Small Step for AI and IT

    The Google engineers say they also developed other PoCs with different properties that they aren't releasing. One, they claim, is capable of leaking data at a rate of 8kB/s, though that accelerated pace comes at the cost of diminished stability...

    'Tis an interesting cost/benefit analysis to ponder whenever the accelerated pace of those ones also deliver increasingly excessive volatility in a commanding control led environment. It is though no wonder they wouldn't be releasing those Proofs of Concept, for it's a veritable flash crash/fast cash cow of an Easter egg which everyone would be wanting to exercise and milk/bilk, and with more that just a chosen few determined to try and corner the market in order to render to them an extraordinary overwhelming exclusive positive advantage.

    I thought Google weren't into the Universal/Global Arms Race Market and yet here they are with something quite AWEsome .... and more than just alien in form for conventional defence and traditional military forces and sources to be supplied with in order not to be totally disengaged and helpless against future novel activities such as ACTive Abiding Astute Zer0day Hostilities against Systems Deaf Dumb and Blind and Brain Dead to Radical Fundamental Base Change.

    Now ..... should that not have been the case that Google engineers discovered, then it sure as hell is one already in a development with/for A.N.Others.

    1. amanfromMars 1 Silver badge

      :-) Money well spent indeed whenever one knows into whose private and personal accounts to lodge it.

      Not knowing that creates more colossal and complex catastrophic problems made impossible to resolve without such a simple action.

      A new Artificial Intelligence agency is meanwhile set to develop autonomous weapons systems.

      Stressing the importance of data in future conflicts, a senior Whitehall source said: “What’s certain is that the future will be about cyber, space, AI.”

      An MoD spokesman said: “As threats change our Armed Forces must change and they are being redesigned to confront future threats, not re-fight old wars. The Armed Forces will be fully staffed and equipped to confront those threats. .......... https://www.telegraph.co.uk/politics/2021/03/12/80bn-equipment-revealed-defence-review-tanks-jets-drones-hovering/

      How very odd then that so much is being spent/wasted on a current physical arms re-fit to re-fight old wars style. It just doesn't make common sense, although that is hardly surprising to the many who listen to all that is shared for media to report as news as opposed to entertainment.

      'Tis a common human failing that, ... a complete lack of future common sense .... and a systemic vulnerability to exploit and export and enjoy by virtue of excessive enrichment.

  8. Warm Braw Silver badge

    In other news...

    The Today programme was interviewing someone this morning about the recent exploits of Microsoft Exchange. His suggestion towards the end of the interview was that businesses should consider whether running services on-premises now required too much security expertise for most of them and that they would be better off with cloud provision.

    I'm just not sure it's sustainable to have a situation in which web application developers (who more than most suffer from "gratuitous include syndrome") are being advised to code defensively against CPU vulnerabilities and businesses are being told that computers are essentially too dangerous to be kept on site.

    It's a relatively small number of people that fully understand the nature of these vulnerabilities and have the ability to investigate and mitigate them. Of the people who might have that capability, few are likely to sign up voluntarily for what is frequently an exceptionally tedious and thankless task. If the future of "secure computing" depends entirely on this small pool of experts to fight fires, we might as well all publish our passwords online now.

    1. amanfromMars 1 Silver badge

      Re: In other news...

      It's a relatively small number of people that fully understand the nature of these vulnerabilities and have the ability to investigate and mitigate them. .... Warm Braw

      And methinks, Warm Braw, having more fully understood the nature of such vulnerabilities more than just a relatively small number of those folk would be successfully tempted to take a well cloaked walk on the wild, dark side and make a quiet fortune or two or three ....

      After all, such is surely to be certainly expected for that would be only human of them when engaged in business for profit, you know, extra money for nothing tangible, an apparent reward for really just knowing what needs to be done .... and which ideally cannot be done by anyone else. That can prove extremely lucrative.

      1. Warm Braw Silver badge

        Re: In other news...

        That would be the classical economic theory. Things work out a little differently in practice. If you make a job sufficiently financially-rewarded that people can live comfortably by working fewer hours, a proportion will do that. Some will work part-time, others will simply have shorter careers and move on. The more arduous/tedious the task, the higher the proportion.

        Hence many (if not most, now?) GPs work less than a full week; headteachers who have older and more generous pensions are retiring early. Giving people financial incentives can have peverse effects (at least as far as the source of the finance is concerned).

    2. amanfromMars 1 Silver badge

      Re: In other news...

      Talking of traditional and conventional home-grown on-premises security expertise v. any novel and relatively alien cloud provision technologies, ..... of which there would appear to be an expanding number quite bereft of either effective covetous competition or zealous opposition, ..... raises the spectre and introduces the opportunity for an old familiar frenemy to exercise it attractions and demonstrate, or not be able to demonstrate as the case can be, its capturing of technology and hearts and minds abilities, with the following few words being indicative of the current, present running situation ??? ‽ ‽ ! !

      While most people were dazzled by the bounty of China’s economic boom, Chen [Qiufan] was ambivalent. In his first short story, “The Bait,” which he wrote as a precocious high schooler, aliens arrive on Earth, give humans an invaluable new technology, and eventually enslave them with it. ...... https://www.wired.com/story/science-fiction-writer-china-chen-qiufan/

      :-) I wonder if the new frenemy is better at tending to order than the old technology with the award of rewards that fences pretty printed paper counterfeit goods/accepts and supplies fiat currency as a simple meme and very convenient means for global population control with massive remote command?

      :-) However, should it/they/new frenemies even simply allow it to continue virtually unscathed and practically unattacked by a hostile force with their gracious acceptance of perfectly timed, and extremely excessive and generous judiciously gratuitous investments, would it be a classy win win and classic temporal resolution for an Earthly problem ....... and as I'm sure some may point out, not at all unknown or not to be fully expected, copying/mimicking/counterfeiting as it does ye olde business model of Danegeld.

      Those who would disagree would cite, methinks, and recite https://en.wikipedia.org/wiki/Dane-geld_(poem) and in so doing invite and suffer the slings and arrows of outrageous misfortune, Doom and Gloom and FUD.

  9. Anonymous South African Coward Silver badge
    Mushroom

    About time too

    It is time to get out of IT.

    Let the younger guys run the show while the older guys ride off into the sunset, off to do sheep/alpaca/goat/chicken/ostrich farming.

    After all, there is less stress that way, no Bossly Units who tend to scream at you and no pesky Exchange servers to keep on patching.

    1. IGotOut Silver badge

      Re: About time too

      Git out 3 years ago. Best choice I made.

      Less money, better life.

    2. nematoad Silver badge
      Thumb Up

      Re: About time too

      Aye, I'll go along with your sentiment.

      I retired six years ago now and I must say that I don't miss all the pressure, late night sessions on conference calls and being on call every other week.

      It was good whilst it lasted and I loved the job but now that I am away from all of that I realise that there are other things in life. I'm not sure about the ostrich farming but being my own boss does have its compensations even if my income is a lot lower now than it was and I am away from the baleful influence of IR35.

  10. Paul Crawford Silver badge

    Precision timer?

    Perhaps I am nieve here, but WTF do you need microsecond resolution for on a web page?

    Having milliseconds with random dither (so it really is +/-0.5ms variability) might not stop it, but it sure seems a means to make it too much hard work to be practical?

    Genuine question here.

    1. zb42

      Re: Precision timer?

      Emulators?

      I like to occasionally play the 48K Spectrum version of Manic Miner in a browser.

    2. sitta_europea Silver badge

      Re: Precision timer?

      Naïve.

      The obvious reason for anybody on the Web doing anything that you don't understand is to make money. In this as in most other cases, I don't know how (and I don't care - I'm one of the few with scripting blocked for almost everything).

    3. ThatOne Silver badge
      Unhappy

      Re: Precision timer?

      > WTF do you need microsecond resolution for on a web page?

      To be part of the cool kids. Somebody, many years ago, decided that the browser would be the new OS, and since everybody has hopped on the bandwagon, just "because we can".

      And to be able to shoehorn a full desktop application inside a browser, you need to give it all the handles and rights a local program would have. Except the local program is installed and controlled by you, while the remote one is installed and controlled by someone you don't know, don't trust, and who most likely hasn't your well-being in mind.

    4. You aint sin me, roit Silver badge
      Trollface

      Re: Precision timer?

      How else am I going to get accurate performance stats on the crypto miners I'm running on your machine?

  11. Jamie Jones Silver badge
    Coat

    Do-be-do-be-doo

    Do-be-do-be-doo

    In spectre gadget,

    Do-be-do-be-doo be-doooo!

    (I can't have been the only one?)

    1. DJV Silver badge

      Re: Do-be-do-be-doo

      Nope, I came here to post the same thing but you beat me to it!

  12. Anonymous Coward
    Anonymous Coward

    easy to avoid?

    Just avoid using googs browser or intel chips? no problem here :)

    Seriously though, my last new rig I went with AMD for multiple reasons, this was one of them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021