Spring: Spectre Returning in the Browser with Speculative Load Queuing and Deep Stacks
Date
2022-05
Publication Type
Conference Paper
ETH Bibliography
yes
Abstract
There has been a substantial community effort in mitigating transient execution attacks in the web browser. Lightweight “catch-all” timer mitigations, deployed in all popular browsers, are presumed to raise the bar against these attacks. More heavyweight mitigations, such as pointer and array index masking, are deployed more selectively to further make such attacks impractical. How secure are browsers with these mitigations taken together? In this paper, we show that a combination of new techniques allows an attacker to employ Spectre-RSB and leak sensitive information from browsers that deploy all these mitigations. First, we show that queuing up many transient loads during a single speculation window and using repeated measurements enable cache covert channels, even with jittery, millisecond-precision timers. Second, we reverse engineer the newer RSB structure in Intel CPUs to find that deeper call stacks allow the attacker to hijack speculative execution for bypassing pointer and array index masking mitigations. Third, we show how an attacker can leverage memory massaging to reduce the entropy of the target secret’s memory address. Our end-to-end exploit, Spring, combines these observations to leak an access token from an unmodified version of Firefox. Our disclosure effort has led to a deployed mitigation in the latest version of the Firefox browser.
Publication status
published
Publisher
Workshop on Offensive Technologies
Event
16th IEEE Workshop on Offensive Technologies (WOOT 2022)
Organisational unit
09721 - Razavi, Kaveh / Razavi, Kaveh