Spook.js is a new transient execution side channel attack which targets the Chrome web browser. We show that despite Google's attempts to mitigate Spectre by deploying Strict Site Isolation, information extraction via malicious JavaScript code is still possible in some cases.
More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicous extension.
We deployed Spook.js on a Tumblr blog, targeting a password that was autofilled into Tumblr's login page by Chrome's built-in credential manager. We show that our blog can be rendered by the same Chrome process as the login page, and that Spook.js can consequently recover the password.
This time, we packaged Spook.js as a Chrome extension. We show that under certain conditions, multiple extensions may be consolidated and executed from the same process. We take advantage of this behavior to read the memory of the LastPass credential manager extension, and recover the master password of the target's vault.
No, you can continue using Chrome extensions. While we have found issues with Chrome's extension isolation, Spook.js is still relatively hard to mount and requires substantial side channel expertise. Moreover, in response to our work, Google has deployed changes to how extensions are laid out in memory, which prevents them from being affected by Spook.js. See the 'What countermeasures are available?' question for more information.
Modern processors improve performance by predicting if a branch in program code will be taken or not, especially if the branch's condition cannot be computed yet. If a processor predicts that a branch will be taken, it will speculatively start executing the instructions within the branch, even though it has not calculated the outcome of the branch. If the branch is actually taken, its instructions have been partially computed already, bringing in the performance benefits. On the contrary, if the branch is actually not taken, the processor attempts to roll back the instructions it speculatively executed.
The majority of attacks on computer systems take advantage of vulnerabilities in the algorithms they use. For example, they exploit bugs, buffer overflows or bad random number generators in order to break the security of the targeted system. In contrast, a side channel attack leverages the hardware of the system in order to attack it. Common side channel examples include monitoring the system's power consumption, electromagnetic radiation, and even sound.
One popular source of side channels (which we also use for Spook.js) is the processor's cache. The cache is a hardware component which stores recently used data in memory to provide faster access. Although this speeds up performance, an attacker can measure the time it takes to retrieve certain data and thus infer if another program has accessed it. This allows the attacker to retrieve the target's memory access pattern, which in many cases is highly correlated with the data processed by the target. Finally, cache side channels are useful as a building block in speculative and transient execution attacks, such as Spook.js, Spectre and Meltdown.
Spectre is a hardware vulnerability that affects nearly every general purpose processor. This includes nearly all modern Intel, AMD, and Apple CPUs, both for desktops and laptops. At a high level, the majority of recent processors predict the outcome of a branch if it cannot be computed quickly, and continue executing instructions along the prediction. If the prediction is incorrect, the processor must roll back the instructions it executed speculatively, alongside any state changes incurred by these instructions.
However, speculative execution leaves traces in the CPU's microarchitectural state, notably in the cache. Thus, a Spectre attacker might confuse the CPU's branch predictor into incorrectly executing instructions that should not have been executed otherwise. In case this incorrect speculation operates over private data, it is possible to leak the data via a side channel thus allowing attackers to read data otherwise inaccessible to them. In particular, in case a suitable Spectre-vulnerable code pattern (gadget) is present in a process belonging to a targeted program, an attacker might abuse this gadget in order to recover the contents of the process's entire address space and the data within it. Being a fundamental issue with speculative execution, Spectre is a threat to nearly all software, ranging from the computer's operating system to the web browser.
Operating systems such as Windows, Linux, and macOS currently isolate different programs into different units of execution called processes. The CPU then enforces this isolation at the hardware level, preveting one process from accessing the contents of other processes.
Strict Site Isolation is a recent browser architecture aimed at increasing browser security. Rather then arbitrarily assign different websites into different processes, browsers with Strict Site Isolation enabled ensure that content from different websites will be located in different processes. For example, data pertaining to google.com will never share the same process as the data for wikipedia.org, thus ensuring that these websites are isolated from each other at the hardware level.
eTLD+1 is an acronym for effective top-level domain plus one. A top-level domain (TLD) is the part of a domain name without dots, such as "com", "org", or "edu". Users can register domain names under a TLD, like "example.com". On the other hand, an effective top-level domain (eTLD) contains dots and is therefore not a true TLD, but is the part of a domain name under which subdomains can be registered directly. An example is "edu.au", with "adelaide.edu.au" registered under it.
The +1 refers to the term that comes just before the TLD or eTLD, delimited by a dot. That is, for "example.com" it is "example", and for "adelaide.edu.au" it is "adelaide". If two websites share a TLD or eTLD as well as the term preceding it, Chrome might consolidate them into the same process, despite Strict Site Isolation. Thus, Chrome will separate "example.com" and "example.net" due to different TLDs, and also "example.com" and "attacker.com" because the +1 terms (preceding the TLD) are different. However, "attacker.example.com" and "corporate.example.com" are allowed to share the same process due to their common eTLD+1 of "example.com". This allows pages hosted under "attacker.example.com" to potentially extract information from pages under "corporate.example.com".
Spectre is fundamentally a hardware vulnerability where footprints of speculative execution are not cleaned up completely within the processor's state. Thus, Strict Site Isolation cannot fix Spectre. Instead, Strict Site Isolation attempts to limit information leakage by separating the contents of different websites into different processes.
However, there are certain conditions under which Chrome does not separate two websites. The most prominent is the case where two websites sharing an eTLD+1 domain are opened in separate tabs, while the system is already under memory pressure from other tabs being open. In our paper, we identified several services which host attacker-controlled JavaScript code on the same eTLD+1 domain as a page containing sensitive information, such as the service's login page. In this example, in case the user opens a page hosting Spook.js attack code in parallel to the service's login page, Chrome's Strict Site Isolation implementation consolidates these two pages into the same process. This then allows our attack to extract the user's credentials as these are being autofilled by the browser's credential manager.
Since Spectre's original introduction in 2018, browser vendors have deployed many countermeasures in order to make Spectre harder to exploit. In addition to Strict Site Isolation, which prevets different webpages from sharing the same process, Chrome also partitions the address space of each process into different 32-bit sandboxes (despite being a 64-bit application). Limiting all values to be 32-bit prevents a Spectre attacker from crossing partition boundaries, thus further limiting information exposure.
Spook.js shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks. More specifically, we show that Chrome's Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains. Next, we also show how to bypass Chrome's 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome's JavaScript execution engine to operate on an object of the wrong type. Using this method we can combine multiple 32-bit values into a single 64-bit pointer, which allows us to read the process's entire address space. Finally, going beyond initial proof-of-concepts, we demonstrate end-to-end attacks extracting sensitive information such as the list of open pages, their contents, and even login credentials.
We have tested Spook.js on Chromium, which is the basis of the Chrome browser. Thus, in addition to Chrome itself, we expect most Chromium-based browsers to be vulnerable to some variant of Spook.js. This includes recent versions of Microsoft's Edge browser, as well as Brave which is a privacy-centered browser.
Other browsers like Firefox and Safari use very different JavaScript execution engines, which currently stops Spook.js from working. We leave the task of investigating speculative exection attacks on these browsers to future work. Finally, Firefox has recently introduced Strict Site Isolation in its stable release. While Spook.js does not work on Firefox as is, we note that similarly to Chrome, Firefox also consolidates pages based on their eTLD+1 domain.
Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1. This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries.
In addition, sites can register their domain name to the Public Suffix List (PSL). The PSL is maintained by Mozilla, and is a list of domains under which users can register names directly (even if the domains are not true top-level domains). Chrome will not consolidate pages if their eTLD+1 domain is present in the PSL. That is, x.publicsuffix.com and y.publicsuffix.com will always be separated.
Finally, as a response to our work, Google introduced Strict Extension Isolation, a feature which prevents multiple extensions from being consolidated into the same process under memory pressure. This stops Spook.js (packaged as a malicious extension) from reading the memory of other extensions. Strict Extension Isolation is enabled as of Chrome versions 92 and up. We also link a blog post by Google's Chromium Project on tips for web developers to defend their sites against side channel attacks.
Yes, please see our GitHub repository.
Our Spook.js logo contains the logo of the Chromium project, which is published under the Creative Commons Attribution 2.5 Generic (CC BY 2.5) license. We acknowledge that the Chromium logo belongs to the Chromium project, maintained by Google. While we have not modified the Chromium logo itself, we include it as a component of the Spook.js logo.
Accordingly, we release our logo under the same license. You can modify, redistribute, and copy it freely. Logo (excluding the Chromium logo component) designed by Jason Kim (who had to teach himself a bit of digital illustration just for it!)
This work was supported by the Air Force Office of Scientific Research (AFOSR) under award number FA9550-20-1-0425; an ARC Discovery Early Career Researcher Award (project number DE200101577); an ARC Discovery Project (project number DP210102670); CSIRO's Data61; the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contracts FA8750-19-C-0531 and HR001120C0087; Israel Science Foundation grants 702/16 and 703/16; the National Science Foundation under grant CNS-1954712; Len Blavatnik and the Blavatnik Family foundation and Blavatnik ICRC at Tel-Aviv University; Robert Bosch Foundation; and gifts from Intel and AMD.