Tencent Security Xuanwu Lab broke this illusion. At the '2018 Snow Summit' on July 21, senior researcher Song Kai presented the first use of the 'Spectre' vulnerability from inside the browser: how to trigger Spectre through JavaScript, and how to generate instruction sequences that flush the cache cleanly. Song Kai also discussed the real-world harm that Spectre can cause in the browser and the related mitigations.
The 2018 Security Developers Summit is hosted by the Snow Academy, an established security technology community, and is open to developers, security personnel and advanced technology practitioners; it is an annual event for domestic developers and security professionals. Tencent Security is the diamond sponsor of this summit. With four business lines present, it showcased the 'talent + technology' business model built around the top ten international white hat hackers of the Tencent Security Joint Lab, which drew wide attention from the industry.
Big harvest of gadgets
There is no doubt that 'Spectre' is a serious CPU vulnerability: it breaks the isolation between applications and affects most mainstream architectures. It lets an attacker trick a program that contains no bug of its own into speculatively touching data, and then use the cache as a side channel to leak sensitive data from user-level processes. Most public attacks so far are local. If the vulnerability could be exploited through the browser, large-scale attacks on users would become possible; given how many people use browsers, a successful attack would have unimaginable consequences.
'In theory, the main hazard of this vulnerability to individual users is equivalent to a cross-platform, cross-browser super UXSS. But can it be realized, and to what extent? Nobody knew.' On the fifth day after the CPU vulnerabilities were disclosed, the head of Tencent Security Xuanwu Lab, Yu Yang (TK), published on Weibo the result of the lab's 'quiet' work during that time: an online detection tool that can check whether the user's browser is vulnerable to the attack.
Enterprise users can use this tool to check the security status of a browser in real time; if the result says the browser is vulnerable, the risk is real. Song Kai also shared the 'surprises' that came after the tool went online: 'When the tool was released it was also the world's first online detection tool, and thousands of users used it to check their own devices. More unexpectedly, because our initial test environment was limited, we had only tested it on some Windows machines with Chrome; after release we found that other devices were affected too, such as Surface Pro, macOS, iPhone X, Pixel 2 and so on.'
Solve two core issues
The online detection tool was only the beginning. 'Without knowing the attack, how can one know the defense': how to launch an attack with the 'Spectre' vulnerability became the research focus of this group of white hat hackers at Tencent Security Xuanwu Lab.
Song Kai explained in his talk that the root cause of the vulnerability is that code executed speculatively can affect the CPU's cache, and that effect on the cache can be detected by technical means. Branch logic is therefore unreliable in practice: because the cache is affected, an attacker can infer the content of the data accessed during speculative execution, and since that data is measurable it can be leaked.
So how to properly flush the cache, and how to ensure that the specific data does not appear in the cache during the process, is the first problem that must be solved to carry out the attack in the browser.
Tencent Security Xuanwu Lab's approach is to first access a large number of different addresses to force the cache to be refreshed, achieving the effect of a cache flush, and then to traverse the variables by placing them in different regions of memory, so that the variables visited on each pass are not cached. The high-precision timer needed to measure memory access time is obtained with a Worker plus a SharedArrayBuffer. Dynamically probing the cache size to adapt to different devices is also an indispensable part of the whole attack scheme.
Also worth mentioning is how the lab uses the CPU's 'branch prediction' feature: after five training runs in which the branch condition really holds, the predictor is primed, so the CPU enters the speculated branch more reliably.
'Building a whole attack chain in JavaScript requires solving many problems,' Song Kai concluded, including how to reliably flush the cache, how to ensure that specific data does not appear in the cache, a high-precision timer, and dynamic detection of the cache size. To cause actual harm, the main remaining problem to solve is the memory layout.
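The scheme above depends on SharedArrayBuffer for its timer. As an added example that is not part of the talk or of Xuanwu Lab's code: current Chrome and Firefox expose SharedArrayBuffer only to documents that are cross-origin isolated, which a site opts into with the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy response headers; the Node.js module below audits a response header set for that state and wraps a request handler so that it sets those headers (all function names are this example's own).

```javascript
'use strict';
// Added example, not code from the talk or from Xuanwu Lab. Cross-origin
// isolation is the browser-side mitigation: it keeps cross-origin resources
// that have not opted in (via CORP/CORS) out of the page's process, and only
// then does the browser hand the page SharedArrayBuffer again.
const COOP = 'cross-origin-opener-policy';
const COEP = 'cross-origin-embedder-policy';

// Case-insensitive header lookup; returns the normalised value or '' when absent.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? '' : String(headers[key]).trim().toLowerCase();
}

// True when a top-level document served with these headers is cross-origin
// isolated, i.e. when its scripts (and workers) may use SharedArrayBuffer.
function isCrossOriginIsolated(headers) {
  const coop = headerValue(headers, COOP);
  const coep = headerValue(headers, COEP);
  return coop === 'same-origin' &&
    (coep === 'require-corp' || coep === 'credentialless');
}

// Audit one response: reports which isolation header is missing or too weak.
function auditIsolation(headers) {
  const problems = [];
  if (headerValue(headers, COOP) !== 'same-origin') {
    problems.push('Cross-Origin-Opener-Policy must be same-origin');
  }
  const coep = headerValue(headers, COEP);
  if (coep !== 'require-corp' && coep !== 'credentialless') {
    problems.push('Cross-Origin-Embedder-Policy must be require-corp (or credentialless)');
  }
  return { isolated: problems.length === 0, problems };
}

// Wraps a Node.js-style (req, res) handler so every response opts into
// cross-origin isolation. Usage (not run here):
//   http.createServer(withIsolation((req, res) => res.end('ok'))).listen(8080);
function withIsolation(handler) {
  return (req, res) => {
    res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
    res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
    return handler(req, res);
  };
}
```

Once isolated, every cross-origin image, script or frame the page loads must itself send Cross-Origin-Resource-Policy or CORS headers, or the browser blocks it; that is the opt-in that makes the timer safe to expose.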
This research is only one part of Tencent Security Xuanwu Lab's capabilities. Song Kai, who spoke at this summit, won the Pwn2Own 2017 Edge browser category on behalf of the lab; he has been named to Microsoft's MSRC Global Top 100 Contributors list for three consecutive years, ranking as high as 12th; and he has also won the 2016 Microsoft Mitigation Bypass Bounty and the 2015 and 2016 Edge Bounty projects.
The lab's members are deeply immersed in information security technology and turn Tencent's security output directly into technical capability that protects users' network security. After the CPU vulnerabilities broke at the start of the year, in addition to the online detection tool developed by Tencent Security Xuanwu Lab, Tencent Security Anti-Virus Lab and Tencent PC Manager also quickly launched corresponding repair and detection tools, helping users quickly and easily complete vulnerability detection, identify hidden dangers in time, and minimize risk.