Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution

The discovery of the Spectre attack in 2018 has sent shockwaves through the computer industry, affecting processor vendors, OS providers, programming language developers, and more. Because web browsers execute untrusted code while potentially accessing sensitive information, they were considered pri...

Full description

Saved in:
Bibliographic Details
Published in:Proceedings - IEEE Symposium on Security and Privacy pp. 699 - 715
Main Authors: Agarwal, Ayush, O'Connell, Sioli, Kim, Jason, Yehezkel, Shaked, Genkin, Daniel, Ronen, Eyal, Yarom, Yuval
Format: Conference Proceeding
Language:English
Published: IEEE 01.05.2022
Subjects:
Browsers
Codes
Computer industry
Computer languages
Ecosystems
Passwords
Privacy
ISSN:2375-1207
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Abstract The discovery of the Spectre attack in 2018 has sent shockwaves through the computer industry, affecting processor vendors, OS providers, programming language developers, and more. Because web browsers execute untrusted code while potentially accessing sensitive information, they were considered prime targets for attacks and underwent significant changes to protect users from speculative execution attacks. In particular, the Google Chrome browser adopted the strict site isolation policy that prevents leakage by ensuring that content from different domains is not shared in the same address space. The perceived level of risk that Spectre poses to web browsers stands in stark contrast with the paucity of published demonstrations of the attack. Before mid-March 2021, there was no public proof-of-concept demonstrating leakage of information that is otherwise inaccessible to an attacker. Moreover, Google's leaky.page, the only current proof-of-concept that can read such information, is severely restricted to only a subset of the address space and does not perform cross-website accesses. In this paper, we demonstrate that the absence of published attacks does not indicate that the risk is mitigated. We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages. We further show that Spectre adversely affects the security model of extensions in Chrome, demonstrating leaks of usernames and passwords from the LastPass password manager. Finally, we show that the problem also affects other Chromium-based browsers, such as Microsoft Edge and Brave.
AbstractList The discovery of the Spectre attack in 2018 has sent shockwaves through the computer industry, affecting processor vendors, OS providers, programming language developers, and more. Because web browsers execute untrusted code while potentially accessing sensitive information, they were considered prime targets for attacks and underwent significant changes to protect users from speculative execution attacks. In particular, the Google Chrome browser adopted the strict site isolation policy that prevents leakage by ensuring that content from different domains is not shared in the same address space. The perceived level of risk that Spectre poses to web browsers stands in stark contrast with the paucity of published demonstrations of the attack. Before mid-March 2021, there was no public proof-of-concept demonstrating leakage of information that is otherwise inaccessible to an attacker. Moreover, Google's leaky.page, the only current proof-of-concept that can read such information, is severely restricted to only a subset of the address space and does not perform cross-website accesses. In this paper, we demonstrate that the absence of published attacks does not indicate that the risk is mitigated. We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages. We further show that Spectre adversely affects the security model of extensions in Chrome, demonstrating leaks of usernames and passwords from the LastPass password manager. Finally, we show that the problem also affects other Chromium-based browsers, such as Microsoft Edge and Brave.
Author Ronen, Eyal
Genkin, Daniel
Agarwal, Ayush
Kim, Jason
O'Connell, Sioli
Yehezkel, Shaked
Yarom, Yuval
Author_xml – sequence: 1
  givenname: Ayush
  surname: Agarwal
  fullname: Agarwal, Ayush
  email: ayushagr@umich.edu
  organization: University of Michigan
– sequence: 2
  givenname: Sioli
  surname: O'Connell
  fullname: O'Connell, Sioli
  email: sioli.oconnell@adelaide.edu.au
  organization: University of Adelaide
– sequence: 3
  givenname: Jason
  surname: Kim
  fullname: Kim, Jason
  email: nosajmik@gatech.edu
  organization: Georgia Institute of Technology
– sequence: 4
  givenname: Shaked
  surname: Yehezkel
  fullname: Yehezkel, Shaked
  email: shakedy@mail.tau.ac.il
  organization: Tel Aviv University
– sequence: 5
  givenname: Daniel
  surname: Genkin
  fullname: Genkin, Daniel
  email: genkin@gatech.edu
  organization: Georgia Institute of Technology
– sequence: 6
  givenname: Eyal
  surname: Ronen
  fullname: Ronen, Eyal
  email: eyal.ronen@cs.tau.ac.il
  organization: Tel Aviv University
– sequence: 7
  givenname: Yuval
  surname: Yarom
  fullname: Yarom, Yuval
  email: yval@cs.adelaide.edu.au
  organization: University of Adelaide
BookMark eNotT9tOwzAUCwgktrEvgIf8QEtOkuXC2zRtMDQJpMLzlKWnkF2aqg0T_D2d2JNt2bLsIbmqY42E3APLAZh9KN6k4iBzzjjPrRFCA1yQsdUGlJpIEKDsJRlwoScZcKZvyLDrtoxxJqwckJeiiXGXb7tHOk3J-V2oP-nsq40HpEVqg0-0CAnpsot7l0Ks6TE4WjTov0_6iHT-0_OTc0uuK7fvcHzGEflYzN9nz9nq9Wk5m66yAGBSprjaCGTglVUlOMM4WClKYb3oN5fGb0y_2lTaq7ICL9Fa7MPoNTr0nIsRufvvDYi4btpwcO3v-nxd_AGA8087
CODEN IEEPAD
ContentType Conference Proceeding
DBID 6IE
6IH
CBEJK
RIE
RIO
DOI 10.1109/SP46214.2022.9833711
DatabaseName IEEE Electronic Library (IEL) Conference Proceedings
IEEE Proceedings Order Plan (POP) 1998-present by volume
IEEE Xplore All Conference Proceedings
IEEE Electronic Library (IEL)
IEEE Proceedings Order Plans (POP) 1998-present
DatabaseTitleList
Database_xml – sequence: 1
  dbid: RIE
  name: IEEE Electronic Library (IEL)
  url: https://ieeexplore.ieee.org/
  sourceTypes: Publisher
DeliveryMethod fulltext_linktorsrc
Discipline Computer Science
EISBN 9781665413169
1665413166
EISSN 2375-1207
EndPage 715
ExternalDocumentID 9833711
Genre orig-research
GrantInformation_xml – fundername: Air Force Office of Scientific Research
  funderid: 10.13039/100000181
– fundername: Defense Advanced Research Projects Agency
  funderid: 10.13039/100000185
– fundername: Israel Science Foundation
  funderid: 10.13039/501100003977
– fundername: Robert Bosch
  funderid: 10.13039/100011993
– fundername: National Science Foundation
  funderid: 10.13039/100000001
GroupedDBID 23M
29O
6IE
6IF
6IH
6IL
6IN
AAJGR
AAWTH
ABLEC
ACGFS
ADZIZ
ALMA_UNASSIGNED_HOLDINGS
BEFXN
BFFAM
BGNUA
BKEBE
BPEOZ
CBEJK
CHZPO
IEGSK
IJVOP
M43
OCL
RIE
RIL
RIO
RNS
ID FETCH-LOGICAL-i118t-626b3e01c696d1a8021943d39c3781d8cb84138f7c6df1c4e99e1c6ec7eaec223
IEDL.DBID RIE
IngestDate Wed Aug 27 02:37:20 EDT 2025
IsPeerReviewed false
IsScholarly true
Language English
LinkModel DirectLink
MergedId FETCHMERGED-LOGICAL-i118t-626b3e01c696d1a8021943d39c3781d8cb84138f7c6df1c4e99e1c6ec7eaec223
PageCount 17
ParticipantIDs ieee_primary_9833711
PublicationCentury 2000
PublicationDate 2022-May
PublicationDateYYYYMMDD 2022-05-01
PublicationDate_xml – month: 05
  year: 2022
  text: 2022-May
PublicationDecade 2020
PublicationTitle Proceedings - IEEE Symposium on Security and Privacy
PublicationTitleAbbrev SP
PublicationYear 2022
Publisher IEEE
Publisher_xml – name: IEEE
SSID ssj0020394
Score 2.2420275
Snippet The discovery of the Spectre attack in 2018 has sent shockwaves through the computer industry, affecting processor vendors, OS providers, programming language...
SourceID ieee
SourceType Publisher
StartPage 699
SubjectTerms Browsers
Codes
Computer industry
Computer languages
Ecosystems
Passwords
Privacy
Title Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution
URI https://ieeexplore.ieee.org/document/9833711
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
link http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1NSwMxEA21ePBUtRWtH-Tg0W03mzQf3kRa1EMprEJvZXd2ChVsS7st_nwn6VoRvHgbshsCkyzzZjZvHmO3Nne6J3RGaYmWkVI9iHLIvEWDSPgcJASxCTMc2vHYjWrsbs-FQcRw-Qw73gz_8osFbHyprOuslMYTeQ-M0Tuu1j65iqVTFTVOxK6bjpROhC-aJEmnmvdLQCXEj0Hjfysfs9YPEY-P9iHmhNVwfsoa30oMvPowm-wlXRJY7ryv7_lDWWbg69_c9739QJ76HvwlTwlb8mc6aWEr-HaWca89H9S7tsj7n2T7Jy32Nui_Pj5FlUpCNKPkoIwoI8klxgK004XILAVtp2QhHUhDYNRCbilQ2akBXUwFKHQO6WUEgxkCoYMzVp8v5njOeCYkGkrIDORaOZs4VDIpCqcRCcgU8QVretdMlrtGGJPKK-2_hy_Zkff-7nbgFauXqw1es0PYlrP16ibs3hc_2Jr2
linkProvider IEEE
linkToHtml http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1Na8JAEB3EFtqTbbX0u3vosdEku252eytF0daKEAveJNkdwUJVNEp_fmdjain00tuwSQjMbJg3k33zAO5UqmUzkAmVJZJ7QjSNl5rEWbSIhM8NN7nYRNTvq9FID0pwv-PCIGJ--Azrzsz_5du5WbtWWUMrziNH5N1zylkFW2tXXvlci4IcF_i6EQ-EDAPXNgnDevHkLwmVPIO0K_979xHUfqh4bLBLMsdQwtkJVL61GFjxaVbhOV4QXK6_rx7YY5YlxnXAmZt8-4EsdlP4MxYTumRd2mt5MNhmmjCnPp_rd22QtT7Jdldq8NZuDZ86XqGT4E2pPMg8qklSjn5gpJY2SBSlbS245drwiOCoMqkib6lJZKSdBEag1kg3o4kwQUP44BTKs_kMz4AlAceISrLIpFJoFWoUPLRWS0SCMtY_h6pzzXixHYUxLrxy8ffyLRx0hq-9ca_bf7mEQxeJ7VnBKyhnyzVew77ZZNPV8iaP5BeC-Z4_
openUrl ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=Proceedings+-+IEEE+Symposium+on+Security+and+Privacy&rft.atitle=Spook.js%3A+Attacking+Chrome+Strict+Site+Isolation+via+Speculative+Execution&rft.au=Agarwal%2C+Ayush&rft.au=O%27Connell%2C+Sioli&rft.au=Kim%2C+Jason&rft.au=Yehezkel%2C+Shaked&rft.date=2022-05-01&rft.pub=IEEE&rft.eissn=2375-1207&rft.spage=699&rft.epage=715&rft_id=info:doi/10.1109%2FSP46214.2022.9833711&rft.externalDocID=9833711