Spectre meltdown apple
12/31/2023

Security researchers have recently uncovered security issues known as Meltdown and Spectre. These issues apply to all modern processors and allow attackers to gain read access to parts of memory that were meant to be secret. To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor. Meltdown impacts WebKit because WebKit’s security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.

WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.

Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown, and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.

This document explains how Spectre and Meltdown affect existing WebKit security mechanisms and what short-term and long-term fixes WebKit is deploying to provide protection against this new class of attacks. The first of these mitigations shipped on Jan 8, 2018:

- High Sierra 10.13.2 Supplemental Update.
- Safari 11.0.2 for El Capitan and Sierra.

You can check if your Safari and WebKit are patched by verifying the full version number in About Safari.

Spectre means that branches are no longer sufficient for enforcing the security properties of read operations in WebKit. The most impacted subsystem is JavaScriptCore (WebKit’s JavaScript engine). Almost all bounds checks can be bypassed to read arbitrarily out-of-bounds. This could allow an attacker to read arbitrary memory. For example, if some type contains an integer at offset 8 while another type contains a pointer at offset 8, then an attacker could use Spectre to bypass the type check that is supposed to ensure that you can’t use the integer to craft an arbitrary pointer.

JavaScriptCore is meant to be a secure language virtual machine. It should be possible to load untrusted JavaScript or WebAssembly code into your process without the risk of your process’s memory being leaked to the JavaScript code, except in cases where you explicitly export data to JavaScript via our C or Objective-C binding API. Spectre breaks this property of JavaScriptCore because untrusted JavaScript or WebAssembly now has a theoretical path to reading all of the host process’s address space. DOM APIs and system APIs called by DOM APIs also use branches to enforce their security properties, and those are callable from JavaScript. Hence, Spectre is not just an attack on JavaScriptCore itself but also everything that is callable from JavaScript.

To understand how Spectre works, it’s useful to think about how security-sensitive programming language operations (like any property access in JavaScript) get executed in JavaScriptCore on a modern processor. Most discussions about Spectre have involved bounds checks, so this section considers that case as well.
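As an added illustration, not code from this post or from WebKit, of why a branch-based bounds check is not enough on the speculative path and how a branchless index mask closes that gap: the 16-byte "heap", the secret bytes after the array, and the function names are all constructed for the example, and index masking is one common mitigation style, assumed here rather than described by the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Constructed sample heap (not a real JSC layout): an 8-element array
   followed by 8 bytes standing in for a neighbouring object whose contents
   must never be observable through the array. */
#define ARRAY_LEN 8
static const uint8_t heap[16] = {
    10, 11, 12, 13, 14, 15, 16, 17,                    /* array elements */
    0x53, 0x45, 0x43, 0x52, 0x45, 0x54, 0x21, 0x21     /* "SECRET!!" */
};

/* Branchless clamp: returns index when index < size, 0 otherwise, using
   pure arithmetic so there is no prediction point for the CPU to guess.
   Requires size <= SIZE_MAX / 2, so that (size - 1 - index) wraps to a value
   with its top bit set exactly when index >= size. */
static inline size_t array_index_nospec(size_t index, size_t size) {
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return index & (oob - 1);   /* oob == 0 -> mask all ones; oob == 1 -> mask zero */
}

/* Model of the transient path after a mispredicted "index < length" branch:
   the load executes with whatever index was supplied. With the raw index,
   bytes beyond the array are fetched, and anything fetched transiently may
   later be observable through a side channel. The modulo only keeps this
   model well-defined C; it is not part of the mitigation. */
uint8_t transient_read_unmasked(size_t index) {
    return heap[index % sizeof heap];
}

/* Same transient path with index masking applied before the load: the index
   has already been clamped into [0, ARRAY_LEN), so a misprediction reveals
   nothing outside the array. */
uint8_t transient_read_masked(size_t index) {
    return heap[array_index_nospec(index, ARRAY_LEN)];
}

/* The architectural (non-speculative) read, written the masked way: the
   branch still rejects bad indices for correctness, and the mask makes the
   load safe even when that branch is mispredicted. */
int read_element(size_t index, uint8_t *out) {
    if (index >= ARRAY_LEN)
        return -1;                                     /* architectural check */
    *out = heap[array_index_nospec(index, ARRAY_LEN)]; /* speculation-safe load */
    return 0;
}

/* Convenience wrapper: the element value, or -1 when the index is rejected. */
int read_element_value(size_t index) {
    uint8_t v;
    return read_element(index, &v) == 0 ? (int)v : -1;
}
```

The point of the two transient_read functions is the contrast: both sit behind the same architectural check, but only the masked version bounds what a mispredicted branch can fetch. The mask does not replace the check; it makes the check's outcome irrelevant to what the load can touch.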