Jump to content

I just became a lot less worried about CPU side-channel attacks


Recommended Posts

CPU side-channel vulnerabilities have put the fear of god into us recently, with what seem like near constant reports of more and more newly discovered CPU vulnerabilities in modern microprocessors (especially those manufactured by Intel; though AMD chips are not immune from all of them), and while Intel, AMD and Microsoft have rolled out multiple patches and CPU microcode updates, none of them have fully addressed all of these vulnerabilities; they've only reduced the attack surface or made exploiting them more difficult.  Intel has worked to build hardware mitigations into its more recent chips, however that does nothing for the millions of systems running past generation CPUs which cannot be made fully immune to these attacks.

Well, I just so happened to stumble across information about someone actually doing something about it, and while it isn't exactly bullet-proof, it does go a long way to mitigate the single most likely attack vector that the bad guys would likely use to attempt to infiltrate a system with these vulnerabilities: the web browser, namely Chrome.

These researchers wrote a browser extension for Chrome called Chrome Zero which guards against all 11 known side-channel JavaScript attacks which can be used by the bad guys to initiate a side-channel attack.  They prevent the bad guys from using malicious JavaScript in a webpage to gather key information from your system and CPU to be able to successfully execute a side-channel exploit/attack, securing Chrome (or any compatible Chromium based browser; I'm using it on SRWare Iron personally) against these threats.

Please note that the researchers do warn that this extension is not for use in a production environment, however they welcome anyone to develop a fully functional extension implementing all the features of their browser extension to block these nasty attacks; the following is quoted from their GitHub page located here:

Disclaimer: This is a research project and not meant to be used in production. We would be happy if someone would build a fully functional extension implementing all features of JavaScript Zero.

You can read more about this project on their GitHub page linked above (there's also a PDF providing further details available there) as well as the original BleepingComputer article where I initially discovered this awesome extension here.

I wonder if Malwarebytes would consider implementing these features in their own browser extension which is currently in beta?  It sure would go nicely with that extensions existing capabilities, not to mention augmenting the already awesome protection in their Exploit Protection component in Malwarebytes Premium.  I might just recommend to them that they do so ;).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.