undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointsem3rgent0rdr8y ago0 comments

HTML is code too. Just write the right sequence of HTML that will train the branch predictor to speculative jump to some address in the HTML representing malicious machine code.

0 comments

6 comments · 2 top-level

krapp8y ago· 4 in thread

This may be a dumb question but how would one get branch prediction from HTML if HTML doesn't have conditional statements? There shouldn't be any branches to predict.

em3rgent0rdrOP8y ago

The browser's html engine will still do conditional jumps based on the HTML. One attack [1]:

"Decompressors, especially in HTTP(S) stacks. Data decompression inherently involves a large number of steps of "look up X in a table to get the length of a symbol, then adjust pointers and perform more memory accesses" — exactly the sort of behaviour which can leak information via cache side channels if a branch mispredict results in X being speculatively looked up in the wrong table. Add attacker-controlled inputs to HTTP stacks and the fact that services speaking HTTP are often required to perform request authentication and/or include TLS stacks, and you have all the conditions needed for sensitive information to be leaked."

[1] http://www.daemonology.net/blog/2018-01-17-some-thoughts-on-...

There are plenty of conditionals in the rendering engine of a browser, especially with regards to managing layout.

AnimalMuppet8y ago

That would be a browser-specific exploit, though. In fact, it might be specific to the exact build of the browser.

krapp8y ago

Fair enough.

Even if that were feasible (I doubt it is in practice), how do you do the timing analysis and send the results somewhere?

j / k navigate · click thread line to collapse