Upcoming Events

SCP Security Seminar

Speaker: Jason Kim, Ph.D. student

Title: Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution

Abstract: The discovery of the Spectre attack in 2018 has sent shockwaves through the computer industry, affecting processor vendors, OS providers, programming language developers, and more. Because web browsers execute untrusted code while potentially accessing sensitive information, they were considered prime targets for attacks and underwent significant changes to protect users from speculative execution attacks. 

We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages. We further show that Spectre adversely affects the security model of extensions in Chrome, demonstrating leaks of usernames and passwords from the LastPass password manager. Finally, we show that the problem also affects other Chromium-based browsers, such as Microsoft Edge and Brave.

Biography: Jason Kim is a second-year Ph.D. student advised by Prof. Daniel Genkin at Georgia Tech's School of Cybersecurity and Privacy. Jason's research lies at the intersection of side-channel attacks arising from CPU microarchitecture and how they can be exploited from web browsers. His ultimate goal is to harden web browsers against leaking secrets: billions of people browse the internet on a daily basis and handle sensitive or personal information on the web, yet browsers automatically execute untrusted code served from websites as soon as a user visits the site. Prior to Georgia Tech, Jason graduated from the University of Michigan in 2021 with a Bachelor's in Computer Science. He is an author and presenter of Spook.js, which was published at the 2022 IEEE Symposium on Security and Privacy.