Exploits in C/C++ to compiled JavaScript / WebAssembly

The Meltdown and Spectre vulnerabilities in modern CPUs from Intel/AMD/ARM revealed surprising attack vectors in computing. Everything from low level Operating System Kernel components to JavaScript running in Billions of browsers could be exploited by using Spectre variants 1 and 2.

Many thought that it would be difficult to exploit Meltdown and Spectre with JavaScript. The researchers who reported the Spectre vulnerability showed an example exploit for JavaScript that proved that users could be attacked through the sandbox of the browser.

The browser sandbox has been a very safe environment to develop for. Since the early days of the web access to low level resources has been a no-no in the world of web browser development. There were some proprietary technologies like ActiveX from Microsoft, Flash from Adobe and Java applets from Sun/Oracle that had serious vulnerabilities.

The vulnerabilities in these plugins were due to them running outside of the browsers sandbox. The layer of safety was gone and the plugin developers were responsible for security enforcement (on top of the Operating System level, naturally).

Exploits written in C can be compiled to JavaScript or WebAssembly

With browsers becoming increasingly sophisticated application platforms there is a real danger that security vulnerabilities will escalate. Modern JavaScript frameworks continue to be vulnerable to XSS (Cross Site Scripting) attacks, made even more complicated to develop and harden with Universal JavaScript apps where the same code runs in the server and the client.

In addition to this type of classic issues, we already we are seeing new types of attacks on the web. Stealing users computing power to mine cryptocurrencies like Bitcoin with JavaScript is already widespread in the browser space. This is made possible by accessing the CPU and GPU resources of the computing platform, a low level but a relatively contained and harmless form of abuse through the web.

One of the most interesting areas in web development is the arrival of WebAssembly. This technology enables writing apps in any language to target the browser as a runtime. Some will use C, C++, Java and developers can even reuse their JavaScript skills and toolchain experience by compiling TypeScript to WebAssembly.

Spectre exploit in 70 lines of C that can be compiled to JS or Wasm

These technologies open up incredible possibilities unthinkable just ten years ago. Running old computer games and even Operating Systems like Windows 95 in browsers by setting the browser to be the compilation target is already being done. Someone will eventually even create a Flash plugin to allow running Adobe Flash in contemporary browsers without the plugin.

This also opens up a world of possibilities for malicious parties. Low level vulnerabilities like Meltdown and Spectre can have unprecedented distribution through the web ecosystem. Simply visiting a website or a web application could compromise your laptop or smartphone at a level unheard of before.

In addition the breadth of techniques that can be used against browsers will expand and likely an existing set of attack methods can now be deployed via WebAssembly or JavaScript. A practical example of such a bridge from low level to the very top is an example where 70 lines of C code exploiting Spectre can be compiled to JavaScript / Wasm:

In this demo, we will dump user data without reading it. If you translate the code into Javascript, you could dump IE browser data.

- https://github.com/idea4good/spectre

This example from GitHub user idea4good is available publicly and is a perfect example of how the added capabilities add new risks. Not only can you target macOS, Windows and Linux Operating Systems with this, but you can easily reach the billions of mobile devices running Android and iOS.

With great power comes great responsibility (sigh).