Tenta Releases Mitigation for Spectre & Meltdown - Explained

"Your usual martini, Sir," said the bartender offering Bond a drink as he approached the bar. "Shaken, not stirred."

"No thank you," replied Bond, glancing down at his watch. "Today I'd prefer an Orange Juice."

The first week of 2018 saw the disclosure of two significant computer security flaws, affecting the vast majority of computers in the world[1]. These flaws, named Meltdown and Spectre, exist in the Central Processing Units (or CPUs) produced by Intel, AMD and ARM, meaning that every computing device produced in the past decade and more contains these vulnerabilities.

In response, Tenta released an update to the Tenta Browser on January 5th, 2018 containing mitigations for the small portion of Tenta which was susceptible to these attacks. We've seen a lot of confusion around how these attacks work, what's affected and what users can do to secure themselves. This post attempts to clarify how the attacks work for the layperson[2] and address commonly asked questions. Finally, for those so inclined, we'll provide specific technical details about how Tenta addressed these bugs. Although there are two distinct flaws (and at least three minor variations on the attacks), we'll focus on just the most prevalent, Spectre.

Explaining Spectre and How it Works

Spectre exists as a flaw in the physical hardware of the computer, specifically the CPU. The CPU is the core component of a computer, often compared to the brain, where the actual computations take place. Since modern CPUs are almost incomprehensibly complex, we'll start with an analogy[3]. The original discoverers of these flaws named the more prevalent version Spectre, "As it is not easy to fix, it will haunt us for a long time." For us, however, it puts us in mind of the shadowy organization from the James Bond movies, with secret back doors everywhere. Plus, we're incapable of resisting the opportunity to write Bond fan-fic while explaining computer science.

Bond knows that his targets identify each other by way of a secret drink at a bar. In order to infiltrate their organization, he must either convince the bar to make him one, or figure out the ingredients to make one himself. Unfortunately, after many previous infiltrations, the Bartender will only make the secret drink for customers known to be agents of Spectre. Anyone else who orders the secret drink is immediately kicked out[4]. The bar will serve any other drink (even just a single ingredient) to any customer. Bond cannot order the drink, and he cannot force the recipe out of the Bartender.

While observing the bar, Bond notices several curious routines. First of all, the Bartender has only limited space at the bar, so only a few ingredients can be used at a time. Whenever the Bartender requires an ingredient that's not already at the bar, a lengthy trip to the storage cabinet is required. Naturally, after some time the Bartender decided to always leave the ingredients from the previous drink on the bar. If an order comes in using those ingredients, it can be made very quickly, saving time overall. Secondly, the Bartender knows that VIP customers are impatient; although a secret drink cannot be served until the identity of the customer is confirmed, the Bartender can start making the drink as soon as a customer that normally gets the secret drink makes a reservation. When the customer finally arrives, and their identity is confirmed, the Bartender can immediately hand over the speculatively prepared drink. In the rare case that customer doesn't show up, or turns out to be a fraud, the prepared secret drink is simply discarded. On average, then, the important customers get their drink very quickly, and in the rare case of an impostor, little is wasted. Armed with just these facts, Bond devises a clever plan to steal the secret recipe. A plan so devious that it requires only his trusty watch to execute.

Bond waits until a target happens to order the secret drink[5], to be sure that the Bartender will speculatively prepare one when the target next makes a reservation. Next, Bond makes a fake reservation in the name of the target. Bond waits until the appointed time of the fake reservation, knowing that the Bartender will prepare the secret drink in anticipation of the target's reservation. Immediately after the appointed time of the reservation, Bond orders a single ingredient from the Bartender (for example, a glass of orange juice, or a slice of lime), and then times how long it takes to arrive. If the single ingredient arrives quickly, then it must be sitting on the bar from the previous drink the Bartender made, and is thus an ingredient in the secret drink. If it takes a long time, then the Bartender must have had to fetch the ingredient from storage and so it's not an ingredient in the secret drink. Bond simply repeats this process until he's tried every relevant combination of ingredients, and eventually determines the secret recipe.

Despite layers of complexity and fiendish security, Bond steals the secret with nothing but a stopwatch.

To put our analogy into perspective, the Bartender is the CPU of your computer, the secret recipe is your secret data, and the owner of a stopwatch is the attacker. While the specific math gets complex, the key pieces of the Spectre attack are convincing the CPU to incorrectly speculatively perform a task for which it requires secret computer memory, and then read a different piece of non-secret computer memory. Even though the result of the secret execution is thrown out, the fact that some non-secret memory was promoted to the cache allows the attacker to determine details about the secret data. In our analogy, it would take months or years to perform the attack, but with the speed of modern computers, millions of such tests can be executed very quickly, meaning that data can be stolen in a matter of minutes.

Am I affected and what can I do about it?

Most likely the computer you are using is susceptible to this flaw. Ultimately, a permanent fix requires a redesign of computer hardware. The good news is that in the meantime, software developers can prevent the sequence of events that leads to the attack in several ways. First, they can avoid code patterns that lead to exploitable speculative computations. Second, if such computations are unavoidable, they can ensure that all cached data is cleared before anything else is allowed to run[6]. In addition, without access to a high precision timer this attack is very difficult to carry out. All major operating system and web browser developers are rolling out these workarounds to ensure that these bugs cannot be exploited.

As a user, you should make sure your operating system is up to date. You can also follow the blogs of the companies powering the devices you are using such as Google and Apple to learn more about how they are fixing the problem. Lastly, as a long term strategy to minimize your risk against attacks like Spectre, start considering privacy-first apps such as Tenta.


Frequently Asked Questions

Q Was this a bug in Tenta?
A No. These vulnerabilities are hardware level vulnerabilities in popular chips and affect all browser and operating system developers.

Q Could this steal my Tenta PIN?
A No. The Tenta PIN is only used to unlock Tenta data before any browser session runs, and therefore the PIN is already deleted from memory long before this attack could be mounted.

Q Are there any working implementations of this attack in Tenta?
A No. We're not aware of any implementations of these attacks against Tenta.

Q Can data from a closed Zone be stolen?
A No. Even if a version of Tenta without these fixes were compromised, only data from the currently open tab, or a very recently opened tab in the same Zone would be vulnerable.

Details on the actions we've taken

Based on our investigation, Tenta was less susceptible to these vulnerabilities than our competitors because of our design and engineering decisions. In particular, given our concept of Zones of data and the fact that we aggressively encrypt sensitive data whenever a Zone becomes inactive, we believe that in most cases only already encrypted data could be stolen from Tenta. We have never enabled SharedArrayBuffer by default, one of the features used to mount the attack against some browsers.

Even though Tenta already has a small attack surface, we've worked hard to implement several mitigations:

- SharedArrayBuffer cannot be enabled in Tenta
- The performance.now() high resolution timer has been degraded to a granularity of 20 microseconds
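To show what the timer mitigation above (and the remark earlier that the attack is hard without a high precision timer) actually buys, here is an added example, not Tenta's code: a wrapper that coarsens a performance.now()-style clock to 20 microseconds, driven by a constructed simulated clock so it runs offline and deterministically.

```javascript
// Added example, not Tenta's code: coarsen a high-resolution clock to the
// 20 microsecond granularity the post describes, then check whether two events
// that differ on the cache-hit versus cache-miss scale still look different.
// All timestamps and durations below are constructed for the simulation.

const GRANULARITY_MS = 0.02; // 20 microseconds, expressed in milliseconds

// Round a millisecond timestamp down to a multiple of the granularity.
// Work in integer nanoseconds so the bucket boundaries are exact.
function coarsenMs(tMs, granularityMs = GRANULARITY_MS) {
  const ns = Math.round(tMs * 1e6);
  const bucketNs = Math.round(granularityMs * 1e6);
  return (ns - (ns % bucketNs)) / 1e6;
}

// Wrap any high-resolution clock so callers only ever see coarsened readings.
function makeCoarseClock(highResClock, granularityMs = GRANULARITY_MS) {
  return () => coarsenMs(highResClock(), granularityMs);
}

// Simulated clock: `sim.now` is advanced by hand instead of real time passing.
function elapsedMs(clock, sim, durationMs) {
  const t0 = clock();
  sim.now += durationMs; // the "work" being timed
  return clock() - t0;
}

// Report what a high-res and a coarse clock each see for two events whose
// durations differ like a cache hit and a cache miss (sub-microsecond scale).
function compareTimers(startMs, hitMs, missMs) {
  const sim = { now: startMs };
  const hiRes = () => sim.now;
  const coarse = makeCoarseClock(hiRes);
  const hi = { hit: elapsedMs(hiRes, sim, hitMs), miss: elapsedMs(hiRes, sim, missMs) };
  sim.now = startMs; // restart the simulation for the coarse clock
  const lo = { hit: elapsedMs(coarse, sim, hitMs), miss: elapsedMs(coarse, sim, missMs) };
  return {
    hiResDistinguishes: hi.hit !== hi.miss,
    coarseDistinguishes: lo.hit !== lo.miss,
    coarse: lo,
  };
}

// Constructed run: start at 1000.0137 ms, a 0.1 µs "hit" versus a 0.3 µs "miss".
// Both land in the same 20 µs bucket, so the coarse clock reports 0 ms for each.
console.log(compareTimers(1000.0137, 0.0001, 0.0003));
```

A duration that happens to straddle a bucket boundary still reads as one tick, so coarsening reduces rather than removes timing information, which is why the post pairs it with keeping SharedArrayBuffer disabled.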

Furthermore, going forward we're following the work being done in the browser community to ensure that JavaScript JITs don't generate vulnerable code. In addition, we'll be doing future work to further secure our Zone mechanism and reduce the attack surface.



[1] Security engineers everywhere were thrilled to get called back from their New Year holidays to deal with these issues during the first week of the year.

[2] Hi Mom!

[3] If you teach advanced computer engineering then a disclaimer: our analogy is a significant simplification of the actual math behind the attack. We think that it does correctly convey the fundamental reasons behind these attacks, and therefore serves the important goal of allowing everyone to appreciate the actual security flaws in their devices.

[4] Or, you know, dropped into a tank of piranhas. Whatever.

[5] Or else invites them to the bar so he doesn't have to wait around for them to show up on their own.

[6] In our Bartender analogy, this is like requiring the Bartender to discard all ingredients on the bar after making each secret drink.


About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure media vault, HTTPS Everywhere, Tenta DNS, and more.
