*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Pradyumna Shome, Ph.D. Student
pradyumna.shome@gatech.edu
Summary Sentence: Join us for a student led seminar series about today's security issues
Full Summary: No summary paragraph submitted.
SCP Title CardSpeaker: Jason Kim, Ph.D. student
Title: Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution
Abstract: The discovery of the Spectre attack in 2018 has sent shockwaves through the computer industry, affecting processor vendors, OS providers, programming language developers, and more. Because web browsers execute untrusted code while potentially accessing sensitive information, they were considered prime targets for attacks and underwent significant changes to protect users from speculative execution attacks.
We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages. We further show that Spectre adversely affects the security model of extensions in Chrome, demonstrating leaks of usernames and passwords from the LastPass password manager. Finally, we show that the problem also affects other Chromium-based browsers, such as Microsoft Edge and Brave.
Biography: Jason Kim is a second-year Ph.D. student advised by Prof. Daniel Genkin at Georgia Tech's School of Cybersecurity and Privacy. Jason's research lies at the intersection of side-channel attacks arising from CPU microarchitecture and how they can be exploited from web browsers. His ultimate goal is to harden web browsers against leaking secrets: billions of people browse the internet on a daily basis and handle sensitive or personal information on the web, yet browsers automatically execute untrusted code served from websites as soon as a user visits the site. Prior to Georgia Tech, Jason graduated from the University of Michigan in 2021 with a Bachelor's in Computer Science. He is an author and presenter of Spook.js, which was published at the 2022 IEEE Symposium on Security and Privacy.
