Lowering JavaScript Timer Resolution Thwarts Meltdown and Spectre

Attacks that exploit the computer security vulnerabilities Meltdown and Spectre infer protected information from subtle differences in hardware behavior. It takes less time to access data that has been cached than data that needs to be retrieved from memory, and precisely measuring that time difference is a critical part of these attacks.

Our web browsers present a huge potential attack surface, as JavaScript is ubiquitous on the modern web. Executing JavaScript code will definitely involve the processor cache, and a high-resolution timer is accessible via the browser's performance API.

Web browsers can’t change processor cache behavior, but they can take away malicious code’s ability to exploit it. Browser makers are intentionally degrading the time measurement capability in the API to make attacks more difficult. These changes are being rolled out for Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. Apple has announced Safari updates in the near future that are likely to follow suit.

After these changes, the time stamp returned by performance.now will be less precise due to lower resolution. Some browsers are going a step further and degrading the accuracy by adding random jitter. Other features that can be used to infer data, such as SharedArrayBuffer, will also be degraded or disabled outright.
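
As an added illustration (not from the original article or from any browser's source), the JavaScript below models a timer that rounds readings down to a fixed resolution and optionally applies jitter, then compares what a caller sees through it with what the raw source reports. The 20 µs resolution, the hand-advanced time source and all function names are assumptions made for the example.

```javascript
// Model of a coarsened timer. Times are integer nanoseconds to keep the
// arithmetic exact; performance.now() itself reports milliseconds.
function makeCoarseClock(source, resolutionNs, rand = null) {
  let last = 0;
  return function now() {
    // Round down to the nearest multiple of the resolution.
    let t = Math.floor(source() / resolutionNs) * resolutionNs;
    // Optional jitter: sometimes report the next tick instead.
    if (rand !== null && rand() < 0.5) t += resolutionNs;
    // Keep the clock monotonic even when jitter is applied.
    if (t < last) t = last;
    last = t;
    return t;
  };
}

// Constructed high-resolution source that the caller advances by hand.
function makeFakeSource() {
  let t = 0;
  const source = () => t;
  source.advance = (ns) => { t += ns; };
  return source;
}

// Duration of an operation lasting `durationNs`, as seen through `clock`.
function timeThrough(clock, source, durationNs) {
  const start = clock();
  source.advance(durationNs);
  return clock() - start;
}

// Smallest non-zero step between consecutive readings of `clock`.
function observedStep(clock, source, tickNs, samples) {
  let min = Infinity;
  let prev = clock();
  for (let i = 0; i < samples; i++) {
    source.advance(tickNs);
    const cur = clock();
    if (cur > prev) min = Math.min(min, cur - prev);
    prev = cur;
  }
  return min;
}

const RESOLUTION_NS = 20000; // assumed 20 µs resolution, for illustration only
const src = makeFakeSource();
const coarse = makeCoarseClock(src, RESOLUTION_NS);
console.log(timeThrough(src, src, 50), timeThrough(src, src, 200));       // raw source
console.log(timeThrough(coarse, src, 50), timeThrough(coarse, src, 200)); // coarsened
```

Through the raw source the two operations report different durations; through the coarsened clock both report the same value, which is also why a developer profiling short code paths loses detail.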

These changes will have no impact on the vast majority of users. The performance API is used by developers to debug sluggish code; the actual run speed is unaffected. Other features like SharedArrayBuffer are relatively new and their absence would go largely unnoticed. Unfortunately, web developers will have a harder time tracking down slow code under these changes.

Browser makers are calling this a temporary measure for now, but we won’t be surprised if it becomes permanent. It is a relatively simple change that blunts the immediate impact of Meltdown/Spectre, and it would also mitigate yet-to-be-discovered timing attacks of the future. If browser makers offer a “debug mode” to restore high precision timers, developers could activate it just for their performance tuning work and everyone should be happy.

This is just one part of the shock wave Meltdown/Spectre has sent through the computer industry. We have broader coverage of the issue here.

Programmable Christmas Tree is a JavaScript Interpreter

Here at Hackaday, we find Christmas time very exciting because it means an influx of holiday-themed hacks that really help us get into the festive mood. [Andrew]’s programmable Christmas tree hosted at HackMyXmas is certainly one of our favorites. The project consists of 500 RGB LEDs wrapped around a typical Christmas tree and controlled by a Teensy. However, not settling for the typical, simple and cyclical pattern for the LEDs, [Andrew] decided the tree had to be programmable, of course! So, a single board computer (a C.H.I.P) running Linux was used to provide a WiFi connection and a web server to easily program the tree.

This is where things get very interesting. The C.H.I.P board hosts a comprehensive website that conveniently gives you the option to program the LEDs using either Scratch-like draggable blocks (using Google’s Blockly) or even pure JavaScript. Once the perfect pattern is conceived, you can test run it on the online simulator or even send it straight off to the tree, watching it blink in all its glory on the provided live stream.

We applaud [Andrew]’s mammoth effort for invoking programming in such a fun way! You can check out the live stream of [Andrew]’s Christmas tree below.


Arduino Saves Gameboy Camera

[Brian Khuu] bought a few Gameboy cameras on the Internet and found that they still had pictures on them from a previous owner. The memory in the camera has a backup battery and if that battery dies, the pictures are history. [Brian] bravely decided to extract the pictures to a PC. He knew the protocol for how the Gameboy talked to the companion pocket printer was available, so he used an Arduino and a Web browser to extract the photos. The resulting code is on GitHub if you want to save your pictures.

Although [Brian] didn’t have to crack the protocol, he does offer a good explanation of it. There are even some sniffed displays. The Arduino does all the communications and fools the game into thinking it is the companion printer. However, it simply streams the data out and a JavaScript decoder handles the actual decoding. In fact, in the blog post, you can enter data, click a button, and see the resulting Gameboy picture.


Mechanical Build Lets You Jump Cacti in Real Life

Simple to learn, hard to master, a lifetime to kick the habit. This applies to a lot of computer games, but the T-rex Runner game for Chrome and its various online versions are particularly insidious. So much so that the game drove one couple to build a real-world version of the digital game.

For those not familiar with the game, it’s a simple side-scroller where the goal is to jump and duck a running dinosaur over and under obstacles — think Flappy Birds, but faster paced. When deciding on a weekend hackathon project, [Uri] thought a real-life version of the game would be a natural fit, since he was already a fan of the digital version. With his girlfriend [Ariella] on the team, [Uri] was able to come up with a minimally playable version of the game, with a stepper motor providing the dino jumps and a simple straight conveyor moving the obstacles. People enjoyed it enough that version 2.0 was planned for the Chrome Developer Summit. This version was much more playable, with an oval track for the obstacles and better scorekeeping. [Uri] and [Ariella] had to expand their skills to complete the build — PCB design, E-Paper displays, laser cutting, and even metal casting were all required. The video below shows the final version — but where are the pterosaurs to duck?

Real-world jumping dinos aren’t the first physical manifestation of a digital game. As in the cyber world, Pong was first — either as an arcade version or a supersized outdoor game.


NodeConf EU Hackable Badge

During conferences, a name-tag is one of the first things people look at when bumping into others – mentally trying to keep track of faces and names. But gone are the days when your name tag was a post-it stuck on your arm. Over the years, conference badges have become increasingly interesting and complex. Hackable electronic badges are becoming the norm, and not just at hardware cons. For the recently concluded NodeConfEU conference in Ireland, [Gordon Williams], of Espruino fame, designed a JavaScript-centric hackable badge.

NodeConf EU is the key Node.js event in Europe, providing a forum for the Node.js community. So when they brain-stormed ideas for a conference badge, they obviously gravitated towards a design that could run JS. [Gordon]’s Puck.js fit the requirements perfectly, and he was tasked with creating a new design based on the Puck.js. The feature list included Bluetooth Low Energy, low power consumption so it could run off a CR2032 battery, a high contrast LCD, some buttons, NFC, and a prototyping area – all packaged in a beautiful hexagonal shaped PCB (obviously) to resemble the Node.js logo. The badges were programmed with attendee names, but the fun, juicy part could be accessed by pressing buttons in the Konami code sequence.

Easy to follow, detailed documentation helped hackers quickly get started with code examples. They were also presented with several challenges to work through, allowing them to get familiar with the badge. Hacked badges were entered for a Grand Challenge with a chance to win a free ticket to next year’s conference. The badge hardware and firmware are open source and source files are hosted in a GitHub repository. Check out a short overview of the badge in the video after the break.

Thanks to [Conor] from nearForm for letting us know about this awesome badge.


Have Some Candy While I Steal Your Cycles

Distributed computing is an excellent idea. We have a huge network of computers, many of them always on, why not take advantage of that when the user isn’t? The application that probably comes to mind is Folding@home, which lets you donate your unused computer time to help crunch the numbers for disease research. Everyone wins!

But what if your CPU cycles are being used for profit without your knowledge? Over the weekend this turned out to be the case with Showtime on-demand sites, which mined Monero coins while users were pacified by video playback. The video is a sweet treat while the cost of your electric bill is nudged up ever so slightly.

It’s an interesting hack, as even if the user notices the CPU maxing out they’ll likely dismiss it as the horsepower necessary to decode the HD video stream. In this case, both Showtime and the web analytics company whose JavaScript contained the mining software denied responsibility. But earlier this month Pirate Bay was found to be voluntarily testing out in-browser mining as a way to make up for dwindling ad revenue.

This is a clever tactic, but comes perilously close to being malicious when done without the user’s permission or knowledge. We wonder if those ubiquitous warnings about cookie usage will at times include notifications about currency mining on the side? Have you seen or tried out any of this JavaScript mining? Let us know in the comments below.

Friday Hack Chat: JavaScript on Microcontrollers

Microcontrollers today are much more powerful and much more capable than the 8051s from back in the day. Now, they have awesome peripherals and USB device interfaces. It’s about time a slightly more modern language was used to program these little chips.

During this Friday’s Hack Chat, we’re going to be talking about JavaScript on microcontrollers. [Gordon Williams] will be joining us to talk about Espruino. This is a tiny JavaScript interpreter that runs on the little embedded chips, has a debug interface, and allows you to program your board on any platform without any external programming hardware.

[Gordon] is the key developer of Espruino, and so far he’s launched a full-sized Espruino, and a pico Espruino on Kickstarter, both with amazing success. The software stack has been extremely popular as well — it’s been ported to the ESP8266 and dozens of other microcontrollers that will soon be in the Internet of Things.

During the Hack Chat, we’ll be discussing interpreted languages on microcontrollers, interpreter design and optimization, with a special emphasis on creating devices with Espruino and putting Espruino boards on the Internet with WiFi, Bluetooth, and other crazy radios. As always, we have a spreadsheet open to everyone if you’d like to ask a question.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. Hack Chats are mostly, usually, and this week noon, Pacific time on Friday. Here’s a time and date converter!

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.