
A new attack was revealed in a document titled NetSpectre: Read Arbitrary Memory over Network (PDF warning). I've seen a few non-technical writeups about the fact that it's a pretty slow attack:

The biggest [downside] is the attack's woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU's cache.

Academics achieved higher exfiltration speeds —of up to 60 bits/hour— with a variation of NetSpectre that targeted data processed via a CPU's AVX2 module, specific to Intel CPUs.

Bleeping Computer

It seems to be using the same flaw as the original Spectre:

Dubbed "NetSpectre," the new remote side-channel attack, which is related to Spectre variant 1, abuses speculative execution to perform bounds-check bypass and can be used to defeat address-space layout randomization on the remote system.

The Hacker News

What is it and how does it work?

isanae

1 Answer


Q: What is it?

A: A generic remote Spectre variant 1 attack.

Q: How does it work?

A: The building blocks of a NetSpectre attack are two NetSpectre gadgets: a leak gadget, and a transmit gadget.

Spectre attacks induce a victim to speculatively perform operations that would not occur during strictly serialized in-order processing of the program’s instructions, and which leak a victim’s confidential information via a covert channel to an attacker. Spectre variant 1 induces speculative execution in the victim by mistraining a conditional branch, e.g., a bounds check.

Although the attack can utilize any Spectre variant, they focus on Spectre variant 1 as it is the most widespread. Moreover, according to Intel, in contrast to Meltdown and Spectre variant 2, variant 1 will not be fixed in hardware for the upcoming CPU generation.

In contrast to local Spectre attacks, the NetSpectre attack is not split into two phases. Instead, the attacker constantly performs operations to mistrain the processor, which will make it constantly run into exploitably erroneous speculative execution. NetSpectre does not mistrain across process boundaries, but instead trains in-place by passing valid and invalid values alternatingly to the exposed interface, e.g., valid and invalid network packets.

For the NetSpectre attack, the attacker requires two Spectre gadgets, which are executed if a network packet is received: a leak gadget, and a transmit gadget. The leak gadget accesses a bit stream at an attacker-controlled index, and changes some microarchitectural state depending on the state of the accessed bit. The transmit gadget performs an arbitrary operation where the runtime depends on the microarchitectural state modified by the leak gadget.

Hidden in a significant amount of noise, the attacker can observe this timing difference in the network packet response time.

schroeder
Angelo Schilling
It might be useful to point out that no NetSpectre [gadgets] have been identified. The vulnerability was only shown to occur with a specially-designed kernel driver that was intentionally made to process data insecurely. That doesn't mean that no gadgets exist, just that, if they do, they are very uncommon. – forest Dec 26 '18 at 00:27
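The two-gadget protocol the answer quotes, as an added example that is not code from the NetSpectre paper or from any real server: the victim's leak, evict and transmit handlers and the attacker's in-place mistraining loop are modelled in C with an explicit "is flag cached" bit, a 2-bit branch predictor for the bounds check and a jittery response time, so the whole exchange runs deterministically offline. The memory layout (secret placed directly after the public bitstream), the gadget shapes, the latency numbers and the threshold calibration against bits of known value are assumptions of the illustration, not measurements from the paper.

```c
/* Simulated NetSpectre leak/transmit gadget pair with the attacker's packet loop.
 * Added example, not code from the paper or any real server: cache, branch predictor
 * and latency are modelled explicitly; layout, gadget shapes and noise are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PUBLIC_BITS  64    /* length of the in-bounds bitstream, in bits */
#define SECRET_BYTES 4     /* secret assumed to sit directly after the bitstream */
#define SAMPLES      128   /* response times averaged per leaked bit */
#define HIT_NS       100   /* modelled transmit latency when `flag` is cached */
#define MISS_NS      140   /* modelled latency when `flag` must come from DRAM */

static uint8_t victim_mem[PUBLIC_BITS / 8 + SECRET_BYTES]; /* bitstream, then secret */
static const uint32_t bitstream_len = PUBLIC_BITS;
static int flag_cached;    /* modelled cache state: 1 while `flag` is cached */
static int bp_counter;     /* modelled 2-bit saturating predictor for the bounds check */
static uint64_t rng_state; /* splitmix64 state, fixed seed for reproducible jitter */

static uint64_t rng_next(void) {
    uint64_t z = (rng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static int mem_bit(uint32_t x) {               /* bit x of the simulated victim memory */
    if (x >= sizeof victim_mem * 8) return 0;  /* keeps the simulation itself in bounds */
    return (victim_mem[x / 8] >> (x % 8)) & 1;
}

/* Leak gadget:  if (x < bitstream_len && bitstream[x]) flag = 1;
 * The bounds check is predicted. On a mispredicted out-of-bounds x the load and the
 * touch of `flag` still run speculatively and change the cache before being squashed. */
static void leak_gadget(uint32_t x) {
    int in_bounds = x < bitstream_len;
    if (bp_counter >= 2 && mem_bit(x)) flag_cached = 1;   /* speculative side effect */
    if (in_bounds) { if (bp_counter < 3) bp_counter++; }  /* branch resolves, predictor learns */
    else           { if (bp_counter > 0) bp_counter--; }
}

/* Evict gadget: a request whose ordinary work thrashes the cache and pushes `flag` out. */
static void evict_gadget(void) { flag_cached = 0; }

/* Transmit gadget:  if (flag) ...  The reply is slower when `flag` misses in the cache.
 * Returns the modelled response time in ns, with +-50 ns of network jitter added. */
static int transmit_gadget(void) {
    int latency = (flag_cached ? HIT_NS : MISS_NS) + (int)(rng_next() % 101) - 50;
    flag_cached = 1;   /* the access itself pulls `flag` back into the cache */
    return latency;
}

/* Attacker: one measurement of bit x. Train the bounds check in place with valid
 * packets, evict `flag`, send the out-of-bounds index, then time the transmit packet. */
static int measure(uint32_t x, uint32_t train_idx) {
    for (int i = 0; i < 4; i++) leak_gadget(train_idx);  /* valid indices: predictor -> in bounds */
    evict_gadget();
    leak_gadget(x);                                       /* invalid index: speculative leak */
    return transmit_gadget();
}

static double mean_latency(uint32_t x, uint32_t train_idx) {
    long sum = 0;
    for (int i = 0; i < SAMPLES; i++) sum += measure(x, train_idx);
    return (double)sum / SAMPLES;
}

/* Recover nbits bits starting at bit offset `first` of victim memory.
 * train_idx: a valid index whose bit is 0, so training never caches `flag`.
 * zero_idx/one_idx: valid indices of known value, used to calibrate the threshold. */
static void netspectre_read(uint32_t first, int nbits, uint32_t train_idx,
                            uint32_t zero_idx, uint32_t one_idx, uint8_t *out) {
    double thr = (mean_latency(zero_idx, train_idx) + mean_latency(one_idx, train_idx)) / 2;
    memset(out, 0, (nbits + 7) / 8);
    for (int b = 0; b < nbits; b++)
        if (mean_latency(first + b, train_idx) < thr)     /* fast reply: flag cached: bit 1 */
            out[b / 8] |= (uint8_t)(1 << (b % 8));
}

/* Plant a constructed secret after the bitstream and leak it; returns 1 on exact recovery. */
int demo(uint8_t *recovered) {
    const uint8_t secret[SECRET_BYTES] = { 0xDE, 0xAD, 0xBE, 0xEF };   /* constructed value */
    memset(victim_mem, 0, sizeof victim_mem);
    victim_mem[0] = 0x01;   /* public bitstream: bit 0 is 1, every other bit is 0 */
    memcpy(victim_mem + PUBLIC_BITS / 8, secret, SECRET_BYTES);
    flag_cached = 0; bp_counter = 0; rng_state = 0x9E3779B97F4A7C15ULL;
    netspectre_read(PUBLIC_BITS, SECRET_BYTES * 8, /*train*/ 1, /*zero*/ 1, /*one*/ 0, recovered);
    return memcmp(recovered, secret, SECRET_BYTES) == 0;
}

int demo_matches(void) { uint8_t out[SECRET_BYTES]; return demo(out); }

int main(void) {
    uint8_t out[SECRET_BYTES];
    int ok = demo(out);
    printf("recovered %02x%02x%02x%02x (%s)\n", out[0], out[1], out[2], out[3], ok ? "match" : "MISMATCH");
    return ok ? 0 : 1;
}
```

Build with any C99 compiler (for instance `cc -std=c99 -o netspectre_sim netspectre_sim.c`, file name assumed) and run it. The point worth seeing is in `measure` and `mean_latency`: every probe of one secret bit is preceded by valid packets that keep the predictor saying "in bounds", and a single response time is useless because the modelled jitter (plus or minus 50 ns) is larger than the 40 ns cache-hit/miss gap; only averaging `SAMPLES` responses per bit separates the two cases. Setting `SAMPLES` to 1 makes the recovery fail, which is the noise-versus-bit-rate trade-off behind the "15 bits per hour" figure the question quotes.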