NetSpectre: A Remote Spectre Attack Without Attacker-Controlled Code on the Victim

cageymaru

Remember our coverage of Spectre? Well, researchers at the Graz University of Technology have a working model of how to read arbitrary memory over a network, called NetSpectre. NetSpectre attacks have been shown to work over LAN and Google Cloud. The computers being attacked do not need to run attacker-controlled code at all. Luckily, the speed of the attack is currently limited to 60 bits per hour, but better tools might be on the way as researchers and others discover new ways to exploit the weaknesses. Intel was notified of the exploit on March 20th, 2018 and agreed to the disclosure date in July 2018.

Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud. NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all.
 
It was nice of the researchers to wait until after Intel released their financial results.
 
Based on my understanding of that paper the attacker still needs access to the machine.

All they did was show that you can figure out what is a cache hit/miss using network latency as well.
 
It was nice of the researchers to wait until after Intel released their financial results.


Or... maybe they were playing it smart. Let Intel release their results, stocks go up. They then short Intel... and release this news...

;)
 
Based on my understanding of that paper the attacker still needs access to the machine.

All they did was show that you can figure out what is a cache hit/miss using network latency as well.
Just network access; they use gadgets inside the OS network layer to help them target a specific bit in memory. Then using statistical analysis of network latency they can determine cache hit/miss, which is how bits are leaked via Spectre. Very clever and more than enough bits/day to steal encryption keys and such.
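The reply above explains that the leaked bit is recovered by statistical analysis of network latency rather than from any single measurement. The following simulation is an added illustration, not code from the thread or from the NetSpectre paper, and all of its numbers (a 3 µs hit/miss difference buried in 50 µs of jitter) are constructed assumptions, not the paper's measurements. It shows two things a defender cares about: why one round trip reveals essentially nothing, so the channel needs thousands of samples per bit (which is what keeps the rate in the bits-per-hour range), and why adding more latency noise only raises that cost quadratically instead of closing the channel.

```python
import math
import random
import statistics

# Constructed model parameters (assumptions, not measurements from the paper):
# a cache hit makes the victim's reply a few microseconds faster than a miss,
# while network jitter is an order of magnitude larger than that difference.
HIT_MEAN_US = 100.0
MISS_MEAN_US = 103.0   # miss replies 3 us slower than hit replies
JITTER_SD_US = 50.0    # standard deviation of the constructed network noise


def sample_latency(cache_hit, rng, jitter_sd=JITTER_SD_US):
    """One simulated round-trip time in microseconds for a hit or a miss."""
    mean = HIT_MEAN_US if cache_hit else MISS_MEAN_US
    return rng.gauss(mean, jitter_sd)


def mean_latency(cache_hit, n, rng, jitter_sd=JITTER_SD_US):
    """Average of n simulated round trips; averaging shrinks the noise by sqrt(n)."""
    return statistics.fmean(sample_latency(cache_hit, rng, jitter_sd) for _ in range(n))


def classify(n, seed=1, jitter_sd=JITTER_SD_US, trials=200):
    """Fraction of trials in which averaging n samples per class correctly
    tells hit from miss (guess: the lower mean latency is the hit)."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    correct = 0
    for _ in range(trials):
        if mean_latency(True, n, rng, jitter_sd) < mean_latency(False, n, rng, jitter_sd):
            correct += 1
    return correct / trials


def samples_needed(delta_us, jitter_sd, z=3.0):
    """Samples per class needed so the difference of two sample means sits z
    standard errors above zero. The standard error of that difference is
    jitter_sd * sqrt(2 / n), so n = 2 * (z * jitter_sd / delta)^2.
    Doubling the jitter quadruples n: noise slows the channel, it does not close it."""
    return math.ceil(2 * (z * jitter_sd / delta_us) ** 2)


if __name__ == "__main__":
    print("1 sample/class, accuracy:", classify(1))        # near 0.5: a coin flip
    print("5000 samples/class, accuracy:", classify(5000))  # close to 1.0
    print("samples needed at 50 us jitter:", samples_needed(3.0, 50.0))
    print("samples needed at 100 us jitter:", samples_needed(3.0, 100.0))
```

With the constructed parameters, a single measurement classifies the bit at roughly coin-flip accuracy, while about 5,000 round trips per class are needed for a confident decision, and doubling the jitter raises that to 20,000. The practical takeaway is the one the rate limit in the article reflects: randomised response latency buys time by multiplying the attacker's measurement count, but only removing the leaking gadget (or the speculative access behind it) removes the signal.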
 