NetSpectre: A Remote Spectre Attack Without Attacker-Controlled Code on the Victim

Remember our coverage of Spectre? Well researchers at the Graz University of Technology have a working model of how to read arbitrary memory over a network called NetSpectre. NetSpectre attacks have been shown to work over LAN and Google Cloud. The computers being attacked do not need to run attacker-controlled code at all. Luckily, the speed of the attack is currently limited to 60 bits per hour, but better tools might be on the way as researchers and others discover new ways to exploit the weaknesses. Intel was notified of the exploit on March 20th, 2018 and agreed to the disclosure date in July 2018.

Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud. NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all.

 

It was nice of the researchers to wait until after Intel released their financial results.