NetSpectre: A Remote Spectre Attack Without Attacker-Controlled Code on the Victim

Discussion in 'HardForum Tech News' started by cageymaru, Jul 26, 2018.

  1. cageymaru [H]ard as it Gets
    Remember our coverage of Spectre? Well, researchers at the Graz University of Technology have a working model, called NetSpectre, of how to read arbitrary memory over a network. NetSpectre attacks have been shown to work over LAN and Google Cloud. The computers being attacked do not need to run attacker-controlled code at all. Luckily, the speed of the attack is currently limited to 60 bits per hour, but better tools might be on the way as researchers and others discover new ways to exploit the weaknesses. Intel was notified of the exploit on March 20th, 2018 and agreed to the disclosure date in July 2018.

    Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud. NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all.
     
  2. cageymaru [H]ard as it Gets
    It was nice of the researchers to wait until after Intel released their financial results.
     
  3. alxlwson You Know Where I Live
  4. thecold Limp Gawd
    Woohoo, 525 kb per year.
     
  5. viper1152012 [H]ard|Gawd
    *wraps tinfoil around modem*

    Well, back to this paranoia.
     
  6. alxlwson You Know Where I Live

    65.7KB
     
  7. Nobu 2[H]4U
    ~66 KB (525960 b / 8 b/B = 65745 B; 65745 B / 1000 B/KB ≈ 66 KB)
    Or 64 KiB
     
  8. alxlwson You Know Where I Live
    Yes, forgot my decimal point.
     
  9. Banko Gawd
    Based on my understanding of that paper the attacker still needs access to the machine.

    All they did was show that you can figure out what is a cache hit/miss using network latency as well.
     
  10. katanaD [H]ard|Gawd

    Or... maybe they were playing it smart. Let Intel release their results, stocks go up. They then short Intel... and release this news...

    ;)
     
  11. PaulP Gawd
    Just network access; they use gadgets inside the OS network layer to help them target a specific bit in memory. Then using statistical analysis of network latency they can determine cache hit/miss, which is how bits are leaked via Spectre. Very clever and more than enough bits/day to steal encryption keys and such.
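The mechanism the quoted abstract and PaulP's post describe, a cache hit/miss difference of well under a microsecond buried in network jitter and recovered per bit by averaging many round trips, as an added Python simulation. This is illustrative code written for this thread, not the researchers' code or anything from the paper; the latency figures (500 µs base, 0.5 µs miss penalty, 10 µs jitter) and the calibration step against a known-0 and a known-1 location are assumptions chosen for the demo.

```python
"""Simulated statistical recovery of one bit from noisy remote latency.

Constructed illustration only: the latency model and every number here are
assumptions chosen for the demo, not measurements from the NetSpectre paper."""
import random
import statistics

# Assumed latency model, in microseconds. The cache hit/miss difference the
# transmit gadget exposes is tiny next to per-packet network jitter, which is
# why many round trips must be averaged for every single leaked bit.
BASE_LATENCY_US = 500.0
CACHE_MISS_PENALTY_US = 0.5   # assumed extra latency when the transmit gadget misses
JITTER_SIGMA_US = 10.0        # assumed standard deviation of the network noise


def measure_round_trip(secret_bit, rng):
    """One attacker round trip (assumed model): if the leaked bit is 1 the leak
    gadget has speculatively pulled the line into cache, so the transmit gadget
    hits; a 0 leaves it uncached and the response arrives slightly later."""
    latency = BASE_LATENCY_US + rng.gauss(0.0, JITTER_SIGMA_US)
    if secret_bit == 0:
        latency += CACHE_MISS_PENALTY_US
    return latency


def mean_latency(secret_bit, n_samples, rng):
    """Average n_samples round trips; the jitter shrinks by sqrt(n_samples)."""
    return statistics.fmean(measure_round_trip(secret_bit, rng) for _ in range(n_samples))


def calibrate(n_samples, rng):
    """Place the decision threshold midway between the mean latency for a location
    known to hold a 0 and one known to hold a 1 (demo assumption for calibration)."""
    return (mean_latency(0, n_samples, rng) + mean_latency(1, n_samples, rng)) / 2.0


def recover_bit(secret_bit, n_samples, threshold, rng):
    """Decide the bit: a mean below the threshold means cache hit, i.e. bit 1."""
    return 1 if mean_latency(secret_bit, n_samples, rng) < threshold else 0


def recover_byte(secret_byte, n_samples, threshold, rng):
    """Leak a byte LSB-first, one bit at a time."""
    bits = [recover_bit((secret_byte >> i) & 1, n_samples, threshold, rng) for i in range(8)]
    return sum(b << i for i, b in enumerate(bits))


def bit_error_rate(n_samples, trials, seed=1):
    """Fraction of wrong bit decisions for a sample budget (alternating 0/1 secrets)."""
    rng = random.Random(seed)
    threshold = calibrate(n_samples, rng)
    errors = sum(recover_bit(t & 1, n_samples, threshold, rng) != (t & 1) for t in range(trials))
    return errors / trials


def samples_needed(z=4.0):
    """Round trips per bit so the decision margin (half the hit/miss gap) is z
    standard errors of the averaged jitter; ignores calibration noise."""
    return int((2.0 * z * JITTER_SIGMA_US / CACHE_MISS_PENALTY_US) ** 2)


def demo(n_samples, secret_byte=0xA5, seed=7):
    """Calibrate, then leak one byte with the given sample budget; returns the byte."""
    rng = random.Random(seed)
    threshold = calibrate(n_samples, rng)
    return recover_byte(secret_byte, n_samples, threshold, rng)


if __name__ == "__main__":
    n = samples_needed()
    print("samples per bit for a 4-sigma margin:", n)
    print("recovered byte with that budget:", hex(demo(n)))
    print("bit error rate with only 100 samples per bit:", bit_error_rate(100, 200))
```

The point to take from the simulation is the scaling: the number of round trips per bit grows with (jitter / hit-miss gap)^2, so a sub-microsecond cache effect behind tens of microseconds of network noise costs tens of thousands of requests per bit, which is the kind of budget that turns into a figure like 60 bits per hour. The simulation only models the measurement statistics; steering the victim's leak and transmit gadgets with real requests, which is the part the paper contributes, is not represented here.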