After the recent SpectreRSB attack on Intel, AMD, and ARM CPUs, a group of security researchers have found a new Spectre variant in town codenamed NetSpectre. They have recorded this latest Spectre in their paper, “NetSpectre:Read arbitrary memory over Network”
As per the researchers, the specialty of NetSpectre is, it can be launched over the network without requiring the attacker to host the code on a targeted machine. This new Spectre attack is a new remote side-channel attack, which is related to Spectre variant 1.
We present NetSpectre: A remote Spectre attack without attacker-controlled code on the victim, and the first Spectre attack which works without the cache as covert channel. https://t.co/qEJ2YMROAh /cc @lavados @mlqxyz pic.twitter.com/5T1VzZDvOJ
— Michael Schwarz (@misc0110) July 26, 2018
What does NetSpectre attack do?
The new Spectre attack exploits speculative execution to perform bounds-check bypass and can be further used to destroy address-space layout randomization on the remote system.
This issue further allows the attacker to write and execute malicious code that extracts data from the previously secured CPU memory. This memory could include sensitive information such as passwords, cryptographic keys, and much more.
The researchers have demonstrated the NetSpectre attack using the AVX-based covert channel. This approach allowed them to capture data at a speed of 60 bits per hour from the target system. Researchers said, “Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.”
The remote attacker need to simply send a series of request packets to the target machine and measure the response time to leak a secret value from the machine’s memory.
Researchers said, “We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud.”
How to be safe?
If one has updated their code and applications to mitigate previous Spectre exploits they do not have to worry about the ‘NetSpectre’ attack.
Researchers have mentioned state-of-the-art and network-layer countermeasures for NetSpectre in their paper. However, they state, “as attackers can adapt and improve attacks, it is not safe to assume that noise levels and monitoring thresholds chosen now will still be valid in the near future.”
Also recently, Intel paid $100,000 bug bounty to a team of researchers to find and report new processor vulnerabilities. These newfound Spectre variants were also related to Spectre variant 1.
Following this, Intel has included information related to the NetSpectre attack in its updated white paper, ‘Analyzing potential bounds check bypass vulnerabilities’
Read more about the NetSpectre attack in the whitepaper.
SpectreRSB targets CPU return stack buffer, found on Intel, AMD, and ARM chipsets
Intel’s Spectre variant 4 patch impacts CPU performance