NetSpectre Slow and Remote Vulnerability

NetSpectre Paper

We just saw the disclosure of CVE-2017-575, dubbed “NetSpectre”. Although many side channel attacks have been shown over the past few quarters, this one is fundamentally different. Instead of requiring malicious code to run directly on the host system, the attack is carried out remotely over the network, adding a new level of security danger.

About NetSpectre

Researchers from the Graz Institute of Technology published a paper called “NetSpectre: Read Arbitrary Memory over Network” that you can access here. From the paper:

In this paper, we present NetSpectre, a new attack based on Spectre variant 1, requiring no attacker-controlled code on the target device, thus affecting billions of devices. Similar to a local Spectre attack, our remote attack requires the presence of a Spectre gadget in the code of the target. We show that systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing to read arbitrary memory over the network. The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.

(Source: here)

This is a big deal. While many systems are perceived as safe from Spectre because they do not run JavaScript or other untrusted code, a network-based attack changes this: an attacker can target any system reachable over the network without first gaining local access to it.
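The “Spectre gadget in an exposed network interface or API” that the paper requires is the familiar Spectre variant 1 pattern: a bounds check followed by a dependent load. The added example below (not code from the paper or from this article) shows that pattern in a request handler beside a hardened version that clamps the index with a branch-free mask, the same idea as the Linux kernel’s array_index_nospec(). The buffers, values and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small buffer a request handler is allowed to serve.
 * Any index >= PUBLIC_LEN would reach neighbouring memory the handler must not expose. */
#define PUBLIC_LEN 16
static uint8_t public_buf[PUBLIC_LEN];

/* 256 cache-line-sized slots: the kind of shared structure whose access pattern a
 * timing attacker observes. Slot k is filled with the value k so results are easy to check. */
#define LINE 64
static uint8_t probe[256 * LINE];

/* Fill the constructed sample data; returns PUBLIC_LEN so callers can confirm setup ran. */
int setup_sample(void) {
    for (int i = 0; i < PUBLIC_LEN; i++) public_buf[i] = (uint8_t)('A' + i);
    for (int i = 0; i < 256; i++) probe[i * LINE] = (uint8_t)i;
    return PUBLIC_LEN;
}

/* VULNERABLE pattern: the classic Spectre variant 1 gadget. Architecturally the bounds
 * check is correct, so this returns 0 for any index >= PUBLIC_LEN. While the branch is
 * still unresolved, however, the CPU may speculatively execute both loads with an
 * out-of-bounds index, and the address of the second load (value * LINE) leaves a
 * microarchitectural trace that response-time measurements can recover. */
int handler_vulnerable(size_t index) {
    if (index < PUBLIC_LEN) {
        uint8_t value = public_buf[index];
        return probe[(size_t)value * LINE];
    }
    return 0;
}

/* Branch-free index clamp in the style of the Linux kernel's array_index_nospec():
 * returns index when index < size and 0 otherwise, using arithmetic only, so the
 * clamp also holds on a misspeculated path where the branch outcome was guessed wrong. */
static inline size_t index_nospec(size_t index, size_t size) {
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(index)); /* stop the compiler from folding the mask away */
#endif
    /* index | (size - 1 - index) has its top bit clear only when 0 <= index < size.
     * Inverting and arithmetic-shifting that turns it into an all-ones / all-zeros mask. */
    size_t mask = (size_t)(~(intptr_t)(index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1));
    return index & mask;
}

/* HARDENED form: identical architectural behaviour, but the index that reaches the
 * load is masked, so even a speculative out-of-bounds access is redirected to index 0. */
int handler_hardened(size_t index) {
    if (index < PUBLIC_LEN) {
        index = index_nospec(index, PUBLIC_LEN);
        uint8_t value = public_buf[index];
        return probe[(size_t)value * LINE];
    }
    return 0;
}

int main(void) {
    setup_sample();
    printf("in-bounds  index 3:   vulnerable=%d hardened=%d\n",
           handler_vulnerable(3), handler_hardened(3));
    printf("out-of-bounds index 100: vulnerable=%d hardened=%d\n",
           handler_vulnerable(100), handler_hardened(100));
    return 0;
}
```

Both handlers return the same values architecturally; the difference is only what the CPU may do speculatively. Masking is one of two standard mitigations for this gadget, the other being a speculation barrier (an lfence on x86) placed after the bounds check, which is simpler but costlier on hot paths.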

NetSpectre also does not have to rely on the cache as the side channel for the branch prediction attack. Instead, it can use an AVX-based side channel to achieve higher attack rates.

NetSpectre Good News: It is Slow

On the upside, NetSpectre is not what one would call fast. The standard attack rate yields about 15 bits of memory read per hour. The researchers also have a higher-performance AVX attack that quadruples this to about 60 bits per hour. At either rate, reading a large region of memory address space will still take a very long time.

Final Words

NetSpectre is scary. Once a paper like this is released, a host of security researchers will attempt to increase the speed of the attack, potentially making it far more practical. Given that no physical access to the machine is needed, this is nothing short of alarming in the server space.

We want to applaud the team behind NetSpectre for practicing responsible disclosure. The team notified Intel on March 20, 2018, and agreed to a late July 2018 release date. This is much better than what we noted in New Bizarre AMD EPYC and Ryzen Vulnerability Disclosure, which was not responsible disclosure. Great job, team from Graz.

2 COMMENTS

  1. Even though these threats are all the rage these days I think there is a lot more hype to it, the attacks probably haven’t really been attempted outside of an academic context. From my experience, there is usually an easier way in – complacent or hamstrung IT departments that can’t or won’t apply patches, snowflakes abound in infrastructure running on outdated software, employees opening any e-mail attachment and clicking any link, reliance on outdated software that is perceived as “stable”.

    These CPU bugs are headline-grabbing, but I wouldn’t say that for most the threat landscape hasn’t really changed given that many don’t get the basics right.
