19.04.2024

Insidious New “NetSpectre” Vulnerability Can Be Exploited Over Network

The “Spectre” family of vulnerabilities, which exploits the speculative execution features of modern processors (Intel, AMD and ARM designs are all affected), was scary enough. Until now, mounting a Spectre attack meant getting attacker-controlled code to run on the victim machine: a local program, carefully crafted JavaScript executed in the victim’s browser, or a file handed to a cloud host that processes it.

This is about to change. Security researchers at Graz University of Technology, among them Daniel Gruss, one of the discoverers of the “Meltdown” vulnerability, have described NetSpectre, a fully network-based variant that lets an attacker read memory on a remote machine without getting any code of their own to run there. Instead, the attack relies on Spectre-style code patterns (“gadgets”) that already exist in the victim’s network-facing software.

NetSpectre derives bits and bytes of the remote machine’s memory from differences in how long the victim takes to answer network requests, which in turn depend on what the processor did during speculative execution. As a processor executes code, it predicts which way a branch will go and starts executing that path ahead of time, storing the results provisionally; if the prediction turns out to be wrong, the results are discarded, but side effects such as a freshly loaded cache line remain.

A correct guess is rewarded with tangible performance benefits, while a wrong guess costs a pipeline flush and a restart from the right path. By precisely measuring how long the victim takes to respond in either case, and thereby observing what the discarded speculative work left behind in the cache, the attacker can infer the contents of memory that the code was never architecturally allowed to read.
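To make the gadget pattern concrete, here is an added example, written for this page and not code from the Graz researchers or from Intel, of the two gadgets NetSpectre needs inside a hypothetical packet handler, next to the two standard fixes: a speculation barrier after the bounds check (what Intel’s guidance means by a “speculation stopping barrier”) and branch-free index masking in the style of the Linux kernel’s array_index_nospec(). The arrays, lengths, the `flag` variable and the assumption that secret data sits past the end of `bitstream` are all constructed for the illustration; the code shows the pattern and its repair, it does not mount an attack.

```c
/* Added example (not the Graz researchers' code): the two-gadget pattern
 * NetSpectre relies on, written as a hypothetical packet handler, next to
 * two hardened variants. Names, sizes and the memory layout are assumptions
 * made for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Architecturally reachable data, followed (in this constructed scenario)
 * by data the handler must never reveal. The bounds check is against a
 * volatile length so the compiler emits a real, predictable branch. */
static uint8_t bitstream[8] = {0, 1, 1, 0, 1, 0, 0, 1};   /* constructed public bits */
static uint8_t secret[8]    = {1, 0, 1, 1, 0, 0, 1, 0};   /* constructed secret; layout is an assumption */
static volatile size_t bitstream_len = sizeof bitstream;
static volatile int flag = 0;

/* Leak gadget: x arrives in a packet. If the branch predictor has been
 * trained to expect x < bitstream_len, an out-of-range x is read
 * speculatively; a set bit then loads `flag`, and that cache fill
 * survives when the speculation is squashed. */
void leak_gadget(size_t x)
{
    if (x < bitstream_len) {
        if (bitstream[x])
            flag = 1;
    }
}

/* Transmit gadget: a request whose service time depends on whether the
 * cache line holding `flag` is present. The attacker times this request
 * over the network. */
int transmit_gadget(void)
{
    return flag ? 1 : 0;
}

/* Hardened variant A: a speculation barrier right after the bounds check.
 * LFENCE is x86-only; elsewhere this degrades to a compiler barrier so the
 * example still builds (assumption: other ISAs supply their own barrier). */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

void leak_gadget_barrier(size_t x)
{
    if (x < bitstream_len) {
        speculation_barrier();
        if (bitstream[x])
            flag = 1;
    }
}

/* Hardened variant B: branch-free index masking in the style of the Linux
 * kernel's array_index_nospec(). Returns all-ones when x < len and zero
 * otherwise, with no branch for the predictor to get wrong, so even a
 * mispredicted path reads index 0 instead of the secret. Requires
 * len <= SIZE_MAX / 2. */
static inline size_t index_mask_nospec(size_t x, size_t len)
{
    __asm__("" : "+r"(x));   /* keep the compiler from reasoning about x */
    size_t top = (x | (len - 1 - x)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return top - 1;          /* top == 0 -> SIZE_MAX, top == 1 -> 0 */
}

size_t masked_index(size_t x)
{
    return x & index_mask_nospec(x, bitstream_len);
}

void leak_gadget_masked(size_t x)
{
    if (x < bitstream_len) {
        x = masked_index(x);
        if (bitstream[x])
            flag = 1;
    }
}

void clear_flag(void) { flag = 0; }

int main(void)
{
    (void)secret;
    printf("mask(3, 8) = %zx\n", index_mask_nospec(3, 8));
    printf("mask(8, 8) = %zx\n", index_mask_nospec(8, 8));
    leak_gadget_masked(1);
    printf("flag after in-range bit 1: %d\n", transmit_gadget());
    clear_flag();
    leak_gadget_masked(200);
    printf("flag after out-of-range index: %d\n", transmit_gadget());
    return 0;
}
```

Compile with gcc or clang on x86-64; on other architectures the barrier degrades to a compiler barrier. The property to look at is that masked_index() yields 0 for any out-of-range index without a conditional branch, which is why the masked variant is safe even when the bounds-check branch is mispredicted.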


It is a slow and tedious process, though, and the attacker uses the victim machine’s own inconspicuous network-facing applications both to trigger the speculation and to take the measurements. It takes roughly 100,000 measurements to derive the value of a single bit, and about 30 minutes on average to derive one byte. If the code uses the AVX2 unit instead (the attacker then measures how long the processor takes to power that unit up again after it has been idle, in response to load from the networked application), a byte takes about 8 minutes. At that rate, reading 1 MB would take about 15 years; but if all the attacker needs is a cryptographic key a few dozen bytes long, and knows exactly where to look for it, the attack can finish in a practical amount of time.
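The figures above come down to signal averaging: the latency difference caused by a single cached line is tiny next to network jitter, so each bit has to be measured many times. The following simulation is an added example, not code from the paper or from this article. It models each remote timing as a fixed round trip, plus a small extra delay when the leaked bit is 1, plus large uniform jitter, and shows how many timings the attacker must average before the difference stands out. BASE, SIGNAL and NOISE_AMP are assumed values chosen for the illustration, not measured numbers.

```c
/* Added example (not from the NetSpectre paper): a constructed model of why
 * a remote attacker needs on the order of 1e5 timings per bit. Each
 * simulated round trip is BASE + (secret bit ? SIGNAL : 0) + uniform noise.
 * BASE, SIGNAL and NOISE_AMP are assumptions chosen for the illustration. */
#include <stdint.h>
#include <stdio.h>

#define BASE      50000.0   /* assumed round-trip time, in cycles */
#define SIGNAL       20.0   /* assumed latency difference caused by one cached line */
#define NOISE_AMP   800.0   /* assumed jitter: uniform in [-NOISE_AMP, +NOISE_AMP] */

/* Deterministic xorshift64 so the simulation is reproducible. */
static uint64_t rng_state = 1;

static uint64_t xorshift64(void)
{
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return rng_state = x;
}

static void rng_seed(uint64_t seed)
{
    rng_state = seed ? seed : 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < 16; i++)
        xorshift64();   /* warm up so small seeds do not bias the first draws */
}

static double uniform_noise(double amp)
{
    double u = (double)(xorshift64() >> 11) / 9007199254740992.0;   /* [0, 1) */
    return (2.0 * u - 1.0) * amp;
}

/* One simulated timing of the transmit gadget after the leak gadget ran
 * against an index holding the given secret bit. */
static double measure_once(int bit)
{
    return BASE + (bit ? SIGNAL : 0.0) + uniform_noise(NOISE_AMP);
}

static double mean_latency(int bit, long n)
{
    double sum = 0.0;
    for (long i = 0; i < n; i++)
        sum += measure_once(bit);
    return sum / (double)n;
}

/* The attacker's per-bit procedure: average n timings for a reference
 * index known to hold a 0 bit, average n timings for the secret index,
 * and decide by comparing the difference with half the expected signal. */
int recover_bit(int secret_bit, long n, uint64_t seed)
{
    rng_seed(seed);
    double baseline = mean_latency(0, n);
    double sample   = mean_latency(secret_bit, n);
    return (sample - baseline) > SIGNAL / 2.0;
}

/* Fraction of wrong decisions over `trials` runs at n timings per average. */
double error_rate(long n, int trials)
{
    int wrong = 0;
    for (int i = 0; i < trials; i++) {
        int bit = i & 1;
        if (recover_bit(bit, n, 1000 + (uint64_t)i) != bit)
            wrong++;
    }
    return (double)wrong / trials;
}

/* Timings per average needed so that k standard deviations of the
 * difference of two averaged noise terms fit under SIGNAL/2. For noise
 * uniform on [-a, a]: var(one sample) = a^2/3, var(difference of two
 * n-sample means) = 2a^2/(3n), hence n >= 8 k^2 a^2 / (3 signal^2). */
long samples_needed(double amp, double signal, double k)
{
    double n = 8.0 * k * k * amp * amp / (3.0 * signal * signal);
    long   r = (long)n;
    return (double)r < n ? r + 1 : r;   /* ceiling without <math.h> */
}

int main(void)
{
    printf("timings per average for a 5-sigma decision: %ld\n",
           samples_needed(NOISE_AMP, SIGNAL, 5.0));
    printf("error rate with 10 timings:     %.2f\n", error_rate(10, 200));
    printf("error rate with 100000 timings: %.2f\n", error_rate(100000, 20));
    return 0;
}
```

With the assumed jitter of plus or minus 800 cycles and a 20-cycle signal, samples_needed() lands just above 100,000 per average, which is the order of magnitude the researchers report; with ten timings the decision is close to a coin flip, with a hundred thousand it is reliable. Real networks have heavier-tailed jitter than this uniform model, which only pushes the count up.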

Intel downplayed NetSpectre. In a statement, the company said:

NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.
