Nytro

NetSpectre: Read Arbitrary Memory over Network


Michael Schwarz

Graz University of Technology

Martin Schwarzl

Graz University of Technology

Moritz Lipp

Graz University of Technology

Daniel Gruss

Graz University of Technology

 

ABSTRACT

Speculative execution is a crucial cornerstone to the performance of modern processors. During speculative execution, the processor may perform operations the program usually would not perform. While the architectural effects and results of such operations are discarded if the speculative execution is aborted, microarchitectural side effects may remain. The recently published Spectre attacks exploit these side effects to read memory contents of other programs. However, Spectre attacks require some form of local code execution on the target system. Hence, systems where an attacker cannot run any code at all were, until now, thought to be safe. In this paper, we present NetSpectre, a generic remote Spectre variant 1 attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over network, leaking 15 bits per hour. Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud.

NetSpectre marks a paradigm shift from local attacks to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all. We show that especially in this remote scenario, attacks based on weaker gadgets which do not leak actual data are still very powerful enough to break address-space layout randomization remotely. Several of the Spectre gadgets we discuss are more versatile than anticipated. In particular, value-thresholding is a technique we devise which leaks a secret value without the typical bit selection mechanisms. We outline challenges for future research on Spectre attacks and Spectre mitigations.
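The variant 1 gadget shape the abstract refers to is a bounds check that the processor can speculatively run past. As an added example (not code from the paper or from this post), here is a constructed C lookup handler in its leaky form beside a version hardened with branchless index masking, the approach the Linux kernel exposes as array_index_nospec(); the table contents, array names and handler names are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16

/* Constructed data: a small table indexed by a caller-supplied value, plus a
 * second, value-dependent array access whose microarchitectural footprint
 * (cache or AVX unit state) is what a covert channel would observe. */
static uint8_t table[TABLE_LEN] = {3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3};
static uint8_t probe[256 * 64];

/* Spectre variant 1 shape: the bounds check is architecturally correct, but
 * while the branch is mispredicted the processor may speculatively execute
 * the body with an out-of-range idx before the result is squashed. */
uint8_t handler_unmasked(size_t idx) {
    if (idx < TABLE_LEN) {
        uint8_t v = table[idx];
        return v ^ probe[(size_t)v * 64];
    }
    return 0;
}

/* Branchless mask: SIZE_MAX when idx < len, 0 otherwise. Built from arithmetic
 * rather than a branch, so it also holds on the mispredicted path (same idea
 * as the Linux kernel's array_index_mask_nospec()). Assumes 1 <= len <= SIZE_MAX/2,
 * which any real table size satisfies. */
static inline size_t index_mask_nospec(size_t idx, size_t len) {
    /* top bit of (idx | (len - 1 - idx)) is set exactly when idx >= len */
    size_t oob = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return oob - 1;   /* oob == 1 -> mask 0; oob == 0 -> mask SIZE_MAX (unsigned wrap) */
}

/* Hardened form: an out-of-range idx is forced to 0 even speculatively, so
 * table[idx] can never read outside the table on either path. */
uint8_t handler_masked(size_t idx) {
    if (idx < TABLE_LEN) {
        idx &= index_mask_nospec(idx, TABLE_LEN);
        uint8_t v = table[idx];
        return v ^ probe[(size_t)v * 64];
    }
    return 0;
}
```

The mask protects only the index it is applied to; in practice it is combined with compiler-level hardening and a review of every network-reachable bounds check on the exposed code path.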

 

Download: https://misc0110.net/web/files/netspectre.pdf
