
New Spectre attack lets hackers steal data without having to run local code on PCs

A recent white paper released by researchers at the Graz University of Technology in Austria reveals a new attack called NetSpectre. Unlike earlier Spectre attacks, which require the attacker to get code running on the target machine (natively or as JavaScript in the victim's browser), NetSpectre can read data from the target PC's memory over the network without executing any code on it.

The underlying flaw is the same one behind Spectre. To keep its pipeline busy, a modern CPU predicts which way a conditional branch will go and executes the predicted path speculatively before the condition has actually been evaluated. If the guess turns out to be wrong, the results are discarded, but the side effects on microarchitectural state, such as which lines now sit in the cache, are not undone. A speculatively executed out-of-bounds read can therefore leave a trace that depends on a secret byte, and that trace can be measured afterwards.


Unfortunately, this problem exists in essentially all modern processors. Until now, exploiting it has required the attacker to get code running on the target PC, either through a local account or by serving malicious JavaScript that the victim's browser executes when visiting a website.


But with NetSpectre, there's nothing for the victim to download or run. Instead, the attacker sends a stream of crafted requests to a network-facing service on the target that already contains the right code patterns (gadgets), and measures how long the responses take. The good news is that this method takes an extremely long time to extract data from memory, because network latency jitter drowns out most of the signal. For instance, the paper reports leaking about 15 bits per hour when the side channel is the CPU's cache, and about 60 bits per hour when it uses the power state of the AVX2 unit instead.

Of course, hackers don't want everything stored in memory: They want the juicy bits. On top of the slow leak rate, they must sift through a lot of uninteresting data to locate the valuable, privileged items. Finding an encryption key in the slow trickle of data could take days, far longer than a Spectre attack that runs malicious code locally on the target PC.

According to the paper, the NetSpectre attack consists of two components, both of which must already exist in the target's network-facing code. The first is a leak gadget: code that reads from an attacker-indexed array behind a bounds check and changes some microarchitectural state (for example, by touching a cache line) depending on the value it read. It can leak one or more bits at a time, although single-bit gadgets are "most versatile." The second component is the transmit gadget: code whose response time depends on that same microarchitectural state (for example, on whether that cache line is still hot), which makes the CPU's state visible over the network so the hacker can retrieve the leaked bit.

Hackers carry out the attack in four stages. First, they repeatedly invoke the leak gadget with valid, in-bounds indices to "mis-train" the processor's branch predictor so that the bounds check is predicted to pass. Second, they reset the microarchitectural state (for example, by evicting the relevant cache line) so that a leaked bit can be encoded into it. Third, they invoke the leak gadget with an out-of-bounds index; the processor speculatively follows the mispredicted branch (Spectre Variant 1, bounds check bypass) and the secret bit is encoded into the state. Finally, they invoke the transmit gadget and time its response to read that state back over the network.

“As the network latency varies, the four steps have to be repeated multiple times to eliminate the noise caused by these fluctuations,” the report states. “Typically, the variance in latency follows a certain distribution depending on multiple factors, such as distance, number of hops, network congestion.”
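To make the quoted point concrete, here is an added simulation, written for this article and not code from the NetSpectre paper, of how repeating the four steps averages out latency jitter. Everything about the victim and the network is an assumption chosen for the demo: a constructed 16-bit secret, a 500 µs round trip with up to 60 µs of uniform jitter, a 5 µs gain when the transmit gadget finds the flag cache line hot, and an attacker who knows a few in-bounds byte values to calibrate the decision threshold. The random source is a seeded generator so the run is reproducible and touches no network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed secret: the values the speculative out-of-bounds reads reach,
 * one bit per byte as in the paper's simplified bitstream gadget. */
#define SECRET_BITS 16
static const uint8_t secret_bits[SECRET_BITS] =
    {1,0,1,1,0,0,1,0, 0,1,1,1,0,1,0,0};

/* Assumed latency model (microseconds): a fixed round trip, plus uniform
 * jitter standing in for varying network delay, minus a small gain when the
 * transmit gadget finds the flag cache line hot, i.e. the leaked bit was 1. */
#define BASE_US     500.0
#define JITTER_US   60
#define HOT_GAIN_US 5.0

/* Seeded linear congruential generator; the upper 16 bits are used. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t next_rand(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 16;
}

/* Simulated response time of the transmit gadget for one round. */
static double jittered_rtt(int flag_hot) {
    double jitter = (double)(next_rand() % JITTER_US);
    return BASE_US + jitter - (flag_hot ? HOT_GAIN_US : 0.0);
}

/* One round of the four steps against the simulated victim:
 *  1. mistrain the bounds check with in-bounds requests,
 *  2. reset state so the flag line is cold,
 *  3. send the out-of-bounds index; speculation touches flag iff the bit is 1,
 *  4. call the transmit gadget and time it. Returns the timed response. */
static double measure_secret_bit(size_t i) {
    return jittered_rtt(secret_bits[i]);
}

/* Calibration round: the same steps with an in-bounds index whose value the
 * attacker already knows (assumption: some public bytes are known). */
static double measure_known_bit(int value) {
    return jittered_rtt(value);
}

static double average_secret(size_t i, int n) {
    double sum = 0.0;
    for (int k = 0; k < n; k++) sum += measure_secret_bit(i);
    return sum / n;
}

static double average_known(int value, int n) {
    double sum = 0.0;
    for (int k = 0; k < n; k++) sum += measure_known_bit(value);
    return sum / n;
}

/* Threshold halfway between the calibrated cold (0) and hot (1) averages. */
static double calibrate_threshold(int n) {
    return (average_known(0, n) + average_known(1, n)) / 2.0;
}

/* A faster-than-threshold average means the flag line was hot: bit = 1. */
static int decode_bit(size_t i, int n, double threshold) {
    return average_secret(i, n) < threshold;
}

/* Recover all bits with n repetitions each; returns how many matched the
 * real secret (the attacker cannot compute this, it only shows the effect of n). */
static int recover_count(int n) {
    double threshold = calibrate_threshold(n);
    int correct = 0;
    for (size_t i = 0; i < SECRET_BITS; i++) {
        uint8_t guess = (uint8_t)decode_bit(i, n, threshold);
        correct += (guess == secret_bits[i]);
    }
    return correct;
}

int main(void) {
    for (int n = 1; n <= 4096; n *= 16)
        printf("%5d samples per bit: %2d/%d bits correct\n",
               n, recover_count(n), SECRET_BITS);
    return 0;
}
```

With a single sample per bit the 5 µs shift is buried in 60 µs of jitter, so guesses are close to coin flips; averaging 4096 rounds per bit shrinks the noise on each mean to a fraction of a microsecond and every bit decodes correctly. That is the trade the paper describes: the attacker buys reliability with repetitions, which is why the throughput is measured in bits per hour.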

But don’t worry, because this isn’t a vulnerability that requires a new patch. According to Intel, NetSpectre is an application of Spectre Variant 1 (bounds check bypass, CVE-2017-5753) and is mitigated in the same way: by inspecting code for vulnerable gadgets and modifying the software so that a speculation-stopping barrier is in place where appropriate.

“We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method,” Intel says. “We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.”
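The gadget pair described earlier and the mitigation Intel refers to, as an added example in C that is not code from the paper or from Intel. The `service_state` struct, the secret placed directly after the public array, and the `flag` field are constructed so the pattern is visible in a few lines; `index_nospec()` is modelled on the Linux kernel's `array_index_nospec()` helper, and the LFENCE barrier follows Intel's guidance but is only emitted on x86 (elsewhere the fallback is a compiler barrier that does not stop speculation).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>   /* _mm_lfence */
#endif

#define BITSTREAM_LEN 16   /* length of the attacker-indexable public array */

/* Hypothetical state of a network service. The secret sits right after the
 * public array, so an index of BITSTREAM_LEN + i reaches secret[i]. */
struct service_state {
    uint8_t bitstream[BITSTREAM_LEN]; /* public data, one 0/1 value per byte */
    uint8_t secret[32];               /* never meant to be readable remotely */
    volatile uint8_t flag;            /* the cache line whose state carries the bit */
};

/* Index an attacker sends to reach secret byte i through the leak gadget. */
static size_t index_for_secret_byte(size_t i) {
    return offsetof(struct service_state, secret)
         - offsetof(struct service_state, bitstream) + i;
}

/* Leak gadget (the pattern from the paper). Architecturally the bounds check
 * is sound, so an out-of-bounds request changes nothing. Speculatively, once
 * the predictor has been trained with in-bounds indices, the CPU may run the
 * body before the check resolves, read beyond the array, and touch flag only
 * if the byte it read was non-zero. flag's cache line ends up hot or cold
 * depending on a secret byte, and nothing is ever sent back. */
static void leak_gadget_vulnerable(struct service_state *st, size_t x) {
    if (x < BITSTREAM_LEN) {
        if (st->bitstream[x])
            st->flag = 1;
    }
}

/* Transmit gadget: any request handler that reads flag on its path. Its
 * response is a little faster when flag is cached, so the microarchitectural
 * state shows up as network latency. */
static int transmit_gadget(struct service_state *st) {
    return st->flag;
}

/* Mitigation 1: a speculation barrier right after the bounds check. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    _mm_lfence();
#else
    __asm__ __volatile__("" ::: "memory");  /* compiler barrier only */
#endif
}

/* Mitigation 2: branch-free index clamping. Returns idx when idx < size and
 * 0 otherwise using arithmetic only, so even a mispredicted check reads in
 * bounds. Requires size <= SIZE_MAX / 2. */
static size_t index_nospec(size_t idx, size_t size) {
    size_t top  = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1); /* 1 iff out of bounds */
    size_t mask = top - 1;                                               /* all ones iff in bounds */
    return idx & mask;
}

static void leak_gadget_hardened(struct service_state *st, size_t x) {
    if (x < BITSTREAM_LEN) {
        speculation_barrier();
        x = index_nospec(x, BITSTREAM_LEN);   /* architecturally a no-op here */
        if (st->bitstream[x])
            st->flag = 1;
    }
}

/* Run one gadget on a fresh constructed state and report what the transmit
 * gadget sees. Both gadgets behave identically here: the difference exists
 * only during speculation, which is exactly why the bug is hard to spot. */
static int flag_after(void (*gadget)(struct service_state *, size_t), size_t x) {
    struct service_state st;
    memset(&st, 0, sizeof st);
    st.bitstream[5] = 1;               /* constructed public data */
    memset(st.secret, 0xAB, sizeof st.secret); /* constructed non-zero secret */
    gadget(&st, x);
    return transmit_gadget(&st);
}

int main(void) {
    size_t oob = index_for_secret_byte(3);
    printf("in-bounds 5: vulnerable=%d hardened=%d\n",
           flag_after(leak_gadget_vulnerable, 5), flag_after(leak_gadget_hardened, 5));
    printf("out-of-bounds %zu: vulnerable=%d hardened=%d\n", oob,
           flag_after(leak_gadget_vulnerable, oob), flag_after(leak_gadget_hardened, oob));
    return 0;
}
```

The check a reviewer wants is the one `flag_after()` makes visible: no test that runs the code architecturally distinguishes the two gadgets, so the mitigation has to be verified by code inspection (is every attacker-controlled index either clamped or followed by a barrier?) rather than by observing outputs.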

Updated July 27, 2018 to reflect Intel’s response.

Kevin Parrish
Former Digital Trends Contributor