Friday, July 27th 2018
Insidious New "NetSpectre" Vulnerability Can Be Exploited Over Network
The "Spectre" family of vulnerabilities, which exploits the speculative execution features of modern processors (Intel, AMD and ARM designs alike), was scary enough. Up until now, an attack using Spectre needed to run code on the victim machine; the closest thing to a remote attack was well-crafted JavaScript executed in the victim's browser, or cloud hosts made to process attacker-supplied files. This is about to change. Security researchers from Graz University of Technology, including one of the discoverers of the "Meltdown" vulnerability, Daniel Gruss, have described NetSpectre, a fully network-based attack that can let attackers read the memory of a remote machine without executing any of their own code on it.
NetSpectre recovers memory contents bit by bit from timing measurements of the victim's network responses. A processor executing code guesses the outcome of a pending branch (a bounds check, for instance) and runs ahead on that guess; a correct guess is rewarded with a tangible performance benefit, while a wrong guess is penalized by discarding the work and re-executing from the branch. The discarded work is rolled back architecturally, but it leaves microarchitectural traces, such as which lines are in the cache or whether the AVX2 unit is powered up. NetSpectre sends a crafted request that drives a bounds-check-bypass gadget in the victim's networked application past its check with an out-of-bounds index, so that the speculatively executed read leaves a trace that depends on one bit of the target memory; a second request then exercises a code path whose handling is slightly faster or slower depending on that trace, and the attacker times the response. It's a slow and tedious process, though, because the timing difference is buried in network jitter: it takes about 100,000 measurements to derive the value of a single bit, on average 30 minutes to derive a byte over the cache-based channel. If the application's code contains a gadget that uses the AVX2 unit, the attacker can instead measure whether that unit is powered up or has powered down in response to the preceding load from the networked application, which gives a larger timing difference and takes about 8 minutes per byte. Even at that faster rate, it would take about 15 years to make out 1 MB of data; but if all you need is a cryptographic key a few dozen bytes long and you know exactly where to look for it, an attack can succeed in a tangible amount of time.
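Why so many measurements are needed, as an added illustration that is not part of the original article or of the Graz paper: a simulation in C of the attacker's averaging step. The numbers (a 250 µs base round trip, ±2 µs of jitter, an 80 ns extra delay when the leaked bit is 1) are assumptions chosen to make the point, not measurements from the paper, and the attacker procedure modelled here, calibrating against a known-zero channel state and comparing means, is the generic approach rather than the paper's exact one.

```c
/* Added illustration: why a NetSpectre bit costs on the order of 100,000
 * round trips. The victim's response latency is modelled as a large jitter
 * term plus a tiny offset that depends on the secret bit (the trace the leak
 * gadget left in the cache). Averaging N samples shrinks the jitter by
 * sqrt(N), so with enough samples the offset shows through.
 * All constants are illustrative assumptions, not measured values. */
#include <stdint.h>
#include <stdio.h>

#define BASE_NS   250000.0   /* assumed base round-trip time on a LAN: 250 us */
#define JITTER_NS   2000.0   /* assumed network jitter: uniform in +/- 2 us   */
#define SIGNAL_NS     80.0   /* assumed extra latency when the leaked bit is 1 */

static uint64_t rng_state = 0x9E3779B97F4A7C15ull;

/* xorshift64, fixed seed: deterministic so the experiment is reproducible */
static uint64_t xorshift64(void) {
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return rng_state = x;
}

/* uniform noise in [-JITTER_NS, +JITTER_NS] */
static double jitter(void) {
    double u = (double)(xorshift64() >> 11) / (double)(1ull << 53); /* [0,1) */
    return (2.0 * u - 1.0) * JITTER_NS;
}

/* One simulated round trip through the transmit gadget: the response takes
 * SIGNAL_NS longer when the leaked bit is 1, buried in jitter. */
static double measure_once(int secret_bit) {
    return BASE_NS + (secret_bit ? SIGNAL_NS : 0.0) + jitter();
}

static double mean_of(int n, int secret_bit) {
    double sum = 0.0;
    for (int i = 0; i < n; i++)
        sum += measure_once(secret_bit);
    return sum / n;
}

/* Attacker's procedure: take n samples with the channel in a known-zero
 * state (calibration), n samples of the target bit, and decide from the
 * difference of means. Returns the recovered bit. */
int recover_bit(int n, int secret_bit) {
    double baseline = mean_of(n, 0);
    double target   = mean_of(n, secret_bit);
    return (target - baseline) > SIGNAL_NS / 2.0;
}

/* How many of `trials` alternating 0/1 bits are recovered correctly
 * when each recovery uses n samples per mean. */
int correct_recoveries(int n, int trials) {
    int ok = 0;
    for (int t = 0; t < trials; t++) {
        int bit = t & 1;
        ok += (recover_bit(n, bit) == bit);
    }
    return ok;
}

int main(void) {
    int sizes[] = {100, 1000, 10000, 100000};
    for (int i = 0; i < 4; i++)
        printf("n=%6d samples per mean: %2d/20 bits recovered\n",
               sizes[i], correct_recoveries(sizes[i], 20));
    return 0;
}
```

With 100 samples per mean the guess is close to a coin flip; with 100,000 the 80 ns offset stands out, because the standard deviation of the mean has shrunk by a factor of about 316. Real networks add drift and correlated noise that plain averaging does not remove, which is part of why the real attack is slower than this model suggests.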
Intel downplayed NetSpectre. In a statement, the company said:
NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner - through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.
Source:
ArsTechnica
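What Intel's "speculation stopping barrier" looks like at the source level, as an added example that is not from the article, from the Graz paper, or from Intel's whitepaper: the leak-gadget and transmit-gadget shape the attack needs, the same gadget with an `lfence`, and a branch-free index clamp in the style of the Linux kernel's `array_index_mask_nospec`. The array, the secret placed after it, the `flag` variable and the request-handler framing are constructed for illustration. The code shows the vulnerable pattern and two fixes; it does not and cannot demonstrate the leak itself, since everything observable from C is the architectural result.

```c
/* Added example: Bounds Check Bypass (CVE-2017-5753) gadgets of the kind
 * NetSpectre needs in a networked application, next to two mitigations.
 * Constructed for illustration; not the paper's or any real service's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITSTREAM_LEN 16

/* Constructed victim state: a public array a request handler indexes, with a
 * secret sitting right after it in memory. Architecturally the bounds check
 * keeps every read inside bitstream[]; under speculation an out-of-bounds x
 * can still be used as an index for a few hundred cycles before the branch
 * resolves, which is enough to leave a trace in the cache. */
static uint8_t bitstream[BITSTREAM_LEN] = {1,0,1,1,0,0,1,0, 1,1,1,0,0,1,0,1};
uint8_t secret_after_array[] = "SECRETKY";

/* The covert-channel variable. Whether it is cached is what the attacker
 * measures: the leak gadget touches it, or not, depending on one secret bit. */
volatile int flag = 0;

/* Leak gadget, vulnerable form. Reached by a request that carries x. After a
 * few in-bounds requests the branch predictor guesses "in bounds"; an
 * out-of-bounds x is then read speculatively, and if that byte is non-zero
 * `flag` is touched and pulled into the cache, even though the store itself
 * is squashed when the branch resolves. */
void leak_gadget_vulnerable(size_t x) {
    if (x < BITSTREAM_LEN)
        if (bitstream[x])
            flag = 1;
}

/* Transmit gadget: a different request handler whose timing depends on
 * `flag`. Reading a cached `flag` is faster than reading an evicted one, and
 * that difference ends up in the response latency. */
int transmit_gadget(void) {
    return flag ? 1 : 0;
}

/* Speculation barrier. On x86, lfence does not execute until all preceding
 * instructions (including the compare) have completed, so the body cannot
 * run on a guessed branch outcome. */
#if defined(__x86_64__) || defined(__i386__)
#  define SPECULATION_BARRIER() __asm__ volatile("lfence" ::: "memory")
#elif defined(__aarch64__)
#  define SPECULATION_BARRIER() __asm__ volatile("dsb sy\n\tisb" ::: "memory")
#else
#  define SPECULATION_BARRIER() __asm__ volatile("" ::: "memory") /* compiler barrier only: NOT a speculation barrier */
#endif

void leak_gadget_fenced(size_t x) {
    if (x < BITSTREAM_LEN) {
        SPECULATION_BARRIER();
        if (bitstream[x])
            flag = 1;
    }
}

/* Alternative without a fence: clamp the index with an arithmetic mask, the
 * same construction as the Linux kernel's array_index_mask_nospec. The mask
 * is all ones when x < len and zero otherwise, computed without a branch, so
 * even a speculated access lands in bounds (at index 0). Relies on the
 * arithmetic right shift gcc and clang implement for signed integers. */
static inline size_t index_nospec(size_t x, size_t len) {
    intptr_t mask = ~(intptr_t)(x | (len - 1 - x)) >> (sizeof(size_t) * 8 - 1);
    return x & (size_t)mask;
}

void leak_gadget_clamped(size_t x) {
    if (x < BITSTREAM_LEN) {
        x = index_nospec(x, BITSTREAM_LEN);
        if (bitstream[x])
            flag = 1;
    }
}

/* Architectural result of one request: reset the channel, run the gadget,
 * read it back through the transmit gadget. */
int run_request(void (*gadget)(size_t), size_t x) {
    flag = 0;
    gadget(x);
    return transmit_gadget();
}

int main(void) {
    printf("vulnerable x=0: %d  x=1: %d  x=99: %d\n",
           run_request(leak_gadget_vulnerable, 0),
           run_request(leak_gadget_vulnerable, 1),
           run_request(leak_gadget_vulnerable, 99));
    printf("fenced x=0: %d  clamped x=99 -> index %zu\n",
           run_request(leak_gadget_fenced, 0), index_nospec(99, BITSTREAM_LEN));
    return 0;
}
```

All three gadgets behave identically at the architectural level, which is exactly why this class of bug survives code review and testing: the difference is only in what the CPU may do before the bounds check resolves. The fence costs a pipeline drain on every call; the mask costs a few ALU instructions and is what the kernel prefers on hot paths.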
17 Comments on Insidious New "NetSpectre" Vulnerability Can Be Exploited Over Network
Could it be a genius conspiracy to force the whole world to upgrade to new silicon that is immune to these new vulnerabilities?
I mean PC sales are going up for the first time in seven years :)
In other words, if it's insanely hard to do in a lab, how the hell do you expect to exploit it in the real world.
I mean, it's interesting as research, but not really practical.
How are you going to measure the time it takes a processor to make a branch decision (which takes on the order of generally less than a nanosecond) over a network with latency in the milliseconds?
So, forget "NetSpectre". Let's talk about Spectre (a seemingly "easier" exploit). Name me a single virus or malware in the wild that has been successful and identified as using this as a vector for attack. I like theories, but we have to measure everything in common sense. Reading a single byte (maybe) every 30 minutes doesn't get me anything. I would need to know exactly what I'm looking for, it would have to be not changing, and network conditions would have to be ideal if it's even reproducible.
Not to mention, bits in memory are constantly flipping. The very act of reading a bit changes the contents of that memory (though hopefully it changes a different bit.) By the time they've read one bit, the rest of the memory has changed. Maybe if we're talking about RAM, it could be feasible that the contents remain unchanged. But I think we're talking about memory on board the processor since we're talking about branch prediction. If that's the case, the processor has moved on within milliseconds. I don't know how they expect to read anything useful, and not just random bits taken out of context because the program is in flight.