• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Insidious New "NetSpectre" Vulnerability Can Be Exploited Over Network

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,311 (7.52/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
The "Spectre" family of vulnerability, an exploitation of the speculative execution features of modern processors (mostly Intel), was scary enough. Up until now, running malware that implements Spectre needed one to run the program on a local machine. Running it remotely was limited to well-crafted JavaScript executed on the victim's machine, or cloud hosts made to process infected files. This is about to change. Security researchers from Graz University of Technology, including one of the discoverers of the "Meltdown" vulnerability, Daniel Gruss; have discovered NetSpectre, a fully network-based exploit that can let attackers read the memory of a remote machine without executing any program on that machine.

NetSpectre works by deriving bits and bytes from the memory based on measurements of the time the processor to succeed or recover from failure in speculative execution. As a processor is executing code, it speculates what the next instruction or data is, and stores their outcomes beforehand. A successful "guess" is rewarded with tangible performance benefits, while an unsuccessful guess is penalized with having to repeat the step. By measuring the precise time it takes for the processor to perform either (respond to success or failure in speculative execution), the contents of the memory can be inferred.


It's a slow and tedious process, though; and attackers use the victim machine's own inconspicuous networked applications to make the measurements. It takes 100,000 measurements to derive the value of a single bit, on average 30 minutes to derive a byte, and if the code is using the AVX2 register (i.e. measuring the time it takes for the processor to fire up or power down the register in response to load from the networked application), takes about 8 minutes to derive a byte. At this rate, it would take about 15 years to make out 1 MB of data; but if all you need is to derive a few bytes long cryptographic key and know exactly where to look for it, an attack can succeed in a tangible amount of time.

Intel downplayed NetSpectre. In a statement, the company said:
NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner - through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.

View at TechPowerUp Main Site
 
Joined
Oct 2, 2004
Messages
13,791 (1.87/day)
Seems like a lot of effort for most likely getting zero results (it has to be a highly targeted attack which basically excludes 99% of home machines). I also wonder how firewalls would affect this process. Be it basic ones or more capable ones with SPI...
 
Joined
Feb 3, 2017
Messages
3,831 (1.33/day)
Processor Ryzen 7800X3D
Motherboard ROG STRIX B650E-F GAMING WIFI
Memory 2x16GB G.Skill Flare X5 DDR5-6000 CL36 (F5-6000J3636F16GX2-FX5)
Video Card(s) INNO3D GeForce RTX™ 4070 Ti SUPER TWIN X2
Storage 2TB Samsung 980 PRO, 4TB WD Black SN850X
Display(s) 42" LG C2 OLED, 27" ASUS PG279Q
Case Thermaltake Core P5
Power Supply Fractal Design Ion+ Platinum 760W
Mouse Corsair Dark Core RGB Pro SE
Keyboard Corsair K100 RGB
VR HMD HTC Vive Cosmos
Would that attack work outside LAN or over several network segments?
 
Joined
Oct 2, 2004
Messages
13,791 (1.87/day)
This seems about as viable as those famous "vulnerabilities" for AMD processors. A lot of puff but not much practical use for the attackers. Same here. I don't think this would be that worrysome to Intel users even on more critical places. It's just too many "if" to get results...
 
Joined
Mar 13, 2012
Messages
279 (0.06/day)
The Spectre and Meltdown vulnerability's that just keeps on giving.

Could it be a genius conspiracy to force the whole world to upgrade to new silicon that is immune to these new vulnerability's.

I mean PC sales are going up for the fist time in seven years :)
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,171 (2.79/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
Ummmm. I hate to say it but this is even less exploitable than regular spectre. In other words, completely useless. Come back to me when someone actually managed to make malacious use of this, we're still waiting for one based on spectre which never happened. Perhaps, the type of exploit does matter. :slap:

In other words, if it's insanely hard to do in a lab, how the hell do you expect to exploit it in the real world.
 
Last edited:
Joined
Dec 16, 2017
Messages
2,944 (1.15/day)
System Name System V
Processor AMD Ryzen 5 3600
Motherboard Asus Prime X570-P
Cooling Cooler Master Hyper 212 // a bunch of 120 mm Xigmatek 1500 RPM fans (2 ins, 3 outs)
Memory 2x8GB Ballistix Sport LT 3200 MHz (BLS8G4D32AESCK.M8FE) (CL16-18-18-36)
Video Card(s) Gigabyte AORUS Radeon RX 580 8 GB
Storage SHFS37A240G / DT01ACA200 / ST10000VN0008 / ST8000VN004 / SA400S37960G / SNV21000G / NM620 2TB
Display(s) LG 22MP55 IPS Display
Case NZXT Source 210
Audio Device(s) Logitech G430 Headset
Power Supply Corsair CX650M
Software Whatever build of Windows 11 is being served in Canary channel at the time.
Benchmark Scores Corona 1.3: 3120620 r/s Cinebench R20: 3355 FireStrike: 12490 TimeSpy: 4624
I honestly don't really see how the heck does this new vulnerability is even possible to pull off. And what if I use a dedicated NIC card instead of the onboard LAN? Does that change anything?

I mean, it's interesting as research, but not really practical.
 
Joined
Sep 7, 2017
Messages
3,244 (1.22/day)
System Name Grunt
Processor Ryzen 5800x
Motherboard Gigabyte x570 Gaming X
Cooling Noctua NH-U12A
Memory Corsair LPX 3600 4x8GB
Video Card(s) Gigabyte 6800 XT (reference)
Storage Samsung 980 Pro 2TB
Display(s) Samsung CFG70, Samsung NU8000 TV
Case Corsair C70
Power Supply Corsair HX750
Software Win 10 Pro
Thankfully, I'm nobody and my computer is meaningless. Maybe I'd be worried if I was Iran and the NSA was targetting me. Most of these things are going to take that amount of scrutiny. Who the hell am I? Or you? Don't flatter yourself. :)
 
Joined
Sep 17, 2014
Messages
22,731 (6.05/day)
Location
The Washing Machine
System Name Tiny the White Yeti
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling CPU: Thermalright Peerless Assassin / Case: Phanteks T30-120 x3
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
VR HMD HD 420 - Green Edition ;)
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
The Spectre and Meltdown vulnerability's that just keeps on giving.

Could it be a genius conspiracy to force the whole world to upgrade to new silicon that is immune to these new vulnerability's.

I mean PC sales are going up for the fist time in seven years :)

Yeah with the fun side note that none of the hardware coming out now is actually Spectre proof, instead we say its 'hardened'... until the next exploit is found.

Thankfully, I'm nobody and my computer is meaningless. Maybe I'd be worried if I was Iran and the NSA was targetting me. Most of these things are going to take that amount of scrutiny. Who the hell am I? Or you? Don't flatter yourself. :)

Don't worry they 'have' you too. Its called dragnet surveillance. There are no targets, there is only everything.
 
Joined
Mar 11, 2009
Messages
1,778 (0.31/day)
Location
Little Rock, AR
System Name Gamer
Processor AMD Ryzen 3700x
Motherboard AsRock B550 Phantom Gaming ITX/AX
Memory 32GB
Video Card(s) ASRock Radeon RX 6800 XT Phantom Gaming D
Case Phanteks Eclipse P200A D-RGB
Power Supply 800w CM
Mouse Corsair M65 Pro
Software Windows 10 Pro
I'm no electrical engineer... and I'm definitely no hacker. But this is suspect as hell.

How are you going to measure the time it takes a processor to make a branch decision (which takes on the order of generally less than a nanosecond) over a network with latency in the milliseconds?
 
Joined
Oct 18, 2013
Messages
6,273 (1.53/day)
Location
So close that even your shadow can't see me !
System Name The Little One
Processor i5-11320H @4.4GHZ
Motherboard AZW SEI
Cooling Fan w/heat pipes + side & rear vents
Memory 64GB Crucial DDR4-3200 (2x 32GB)
Video Card(s) Iris XE
Storage WD Black SN850X 4TB m.2, Seagate 2TB SSD + SN850 4TB x2 in an external enclosure
Display(s) 2x Samsung 43" & 2x 32"
Case Practically identical to a mac mini, just purrtier in slate blue, & with 3x usb ports on the front !
Audio Device(s) Yamaha ATS-1060 Bluetooth Soundbar & Subwoofer
Power Supply 65w brick
Mouse Logitech MX Master 2
Keyboard Logitech G613 mechanical wireless
Software Windows 10 pro 64 bit, with all the unnecessary background shitzu turned OFF !
Benchmark Scores PDQ
I'm not normally one for conspiracy theories, but IMHO, this just reeks of yet another marketing ploy to get everyone to drop more serious coin on new, "upgraded/updated" networking devices to "protect" ourselves from something that, as others have said, is really difficult to execute and not very rewarding for anyone but the most dedicated and sophisticated hackers looking for ANY break in their quest for more bragging rights than anything else.......
 
Joined
Mar 11, 2009
Messages
1,778 (0.31/day)
Location
Little Rock, AR
System Name Gamer
Processor AMD Ryzen 3700x
Motherboard AsRock B550 Phantom Gaming ITX/AX
Memory 32GB
Video Card(s) ASRock Radeon RX 6800 XT Phantom Gaming D
Case Phanteks Eclipse P200A D-RGB
Power Supply 800w CM
Mouse Corsair M65 Pro
Software Windows 10 Pro
Not to mention... if it takes 100k measurements to derive the value of a single bit (presumably in memory), then by the time you've read that bit, it has changed anyway. Sounds completely useless, even if possible.
 
Joined
Aug 20, 2007
Messages
21,566 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
I'm no electrical engineer... and I'm definitely no hacker. But this is suspect as hell.

How are you going to measure the time it takes a processor to make a branch decision (which takes on the order of generally less than a nanosecond) over a network with latency in the milliseconds?

Locally executed code via a network service?

Not to mention... if it takes 100k measurements to derive the value of a single bit (presumably in memory), then by the time you've read that bit, it has changed anyway. Sounds completely useless, even if possible.

It certainly slows ops down. It's basically dividing your memory bandwidth by at least 100k. For high value targets it could still be useful however.
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,171 (2.79/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
Locally executed code via a network service?
It certainly slows ops down. It's basically dividing your memory bandwidth by at least 100k. For high value targets it could still be useful however.
Observing one byte every 30 minutes isn't exactly what I would call a feasible exploit forget *how* you determine if you have a byte or not. How much network load does it generate? Will the machine lose connection to the network or have predictable network latency? I like theories but is it even realistic for this to work outside of a freaking lab?!

So, forget "NetSpectre". Lets talk about Spectre (a seemingly "easier" exploit.) Name me a single virus or malware in the wild, that has been successful and identified as using this as a vector for attack. I like theories, but we have to measure everything in common sense. Reading a single byte (maybe,) every 30 minutes doesn't get me anything. I would need to know exactly what I'm looking for, it would have to be not changing, and network conditions would have to be ideal if it's even reproducible.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,747 (3.29/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: i5 10400
Motherboard ASUS P8P67 Pro :: ASUS Prime H570-Plus
Cooling Cryorig M9 :: Stock
Memory 4x4GB DDR3 2133 :: 2x8GB DDR4 2400
Video Card(s) PNY GTX1070 :: Integrated UHD 630
Storage Crucial MX500 1TB, 2x1TB Seagate RAID 0 :: Mushkin Enhanced 60GB SSD, 3x4TB Seagate HDD RAID5
Display(s) Onn 165hz 1080p :: Acer 1080p
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro - Bose Companion 2 Series III :: None
Power Supply FSP Hydro GE 550w :: EVGA Supernova 550
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
I think we're crossing the limits of what's feasibly possible, and moving on to the territory of technically possible here...
 
Joined
Aug 20, 2007
Messages
21,566 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Observing one byte every 30 minutes isn't exactly what I would call a feasible exploit forget *how* you determine if you have a byte or not. How much network load does it generate? Will the machine lose connection to the network or have predictable network latency? I like theories but is it even realistic for this to work outside of a freaking lab?!

So, forget "NetSpectre". Lets talk about Spectre (a seemingly "easier" exploit.) Name me a single virus or malware in the wild, that has been successful and identified as using this as a vector for attack. I like theories, but we have to measure everything in common sense. Reading a single byte (maybe,) every 30 minutes doesn't get me anything. I would need to know exactly what I'm looking for, it would have to be not changing, and network conditions would have to be ideal if it's even reproducible.

I know, which is why I said "high value targets." And by that I mean like state level actors, who are always trying again (and again, and again). No one here is going to be at much risk from NetSpectre as it presently stands. Unless I am misunderstanding something, of course.
 
Joined
Mar 11, 2009
Messages
1,778 (0.31/day)
Location
Little Rock, AR
System Name Gamer
Processor AMD Ryzen 3700x
Motherboard AsRock B550 Phantom Gaming ITX/AX
Memory 32GB
Video Card(s) ASRock Radeon RX 6800 XT Phantom Gaming D
Case Phanteks Eclipse P200A D-RGB
Power Supply 800w CM
Mouse Corsair M65 Pro
Software Windows 10 Pro
Locally executed code via a network service?
It certainly slows ops down. It's basically dividing your memory bandwidth by at least 100k. For high value targets it could still be useful however.

I could be wrong, but if it's locally executed code, then it's just spectre, right? Nothing new. Also, I quote, from the OP:

without executing any program on that machine.

Also, I'm not saying the problem is the speed it happens. If it's a high value target, sure you can spend however much time it takes. But that's not my point. I'm saying it's impossible to measure something that happens in a fraction of a nanosecond with a measuring stick that maxes out in milliseconds. They're trying to measure a molecule with a yardstick. It just isn't going to happen.

Not to mention, bits in memory are constantly flipping. The very act of reading a bit changes the contents of that memory (though hopefully it changes a different bit.) By the time they've read one bit, the rest of the memory has changed. Maybe if we're talking about RAM, it could be feasible that the contents remain unchanged. But I think we're talking about memory on board the processor since we're talking about branch prediction. If that's the case, the processor has moved on within milliseconds. I don't know how they expect to read anything useful, and not just random bits taken out of context because the program is in flight.
 
Top