Posted by Taylor Armerding on August 3, 2018
NetSpectre sounds like it could be Spectre on steroids.
Then again, it sounds like it could be more like a lab mutation of probably the most serious design flaw in CPUs (central processing units) or computer chips in a generation—interesting, but not much of a threat in the real world. At least not yet.
A paper published last week by a team of researchers from the Graz University of Technology in Austria on an attack they called NetSpectre certainly sounds like a (potentially) major problem. It doesn’t require a hack to launch an attack.
They called it a “paradigm shift,” noting that previously a Spectre attack required “some form of local code execution on the target system.”
The researchers—including Daniel Gruss, credited as one of the original discoverers of the related Meltdown flaw—said they had demonstrated that attackers could remotely read the memory of a victim system without needing to run any of their own code on that system. Which would make all those billions of previously “safe” devices no longer safe.
The flaw “expos[es] a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all,” they wrote.
The various Spectre variants all have several fundamentals in common: They take advantage of “speculative execution,” in which a processor receiving a conditional branch instruction doesn’t wait for the full instruction from main memory, but “guesses” which branch it will most likely be instructed to take, and then executes it. This design was a response to the continued consumer demand for faster processing speed.
If the processor takes the wrong branch, it simply discards the results. But this leaves what the researchers called “microarchitectural side effects” in the cache that can allow attackers to harvest sensitive data.
The good news—and at the moment it is quite good indeed—is that a NetSpectre attack’s exfiltration speeds are slow—very slow. Slow enough that so far, NetSpectre is, as several experts have said, more of a theoretical than an actual threat.
The researchers reported speeds of 15 bits per hour for attacks via a network connection that targeted data in the CPU’s cache.
They were able to push that to as much as 60 bits/hour with a NetSpectre variation that targeted data processed via a CPU’s AVX2 module, specific to Intel CPUs.
But that is still too slow to make it a clear and present danger to the masses.
As Ars Technica put it, “These data rates are far too slow to extract any significant amount of data; even the fastest side channel (AVX2 over the local network) would take about 15 years to read 1MB of data.
“They might, however, be sufficient for highly targeted data extraction; a few hundred bits of an encryption key, for example.”
Jonathan Knudsen, applications engineer at Synopsys, called it “interesting from a theoretical point of view, but not frightening for now. The exfiltration speed of 15 bits per hour is, for the most part, simply too slow for practical attacks.”
James Croall, director of product marketing at Synopsys, agreed. “I would expect that exploiting human security flaws is more practical,” he said, but added that “the innovation in these attacks is staggering.”
And Knudsen said NetSpectre illustrates three important points:
Get the latest Software Integrity news, thought leadership, and more.