A team of researchers from the Graz University of Technology in Austria has demonstrated that Spectre attacks can be launched remotely without the need to execute code on the targeted machine.
The researchers, some of whom were also involved in the discovery of the original Meltdown and Spectre vulnerabilities, have dubbed the new attack NetSpectre, as it allows a remote attacker to read arbitrary memory data over the network.
NetSpectre attacks have been successfully conducted by the experts both in a local area network (LAN) and between virtual machines in Google Cloud.
While NetSpectre attacks can in theory pose a significant risk, data can only be leaked very slowly. Researchers achieved an exfiltration rate of 15 bits per hour over a local network, and 60 bits per hour by using a new AVX-based covert channel instead of a cache covert channel. This is the first Spectre attack that does not use a cache covert channel.
In experiments conducted using Google Cloud, researchers managed to leak data from an independent virtual machine at a rate of 3 bits per hour.
The Spectre and Meltdown speculative execution vulnerabilities impact processors from Intel, AMD, ARM and other companies, and they allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. There are several variants of each flaw, but the original vulnerabilities are Spectre (Variant 1 and Variant 2) and Meltdown (Variant 3).
Exploitation of these flaws has required executing arbitrary code on the targeted system, but NetSpectre, which is related to Variant 1, shows that remote attacks are possible without executing code on the victim’s device.
The researchers also demonstrated that this remote attack method can be used to break the address-space layout randomization (ASLR) mitigation even if no data is leaked.
Fortunately, NetSpectre attacks can be prevented using the mitigations recommended for the original Spectre. In addition, since this is a network-based attack, network-layer countermeasures can also be effective in blocking it.
“A trivial NetSpectre attack can easily be detected by a DDoS protection, as multiple thousand identical packets are sent from the same source,” researchers explained. “However, an attacker can choose any trade-off between packets per second and leaked bits per second. Thus, the speed at which bits are leaked can simply be reduced below the threshold that the DDoS monitoring can detect. This is true for any monitoring which tries to detect ongoing attacks, e.g., intrusion detection systems. Although the attack is theoretically not prevented, at some point the attack becomes infeasible, as the time required to leak a bit increases drastically.”
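The detection trade-off the researchers describe can be made concrete with a small rate detector. The following is an added example, not code from the paper or from any DDoS product: it flags a source that sends more than a threshold of identical packets inside a sliding window, and then computes the leak rate an attacker is limited to if it stays under that threshold. The threshold, window, and packets-per-bit figures are constructed assumptions, not values from the page.

```python
import hashlib
from collections import defaultdict, deque

# Constructed sample records: (timestamp_s, source_ip, payload_bytes).
# A "trivial" run sends thousands of identical requests from one source in a
# short burst; a throttled run spreads the same requests out over time.
def make_records(src, count, period_s, payload=b"GET /idx?i=99999 HTTP/1.1"):
    return [(i * period_s, src, payload) for i in range(count)]

def detect_identical_bursts(records, threshold, window_s):
    """Return the set of sources that send more than `threshold` byte-identical
    payloads within any `window_s`-second sliding window (per source+payload)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, payload in sorted(records, key=lambda r: r[0]):
        key = (src, hashlib.sha256(payload).hexdigest())
        q = recent[key]
        q.append(ts)
        while q[0] < ts - window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def max_undetected_leak_rate(threshold, window_s, packets_per_bit):
    """Upper bound, in bits/hour, on what an attacker can leak while never
    exceeding `threshold` identical packets per `window_s` from one source.
    `packets_per_bit` is an assumed cost of leaking one bit (many thousand
    measurements per bit in the paper's description)."""
    packets_per_hour = threshold * 3600 / window_s
    return packets_per_hour / packets_per_bit

if __name__ == "__main__":
    burst = make_records("10.0.0.5", 5000, 0.001)   # 5000 packets in 5 s
    slow = make_records("10.0.0.6", 5000, 1.0)      # 1 packet per second
    print(detect_identical_bursts(burst + slow, threshold=1000, window_s=10))
    print(max_undetected_leak_rate(1000, 10, 100_000))
```

Lowering the threshold or widening the window shrinks the undetected leak rate, which is the "infeasible at some point" effect the researchers describe, while legitimate clients that repeat a request that often also start to trip the rule.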
However, experts warned that new methods may be found in the future that bypass current protections and mitigations.
Intel has updated its whitepaper titled “Analyzing potential bounds check bypass vulnerabilities” to include NetSpectre attacks.
Jon Masters, Chief Arm Architect and Computer Microarchitecture Lead at Red Hat, says his company has “not identified any viable userspace spectre gadget attacks but are actively auditing all of the daemons that listen over the network and the rest of the stack.”