When the Spectre and Meltdown vulnerabilities first came to light, security teams faced an unusual situation. The vast majority of vulnerabilities are
When the Spectre and Meltdown vulnerabilities first came to light, security teams faced an unusual situation. The vast majority of vulnerabilities are software related and can be mitigated by applying a vendor’s patch.
However, these two vulnerabilities arose from micro-architectural design techniques used to increase the speed of modern microprocessors. Therefore, they cannot be fixed with a simple code update.
Spectre works by tricking a processor into speculatively executing instruction sequences that should not be executed under correct program execution, resulting in information being leaked from within a device’s memory address space. Vulnerable speculative execution capabilities exist in microprocessors from Intel, AMD and ARM that are used in billions of devices.
A more pressing concern is the opportunity for an attacker to use Spectre to steal data from anyone using cloud services in which their software instances are sharing the same processor as the attacker.
The NetSpectre vulnerability
Researchers at the Graz University of Technology in Austria have developed a Spectre-based attack that doesn’t require attacker-controlled code to run on the target device.
Dubbed the NetSpectre vulnerability, this remote side-channel exploit works by sending a series of crafted requests to the target machine that abuse speculative execution to perform a bounds check bypass — CVE-2017-5753. This can be used to defeat address-space layout randomization on a remote system. And, by measuring the response time, the attack can leak information from the application or the system’s kernel memory.
Thankfully, an attacker needs to send a large number of network packets to the victim to gather a meaningful amount of data — NetSpectre can only extract 15 bits per hour — and this can probably be detected by network defenses. Using a remote network connection to a system hosted in the Google Cloud Platform, the researchers needed 20 million measurements for each bit, and the data rate fell to one byte every hour for the cache side channel-based attack.
There is no known malware that exploits Spectre variants or sub-variants in the wild as of this writing, and Intel hasn’t designated a fresh CVE number for the NetSpectre vulnerability. Intel says that NetSpectre is not a new vulnerability, but is a new way of exploiting an existing one, and the fix is the same as for Spectre version 1. It has, however, updated its white paper, “Analyzing potential bounds check bypass vulnerabilities,” to incorporate information related to the NetSpectre vulnerability.
Implications of NetSpectre
Although NetSpectre attacks are not practical in a real-world scenario, the Graz University of Technology’s research details another technique to steal supposedly secure information by abusing speculative execution. It also demonstrates again that just because data is isolated on the processor, that doesn’t mean the data is safe.
The current techniques used to increase the performance of microprocessors break the security assumptions that underpin many software security mechanisms, such as operating system process separation, containerization, just-in-time compilation, and countermeasures to cache timing and side-channel attacks.
Millions of low-cost Android phones that don’t receive security updates will remain vulnerable to NetSpectre indefinitely, and older systems are unlikely to get patched. Cybercriminals may have more efficient attack tools to compromise victims, but with so many devices vulnerable to Spectre, state-sponsored hackers will no doubt look for new variants and easier ways to exploit current speculative execution implementations.
Spectre variants and other attacks against microprocessor architectures won’t stop appearing until exploitable design flaws in microprocessors are eradicated.