New NetSpectre Attack Can Steal CPU Secrets via Network Connections

Scientists published a paper Friday detailing a new Spectre-class CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine. From a report: This new attack --codenamed NetSpectre -- is a major evolution for Spectre attacks, which until now have required the attacker to trick a victim into downloading and running malicious code on his machine, or at least accessing a website that runs malicious JavaScript in the user's browser. But with NetSpectre, an attacker can simply bombard a computer's network ports and achieve the same results. Although the attack is innovative, NetSpectre also has its downsides (or positive side, depending on what part of the academics/users barricade you are). The biggest is the attack's woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU's cache.

Does not know the domain

[mangastudent]

This latest "Net/S/M" calls them "gadgets", but they are fucking malware!

"Gadget" is a term of art from return-oriented programming; as the good Wiki introduces this:

[...] a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine's memory, called "gadgets"....

The "gadgets" are just convenient snippets of code that the attacker knows is already running in the target machine, like in commonly used DLLs or shared libraries.

JavaScript on a site, or even just connect tcp

[raymorris]

Until this attack, the attacker needed to run some code, which could be JavaScript. So infect a site, or lure a victim to your site, trumptweettoomuch.com, and you've got your code execution.

The BASIC idea would be your JavaScript does something with the byte 01010111 10,000 times and measures how long that takes, then compares it to the same operation with byte 01011111. That allows you to know if certain other programs are using either of those bytes in their data. Run through a million iterations of trying combinations and you've retrieved the contents of another processes memory - or the kernel memory. That's the part that let's your code step out of its own process.

Combine the ability to read the memory of other processes with a few other clever hacker techniques and you get the ability to read specific memory contents from specific locations.

What's new in this attack is that the attacker doesn't need to run any code on the victim machine. Instead, they send 20,000 packets, half include the 01010111 byte, half include the 01011111 byte. The timing of the network driver, and therefore the timing of the responses, will vary depending on whether a different piece of system software is using the same byte. Combine that with earlier techniques and you have the ability to read the memory of programs running on the machine, without you running any code on the machine.

These are a BIG deal for the theoretical security of the machine. The practical use is much harder, especially over the network. They achieved 15 bits per hour by saturating a direct gigabit connection. That's not very practical, unless you happen to be attacking a VM, coming from another VM on the same host hardware.