Fotolia
NetSpectre is a remote side-channel attack, but a slow one
A new PoC attack using Spectre variant 1 called NetSpectre marks the first time Spectre v1 has been exploited remotely, although questions remain on the practicality of the attack.
Researchers developed a new proof-of-concept attack on Spectre variant 1 that can be performed remotely, but despite the novel aspects of the exploit, experts questioned the real-world impact.
Michael Schwarz, Moritz Lipp, Martin Schwarzl and Daniel Gruss, researchers at the Graz University of Technology in Austria, dubbed their attack "NetSpectre" and claim it is the first remote exploit against Spectre v1 and requires "no attacker-controlled code on the target device."
"Systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing [it] to read arbitrary memory over the network," the researchers wrote in their paper. "The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim's memory."
Gruss wrote on Twitter that Intel was given ample time to respond to the team's disclosure of NetSpectre.
We informed Intel (and also other industry players) very early in the process on March 20. That was more than 120 days before the disclosure. We're not happy with the situation either, but at some point customers deserve to know what they're up to.
— Daniel Gruss (@lavados) July 27, 2018
Gruss went on to criticize Intel for not designating a new Common Vulnerabilities and Exposures (CVE) number for NetSpectre, but an Intel statement explained the reason for this was because the fix is the same as Spectre v1.
"NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753) and is mitigated in the same manner -- through code inspection and modification of software to ensure a speculation-stopping barrier is in place where appropriate," an Intel spokesperson wrote via email. "We provide guidance for developers in our whitepaper, 'Analyzing Potential Bounds Check Bypass Vulnerabilities,' which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp and Stefan Mangard of Graz University of Technology for reporting their research."
Jake Williams, founder and CEO of Rendition Infosec, agreed with Intel's assessment and wrote by Twitter direct message that "it makes sense that this wouldn't get a new CVE. It's not a new vulnerability; it's just exploiting an existing vulnerability in a new way."
The speed of NetSpectre
Part of the research that caught the eye of experts was the detail that when exfiltrating memory, "this NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system."
Kevin Beaumont, a security architect based in the U.K., explained on Twitter what this rate of exfiltration means.
For the record, if you were ever actually be able to exploit it in real world (big if) it gives 15 bits of information per hour. There’s 8000000000 bits in 1gb. So only 60822 years to extract 1gb of RAM.
— Elon owes me a dollar (@GossiTheDog) July 27, 2018
Williams agreed and said that although the NetSpectre attack is "dangerous and interesting," it is "not worth freaking out about."
"The amount of traffic required to leak meaningful amounts of data is significant and likely to be noticed," Williams wrote. "I don't think attacks like this will get significantly faster. Honestly, the attack could leak 10 to 100 times faster and still be relatively insignificant. Further, when you are calling an API remotely and others call the same API, they'll impact timing, reducing the reliability of the exploit."
Gruss wrote by Twitter direct message that since an attacker can use NetSpectre to choose an arbitrary address in memory to read, the impact of the speed of the attack depends on the use case.
"Remotely breaking ASLR (address space layout randomization) within a few hours is quite nice and very practical," Gruss wrote, adding that "leaking the entire memory is of course completely unrealistic, but this is also not what any attacker would want to do."