DeepAI AI Chat
Log In Sign Up

NetSpectre: Read Arbitrary Memory over Network

by   Michael Schwarz, et al.

In this paper, we present NetSpectre, a generic remote Spectre variant 1 attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over network, leaking 15 bits per hour. Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud. NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all. We show that especially in this remote scenario, attacks based on weaker gadgets which do not leak actual data, are still very powerful to break address-space layout randomization remotely. Several of the Spectre gadgets we discuss are more versatile than anticipated. In particular, value-thresholding is a technique we devise, which leaks a secret value without the typical bit selection mechanisms. We outline challenges for future research on Spectre attacks and Spectre mitigations.


page 1

page 2

page 3

page 4


Spy in the GPU-box: Covert and Side Channel Attacks on Multi-GPU Systems

The deep learning revolution has been enabled in large part by GPUs, and...

Nethammer: Inducing Rowhammer Faults through Network Requests

A fundamental assumption in software security is that memory contents do...

Remapped Cache Layout: Thwarting Cache-Based Side-Channel Attacks with a Hardware Defense

As cache-based side-channel attacks become serious security problems, va...

A Compiler Assisted Scheduler for Detecting and Mitigating Cache-Based Side Channel Attacks

Detection and mitigation of side-channel attacks is a very important pro...

A Probabilistic Analysis on a Lattice Attack against DSA

Analyzing the security of cryptosystems under attacks based on the malic...

Remote Memory-Deduplication Attacks

Memory utilization can be reduced by merging identical memory blocks int...

Practical Timing Side Channel Attacks on Memory Compression

Compression algorithms are widely used as they save memory without losin...