NetSpectre: Read Arbitrary Memory over Network

07/27/2018
by Michael Schwarz, et al.

In this paper, we present NetSpectre, a generic remote Spectre variant 1 attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over the network, leaking 15 bits per hour. Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that remote Spectre attacks in particular perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud. NetSpectre marks a paradigm shift from local attacks to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all. We show that, especially in this remote scenario, attacks based on weaker gadgets which do not leak actual data are still very powerful for breaking address-space layout randomization remotely. Several of the Spectre gadgets we discuss are more versatile than anticipated. In particular, value-thresholding is a technique we devise which leaks a secret value without the typical bit selection mechanisms. We outline challenges for future research on Spectre attacks and Spectre mitigations.
