NetSpectre: A Truly Remote Spectre Variant

Presented at Black Hat Asia 2019, March 28, 2019, 10:15 a.m. (60 minutes).

Modern processors use branch prediction and speculative execution to increase their performance. Since January 2018, with the publication of Spectre attacks, we have seen that speculative execution can be abused to leak confidential information. By inducing a victim to speculatively perform operations that would not occur during correct program execution, confidential information can be leaked via a side channel to the adversary. Many countermeasures and workarounds have been proposed, all assuming that Spectre attacks are local attacks, requiring an adversary to execute code on the victim machine.

In this talk, we present NetSpectre attacks. We show that Spectre attacks are not limited to local code execution but can even be mounted remotely over the network. NetSpectre attacks can be mounted without any user interaction, just by exploiting Spectre-like gadgets exposed to the network. We show that such an attack is not only theoretically possible by presenting data leakage across virtual machines in the Google cloud.

We will then discuss why Spectre mitigations are incomplete and do not prevent NetSpectre. By demonstrating a novel variation of Spectre, which uses a previously unknown side channel, we show that the assumptions of many countermeasures are wrong, making these countermeasures ineffective. Thus, we emphasize the need for more research on such attacks to find better countermeasures.

We outline challenges for future research on Spectre attacks and mitigations. Finally, we will discuss the short-term and long-term implications of Spectre as well as NetSpectre for hardware vendors, software vendors, and users.

Presenters:

• Michael Schwarz - PhD Student, Graz University of Technology
  Michael Schwarz is an Infosec PhD student at Graz University of Technology with a focus on microarchitectural side-channel attacks and system security. He holds two master's degrees, one in computer science and one in software development with a strong focus on security. He frequently participates in CTFs and has also been a finalist in the European Cyber Security Challenge. He was a speaker at Black Hat Europe 2016, Black Hat Asia 2017 & 2018, and Black Hat US 2018, where he presented his research on microarchitectural side-channel attacks. He authored and co-authored several papers published at international academic conferences and journals, including USENIX Security 2016 & 2018, NDSS 2017 & 2018, IEEE S&P 2018 & 2019. He was part of one of the four research teams that found the Meltdown and Spectre bugs published in early 2018.
• Martin Schwarzl - Student, Graz University of Technology
  Martin Schwarzl currently finishes his computer science master at Graz University of Technology The main focus of his studies is on IT security and a minor focus on computational intelligence. In the holidays he works as a freelancer with main focus on software penetration testing. He frequently participates in CTFs and was member of the winning team in the European Cyber Security Challenge.

Links:

• https://www.blackhat.com/asia-19/briefings/schedule/#netspectre-a-truly-remote-spectre-variant-13757

Similar Presentations:

• Black Hat USA 2018 / Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities
• Black Hat Asia 2019 / Ghosts in a Nutshell
• REcon 2022 / A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data