Graz University has just published findings on a new type of Spectre attack – NetSpectre: Read Arbitrary Memory over Network. – which attacks through network connections, without code on a target victim’s machine. This new type of Spectre threat does not require malware on a victim’s machine or a click on malicious JavaScript.
Two security experts with Juniper networks offer perspective in response.
Craig Dods, Distinguished Engineer – Security at Juniper Networks:
“Spectre has been elevated from a class of vulnerabilities that requires local code execution privileges to one that can be conducted against remote targets. And, this first cacheless version of Spectre relies on AVX state and instructions to create a covert channel.
“Prior to this research, SIMD/AVX-based side channels had not been considered real risks. This approach relies heavily on determining the state of a particular unit, AVX2 in this case. Limiting access to these types of features on common processors is difficult, if not impossible, in many environments. It’s quite concerning from a device hardening perspective as fundamental protections, such as ASLR, can be easily defeated using this technique. Additionally, there’s a very real concern about private-key and cryptographic compromise.”
Mounir Hahad, Head of Threat Research at Juniper Networks:
“We are getting too far into the weeds with these types of attacks – there are too many conditions for them to be practical. When it comes to network-based attacks, timing varies wildly. The proof of concept described identifies a high magnitude of deviations from the measured latency on a local network, so you can imagine that it would be even larger if the experiment ran over the internet. The need for leak and transmit gadgets to be present on the victim’s computer also makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.