A new Spectre attack, dubbed NetSpectre, was discovered by a team of security researchers. It can be launched over the network without running any local code, unlike other Spectre variants, which need an attacker to run code locally on the target system.
The new remote side-channel attack is related to Spectre variant 1 and abuses speculative execution to perform a bounds-check bypass. The Spectre variant 1 flaw (CVE-2017-5753) was reported earlier this year together with the other Spectre and Meltdown flaws.
The attack method itself is not new: it builds on how a CPU speculates about where its current processing path will go. A large part of its speed comes from thinking ahead and testing different routes to determine the quickest path to completion. While those routes are being tested, the chip stores data in its local cache in an unprotected way.
In the case of NetSpectre, the victim does not need to download anything. The hacker bombards the network ports of a target PC with crafted packets. This method, however, takes a long time to extract data from memory, even though the hacker does not need anything to be stored in memory on the target. Finding an encryption key in this slow data flow could take days, compared with reading the same key by running malicious code locally on the target PC.
The NetSpectre attack consists of two components. The first is a leak gadget, which pulls one or more bytes of data from memory, although single-bit gadgets are the most versatile. The second is the transmit gadget, which makes the CPU's state visible over the network so that the hacker can retrieve the data.
The attack is carried out in four stages. First, the hackers send requests to the leak gadget to "mis-train" the processor's predictor, then reset the environment so that leaked bits can be encoded. Next, they exploit the Spectre variant 1 vulnerability to leak data, and finally they use the transmit gadget to deliver the goods.
According to the reports, because network latency varies, the four steps have to be repeated many times to eliminate the noise caused by those fluctuations. Typically, the variance in latency follows a certain distribution that depends on several factors, such as distance, number of hops, and network congestion.
This is, however, not a vulnerability that needs a new patch. According to Intel, it is mitigated by the same techniques used against Meltdown and the two Spectre variants: code inspection and modification of software.
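As an added illustration (not code from the article or from the NetSpectre researchers) of what "code inspection and modification of software" looks like, here is the Spectre variant 1 leak-gadget pattern in C beside a hardened form that masks the array index so that a speculative load cannot leave the buffer; the buffer contents and function names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample buffer standing in for data reachable via a network handler. */
#define BITSTREAM_LEN 16
static const uint8_t bitstream[BITSTREAM_LEN] = {1,0,1,1,0,0,1,0,1,1,1,0,0,0,1,1};

/* Side state touched by the gadget. What matters for the leak is whether this
 * variable gets pulled into the cache, not the value stored in it. */
static bool flag;
bool flag_set(void) { return flag; }

/* Vulnerable leak-gadget pattern (the Spectre variant 1 shape the article
 * describes). Architecturally the bounds check is correct, but a mis-trained
 * predictor can execute the load speculatively with an out-of-bounds x, and
 * the cache footprint of that speculative load survives the rollback. */
bool leak_gadget_vulnerable(size_t x) {
    if (x < BITSTREAM_LEN) {
        if (bitstream[x])
            flag = true;
        return true;
    }
    return false;
}

/* Branchless index clamp: returns idx if idx < size, otherwise 0. Because it
 * uses no branch there is nothing for the predictor to mis-train, so even a
 * speculative load sees an in-bounds index. Same idea as the Linux kernel's
 * array_index_nospec(); this is a standalone reimplementation (size <= 2^63). */
static inline size_t index_nospec(size_t idx, size_t size) {
    /* Top bit of (idx | (size - 1 - idx)) is set iff idx >= size. */
    size_t oob  = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = oob - (size_t)1;   /* all ones when in bounds, zero otherwise */
    return idx & mask;
}

/* Hardened form: the same check, but the index used for the load is masked.
 * An optimising compiler may still need a barrier to keep this branchless;
 * inspecting the generated code is part of the review. */
bool leak_gadget_hardened(size_t x) {
    if (x < BITSTREAM_LEN) {
        x = index_nospec(x, BITSTREAM_LEN);
        if (bitstream[x])
            flag = true;
        return true;
    }
    return false;
}
```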
In May this year, security researchers from Microsoft and Google also reported Spectre variant 4, which affects modern CPUs in millions of computers, including those sold by Apple.
So far no malware has been found exploiting any of the Spectre or Meltdown variants, or their sub-variants, in the wild.