
New Spectre attack enables secrets to be leaked over a network

ItsMitch

S: Ars Technica | White Paper

 

Do you LOVE spectre issues? Do you love Networking? Well I GOT THE THREAD FOR YOU! BUCKLE UP AND JOIN THE CLOWN FIESTA CALLED INTELLLLLLL SECURITY!!!

 

OK, that's over. New issues have emerged with Spectre and networking, according to Ars Technica, citing a document which has been released to the public today.

 

Quote

That impact is now a little larger. Researchers from Graz University of Technology, including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.

 

All the variants of the Spectre attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it's absolutely certain of which address it should use.

OK, rough translation to English: Spectre can now be used against a network which you run on, and it can be used to steal your data. Please note that this is a VERY VERY SLOW METHOD.

 

Two variants of this attack

Quote

Two different remote measurements were developed.

1) The first is a variation on the cache timing approach already demonstrated with Spectre. The attacker makes the remote system perform a large data transfer (in this case, a file download), which fills the processor's cache with useless data. The attacker then calls the leak gadget, which will speculatively load (or not load) some value in the processor's cache, followed by the transmit gadget. If the speculative execution loaded the value then the transmit gadget will be fast; if it didn't, it'll be slow.

2) The second measurement is novel and doesn't use the cache at all. Instead, it relies on the behavior of the AVX2 vector instruction set on Intel processors. The units that process AVX2 instructions are large and power hungry. Accordingly, the processor will power down those units when it hasn't run any AVX2 code for a millisecond or two, powering them up later when needed. There's also an intermediate half powered state. Brief uses of AVX2 will use this half powered state (at the cost of lower performance); the processor will only fully enable (or fully disable) the AVX2 units after extended periods of use (or non-use). This microarchitectural feature can be measured: if the AVX2 units are fully powered down, running an AVX2 instruction will take longer than if the units are fully powered up.

tl;dr Intel / AMD CPUs are mainly at risk at this time; according to the paper AMD isn't impacted by this

 

Main problems? Speed

Quote

These data rates are far too slow to extract any significant amount of data; even the fastest side channel (AVX2 over the local network) would take about 15 years to read 1MB of data. They might, however, be sufficient for highly targeted data extraction; a few hundred bits of an encryption key, for example. The cache side channel can be used to leak memory addresses, which in turn can be used to defeat the randomized memory addresses used by ASLR (address space layout randomization). Leaking a memory address to defeat ASLR took about two hours. With this memory address information, an attacker would be able to more easily attack other exploitable flaws of a remote system.

On the fastest speed they can pull, Variant 2 AVX2, they were able to pull 1MB per 15 years, but this is highly dependent on the server. HOWEVER if they're looking for specific data, password files, encryption keys etc, they co

 

OK how can I defend against this?

 

Quote

The same countermeasures as are effective against Spectre—code changes that one way or another prevent speculative execution of sensitive code—are effective against NetSpectre. NetSpectre does, however, make the label "sensitive code" rather broader than it was before; there are now many more pathways and system components that might potentially be used to leak information. The slow transfer rates mean that the utility of NetSpectre is limited, but this underscores how the initial Spectre research was a launching point for a wide range of related attacks. We doubt this will be the last.

Update your software and firmware with all the latest Spectre patches 

 

If you wish to read through the full paper then you can. Link is in the Sources up top.

 

FEEL FREE TO CORRECT ME ON ANY ISSUES, THANK YOU


4 minutes ago, SC2Mitch said:

tl;dr Intel CPUs are mainly at risk at this time, according to the paper AMD isn't impacted by this

My poor little 8600K has shamed me and my family. Welcome to the family, soon-to-be Ryzen 1800X. ;) 

mechanical keyboard switches aficionado & hi-fi audio enthusiast

switch reviews  how i lube mx-style keyboard switches


6 minutes ago, SC2Mitch said:

Back up your software and firmware with all the latest Spectre patches 

how does a patch back up software and firmware


Just now, seoz said:

My poor little 8600K has shamed me and my family. Welcome to the family, soon-to-be Ryzen 1800X. ;) 

I'd hold those horses, this paper is a long un and I'm still reading through it.


1 minute ago, emosun said:

how does a patch back up software and firmware

 

7 minutes ago, SC2Mitch said:

Update your software and firmware with all the latest Spectre patches 

 

not a clue what you're on about...... 


1 minute ago, SC2Mitch said:

I'd hold those horses, this paper is a long un and I'm still reading through it.

Is "hold your horses" a pun because you're a Liquid fan? :thinking:


It is about time we get updates. It was one thing for me and my friends to handle Spectre separately but it is going to be way nicer to play over LAN.

⬇ - PC specs down below - ⬇

 

The Impossibox

CPU: (x2) Xeon X5690 12c/24t (6c/12t per cpu)

Motherboard: EVGA Super Record 2 (SR-2)

RAM: 48Gb (12x4gb) server DDR3 ECC

GPU: MSI GTX 1060 Gaming X 6GB

Case: Modded Lian-LI PC-08

Storage: Samsung 850 EVO 500Gb and a 2Tb HDD

PSU: 1000W something or other I forget

Display(s): 24" Acer G246HL

Cooling: (x2) Corsair H100i v2

Keyboard: Corsair Gaming K70 LUX RGB MX Browns

Mouse: Logitech G600

Headphones: Sennheiser HD558

Operating System: Windows 10 Pro

 

Folding info so I don't lose it: 

WhisperingKnickers

 

Join us on the x58 page it is awesome!

x58 Fan Page

 


I mean honestly it is about time there was multiplayer support


Here are some questions for the class to answer as homework tonight:

  • Is it a problem with AVX2 feature set?
  • Is it a problem with the concept of power gating certain aspects of the chip?
  • Is the process of poking the remote computer enough to trigger DoS warnings on firewalls?

This sucks for server/data centre guys and virtualization.


10 minutes ago, M.Yurizaki said:
  • Is it a problem with AVX2 feature set?

Yes, very much so. All issues do seem to stem from the AVX2 feature set on Intel and AMD series CPUs.

 

16 minutes ago, M.Yurizaki said:
  • Is the process of poking the remote computer enough to trigger DoS warnings on firewalls?

Yes, but an attacker can change his method of attack.

Quote

A trivial NetSpectre attack can easily be detected by a DDoS protection, as multiple thousand identical packets are sent from the same source. However, an attacker can choose any trade-off between packets per second and leaked bits per second. Thus, the speed at which bits are leaked can simply be reduced below the threshold that the DDoS monitoring can detect. This is true for any monitoring which tries to detect ongoing attacks, e.g., intrusion detection systems. Although the attack is theoretically not prevented, at some point the attack becomes infeasible, as the time required to leak a bit increases drastically.

 

18 minutes ago, M.Yurizaki said:
  • Is it a problem with the concept of power gating certain aspects of the chip?

The classroom will continue to investigate this further. 

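Added example, not part of the thread or the paper: a defender-side sketch of the monitoring trade-off in the quote above, comparing a short-window burst threshold with a long-period budget on identical packets per source. The event format (seconds, source address, payload fingerprint), the thresholds and the documentation-range addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

def burst_alerts(events, window=1.0, max_per_window=200):
    """Sources sending more than max_per_window identical packets within `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, fp in events:            # events must be time-ordered
        q = recent[(src, fp)]
        q.append(ts)
        while ts - q[0] > window:         # drop packets older than the window
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(src)
    return flagged

def volume_alerts(events, period=86400.0, max_identical=10000):
    """Sources exceeding a budget of identical packets inside one long period (default: a day)."""
    counts = defaultdict(int)
    flagged = set()
    for ts, src, fp in events:
        key = (src, fp, int(ts // period))
        counts[key] += 1
        if counts[key] > max_identical:
            flagged.add(src)
    return flagged

def constructed_events():
    """Constructed sample traffic: (seconds, source address, payload fingerprint)."""
    ev = []
    # 192.0.2.10: 5000 identical packets at 1000 per second (the "trivial" pattern)
    ev += [(i / 1000.0, "192.0.2.10", "fp-A") for i in range(5000)]
    # 192.0.2.20: the same packet every 2 seconds for 12 hours (21600 packets)
    ev += [(i * 2.0, "192.0.2.20", "fp-A") for i in range(21600)]
    # 192.0.2.30: ordinary client, 300 different requests, one per minute
    ev += [(i * 60.0, "192.0.2.30", f"fp-{i}") for i in range(300)]
    return sorted(ev)

if __name__ == "__main__":
    ev = constructed_events()
    print("burst detector :", sorted(burst_alerts(ev)))
    print("volume detector:", sorted(volume_alerts(ev)))
```

The burst threshold only sees the fast sender; the daily budget on identical packets is what catches the slow one, and tightening that budget is what pushes the time per leaked bit toward the infeasible range the quote mentions.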

40 minutes ago, WhisperingKnickers said:

I mean honestly it is about time there was multiplayer support

I prefer the Spectre with Daniel Craig. These sequels are so much worse. 


4 minutes ago, RorzNZ said:

I prefer the Spectre with Daniel Craig. These sequels are so much worse. 

Agreed, I can't think of a single actor's name in this one


10 minutes ago, TopHatProductions115 said:

IGN -5/10 Needs more Meltdown...

jk xD 

No overblown drama.

 

The reading material may redeem this thread though.

My eyes see the past…

My camera lens sees the present…


42 minutes ago, M.Yurizaki said:
  • Is it a problem with the concept of power gating certain aspects of the chip?

Class has returned to the room and the answer is:

Maybe? There weren't any specifics referring to power gating nor limiting stuff like that to the chip.


Ya know my few years old cpu is getting slower and slower it is nearly 60% of its original speed already since the start of this year


1 hour ago, SC2Mitch said:

Do you LOVE spectre issues?

YEAH! I love having my ass handed to me!

Spoiler

Might explain why I like Dark Souls and Nioh...

1 hour ago, SC2Mitch said:

Do you love Networking?

There's a limit to how many times I can power cycle and swap cables. This isn't the thread for me. 

 

1 hour ago, SC2Mitch said:

Well I GOT THE THREAD FOR YOU! BUCKLE UP AND JOIN THE CLOWN FIESTA CALLED INTELLLLLLL SECURITY!!!

"Clown Fiesta"? 

 

Image result for ford fiesta

#IntelInside

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


there's no performance loss if you don't patch your system

 

16803558.jpg

ASUS X470-PRO • R7 1700 4GHz • Corsair H110i GT P/P • 2x MSI RX 480 8G • Corsair DP 2x8 @3466 • EVGA 750 G2 • Corsair 730T • Crucial MX500 250GB • WD 4TB


13 hours ago, aezakmi said:

there's no performance loss if you don't patch your system

 

16803558.jpg

You are letting hackers hijack your data and PC because you refused to patch your system. This explains why Equifax and many other corporations don't patch their software at all, resulting in data breaches. I'd rather sacrifice performance for security, but too much will be hell no.

 

Intel is greedy for money with no intention of fixing their architecture security flaws. How much **** performance do we need to sacrifice to fix Intel architecture flaws?!

 

AMD on my next build. Fook Intel. 

 

 


16 minutes ago, DaPhuc said:

AMD on my next build. Fook Intel. 

 

AMD is also affected by this vulnerability but Spectre n Meltdown patches can sometimes mitigate it


4 hours ago, DaPhuc said:

AMD on my next build. Fook Intel. 

yeah I just went for Intel because it was cheaper in my country and I was so sick of the FX chips I didn't even bother to read about Ryzen when it was just released

 

4 hours ago, DaPhuc said:

You are letting hackers hijack your data and PC because you refused to patch your system.

smh though hackers won't find anything useful here, my truly important files are safe somewhere else and I use a linux netbook for my uni projects and essays


1 hour ago, aezakmi said:

smh though hackers won't find anything useful here, my truly important files are safe somewhere else and I use a linux netbook for my uni projects and essays

Only for you, but not for business computers or server computers.
