NetSpectre: A Truly Remote Spectre Variant presented at BlackHatAsia2019 2019

by Michael Schwarzl,

Summary : Modern processors use branch prediction and speculative execution to increase their performance. Since January 2018, with the publication of Spectre attacks, we have seen that speculative execution can be abused to leak confidential information. By inducing a victim to speculatively perform operations that would not occur during correct program execution, confidential information can be leaked via a side channel to the adversary. Many countermeasures and workarounds have been proposed, all assuming that Spectre attacks are local attacks, requiring an adversary to execute code on the victim machine. In this talk, we present NetSpectre attacks. We show that Spectre attacks are not limited to local code execution but can even be mounted remotely over the network. NetSpectre attacks can be mounted without any user interaction, just by exploiting Spectre-like gadgets exposed to the network. We show that such an attack is not only theoretically possible by presenting data leakage across virtual machines in the Google cloud. We will then discuss why Spectre mitigations are incomplete and do not prevent NetSpectre. By demonstrating a novel variation of Spectre, which uses a previously unknown side channel, we show that the assumptions of many countermeasures are wrong, making these countermeasures ineffective. Thus, we emphasize the need for more research on such attacks to find better countermeasures.We outline challenges for future research on Spectre attacks and mitigations. Finally, we will discuss the short-term and long-term implications of Spectre as well as NetSpectre for hardware vendors, software vendors, and users.