A new variant of the Spectre attack has been discovered that can remotely extract data over the network.

    Earlier this year, the Spectre and Meltdown attack types were disclosed. They allow an attacker to target a victim with minimal use of resources; specially crafted JavaScript can be used to carry out Spectre attacks. Cloud services, as far as could be determined, were safe: both attack types applied only to the compromise of individual, discrete network resources.

    Now information has appeared about a new type of attack. It comes from researchers at Graz University of Technology. Daniel Gruss, the security researcher who discovered the original Meltdown attack, took part in disclosing the new attack type. The novelty has been named NetSpectre. Its distinctive feature is that an attacker can remotely read data from memory without executing any code on the victim's system.

    It is worth noting that all variants of Spectre attacks rely on the same set of principles. Every processor has both architectural and microarchitectural behaviour. The two may differ, but not dramatically. For example, architecturally, a program that loads a value from some memory location waits until the address is known before starting the load. Microarchitecturally, the processor may try to guess the address and begin fetching the value from memory even before the exact address is known.

    If the processor guesses wrong, the load is redone, this time with the correct address. The "guessed" value is discarded and the architecturally specified behaviour is preserved. But the mistake leaves traces in other components, in particular in the contents of the cache. Such traces can be detected and measured by malicious code. This way of obtaining data is known as a side channel, or more precisely as a side-channel attack.

    Side-channel attacks are not new at all; they have been known since the 1980s, but they became widely known after Paul Kocher's publication in 1996. NetSpectre builds on these well-known principles, but the researchers have added something of their own: in particular, the attack makes it possible to leak data from memory by manipulating packets sent over the network.

    To read out residual data in the processor, the experts who described the attack propose using existing code fragments (gadgets) in applications or the kernel that are triggered when a certain kind of network request arrives. For example, to extract cached data the researchers propose a modified Evict + Reload method. It relies on creating conditions under which data is evicted from the cache, then issuing requests whose execution time reveals whether the data is present in the processor cache.

    The attack would be very dangerous were it not for its low throughput. Under optimal conditions the new method can recover 15-60 bits per hour, which is no more than 45-180 bytes per day. But optimal conditions are rare, so under normal conditions the attack rate is minimal: only 1-3 bytes per 3-8 hours of attack. Determining one bit in this case requires about 20 million measurements.
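To show why the throughput figures above are so low, here is an added toy model of a remote timing channel (illustration only, not code from the NetSpectre researchers): a cache hit shaves a few nanoseconds off a round trip, but network jitter is orders of magnitude larger, so each bit must be averaged over an enormous number of probes. All latency and jitter values are constructed assumptions.

```python
import math
import random
from typing import List

# Constructed model: one network probe returns a round-trip latency. A secret
# bit of 1 is assumed to leave the target cache line cached, making the probe
# delta_ns faster. Network jitter is modelled as Gaussian noise with a
# standard deviation far larger than delta_ns. All figures are assumptions.


def samples_needed(delta_ns: float, jitter_sd_ns: float, z: float = 4.0) -> int:
    """Probes per bit so the mean of n probes sits z standard errors away from
    the midpoint threshold between the two means: n = (2 * z * sigma / delta)^2."""
    return math.ceil((2.0 * z * jitter_sd_ns / delta_ns) ** 2)


def probe_latencies(bit: int, n: int, rng: random.Random, base_ns: float,
                    delta_ns: float, jitter_sd_ns: float) -> List[float]:
    """Simulate n noisy probes for a given secret bit."""
    mean = base_ns - delta_ns if bit == 1 else base_ns
    return [rng.gauss(mean, jitter_sd_ns) for _ in range(n)]


def classify_bit(latencies: List[float], base_ns: float, delta_ns: float) -> int:
    """Decide the bit by comparing the mean latency with the midpoint threshold."""
    mean = sum(latencies) / len(latencies)
    return 1 if mean < base_ns - delta_ns / 2.0 else 0


def recover_bits(secret: List[int], n: int, seed: int, base_ns: float = 50_000.0,
                 delta_ns: float = 50.0, jitter_sd_ns: float = 500.0) -> List[int]:
    """Recover each secret bit from n simulated probes (deterministic per seed).
    Default delta/jitter are exaggerated so the simulation runs quickly."""
    rng = random.Random(seed)
    return [classify_bit(probe_latencies(b, n, rng, base_ns, delta_ns, jitter_sd_ns),
                         base_ns, delta_ns) for b in secret]


def bits_per_hour(probes_per_bit: int, probe_rtt_s: float) -> float:
    """Throughput if probes are issued back to back, one round trip each."""
    return 3600.0 / (probes_per_bit * probe_rtt_s)


if __name__ == "__main__":
    # Assumed realistic regime: 8 ns hit/miss gap, 2 us jitter, 50 us RTT.
    n = samples_needed(8.0, 2000.0)
    print(f"{n} probes per bit -> {bits_per_hour(n, 50e-6):.1f} bits/hour")
    # Quick run with exaggerated gap so the averaging actually finishes.
    secret = [1, 0, 1, 1, 0, 0, 1, 0]
    print("recovered:", recover_bits(secret, samples_needed(50.0, 500.0, 5.0), 7))
```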

    According to the experts, new methods will be proposed over time to improve the attack's efficiency. Even so, extracting an AES key, for example, would take whole days. The attack is blocked by the protections that are effective against the first Spectre variant (CVE-2017-5753).

    To raise attack performance under real rather than optimal conditions to as much as 60 bits per hour, the researchers suggest using gadgets with AVX2 instructions as an additional leakage channel. This method exploits the power-saving behaviour of the AVX2 unit. When AVX2 is not in active use, a power-saving mode is provided in which the AVX2 unit keeps working but with reduced performance. If AVX2 stays inactive for 1 ms, the processor powers it down, which introduces a delay on the next AVX2 operation.

    An attacker can detect whether code was executed speculatively by observing whether the wake-up delay of that unit disappears, which in turn reduces the number of measurements needed to determine each bit.

    To carry out such work, a specialised utility can be used. According to the experts, the code fragments mentioned above can be present in any networked application, including HTTP servers, SSH and other network packet handlers. Under certain conditions, full access to the contents of all system memory can be obtained.