NetSpectre: An ominous Spectre variant, but no immediate danger

NetSpectre sounds like it could be Spectre on steroids.

Then again, it sounds like it could be more like a lab mutation of probably the most serious design flaw in CPUs (central processing units) or computer chips in a generation – interesting, but not much of a threat in the real world. At least not yet.

So what is NetSpectre?

A paper published last week by a team of researchers from the Graz University of Technology in Austria on an attack they called NetSpectre certainly sounds like a (potentially) major problem. It doesn’t require a hack to launch an attack.

They called it a “paradigm shift,” noting that previously a Spectre attack required, “some form of local code execution on the target system.”

In other words, it required a hack – tricking a victim into downloading and running malicious code, or at least accessing a website that can run malicious JavaScript in a victim’s browser.

As they put it, “there are billions of devices which never run any attacker-controlled code, i.e., no JavaScript, no native code, and no other form of code execution on the target system. Until now, these systems were believed to be safe against such attacks.”

No more.

The researchers – including Daniel Gruss, credited as one of the original discoverers of the related Meltdown flaw – said they had demonstrated that attackers could remotely read the memory of a victim system without needing to run any of their own code on that system. Which would make all those billions of previously “safe” devices no longer safe.

The flaw “expos(es) a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all,” they wrote.

The various Spectre variants all have several fundamentals in common – they take advantage of “speculative execution,” in which a processor reaching a conditional branch doesn’t wait for the data that decides the branch to arrive from main memory, but “guesses” which way the branch will most likely go and executes that path ahead of time. This design was a response to the continued consumer demand for faster processing speed.

If the guess turns out to be wrong, the processor simply discards the results. But this leaves what the researchers called “microarchitectural side effects” in the cache that can allow attackers to harvest sensitive data.
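To make the mechanism concrete, here is an added example (not code from the Graz paper or from Synopsys) of the bounds-check-bypass pattern that Spectre variant 1 style attacks, NetSpectre included, build on, beside a hardened version. The unsafe function is architecturally correct, but while the bounds check is unresolved the CPU may speculatively run the body with an out-of-range index and touch a cache line that depends on secret data. The hardened version masks the index with a branchless mask so that a mispredicted branch cannot feed an out-of-range index into the load; the masking idiom mirrors the `array_index_mask_nospec` approach used in the Linux kernel, and assumes, as that idiom does, that both the index and the table size are below `SIZE_MAX/2`. Table contents, names and sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE1_SIZE 16
#define STRIDE 64           /* one cache line per possible byte value */

/* Constructed tables: table1 holds the "secret" bytes the bounds check is
 * meant to protect, table2 is the array whose cache state would leak them. */
static const uint8_t table1[TABLE1_SIZE] = {
     1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t table2[256 * STRIDE];

/* Vulnerable pattern: a bounds check followed by a load whose address depends
 * on the checked data. Out-of-range idx always returns 0 architecturally, but
 * during speculation the body may still execute with that idx, and the line
 * of table2 it touches stays cached after the result is discarded. */
uint8_t lookup_unsafe(size_t idx) {
    if (idx < TABLE1_SIZE)
        return table2[table1[idx] * STRIDE];
    return 0;
}

/* Branchless mask: all ones if idx < size, all zeros otherwise.
 * Assumption: idx and size are both below SIZE_MAX/2, so (size - 1 - idx)
 * wraps around (top bit set) exactly when idx >= size. */
size_t index_mask_nospec(size_t idx, size_t size) {
    size_t tmp = idx | (size - 1 - idx);
    size_t top = tmp >> (sizeof(size_t) * 8 - 1);   /* 1 iff idx >= size */
    return (size_t)0 - (top ^ 1);
}

/* Clamp idx to 0 when it is out of range, without a branch. */
size_t clamp_index_nospec(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Hardened pattern: the same check, but the index that reaches the load is
 * bounded by a data dependency rather than only by the branch, so even a
 * mispredicted branch cannot make the load read outside table1. */
uint8_t lookup_hardened(size_t idx) {
    if (idx < TABLE1_SIZE) {
        idx = clamp_index_nospec(idx, TABLE1_SIZE);
        return table2[table1[idx] * STRIDE];
    }
    return 0;
}

int main(void) {
    size_t probes[] = { 0, 7, 15, 16, 100000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu mask=%#zx clamped=%zu\n", probes[i],
               index_mask_nospec(probes[i], TABLE1_SIZE),
               clamp_index_nospec(probes[i], TABLE1_SIZE));
    return 0;
}
```

The mask alone does not make a program Spectre-proof; it is the per-gadget fix compilers and kernels apply once an auditor has found a bounds check guarding a data-dependent load, and it has to be applied to every such gadget reachable from untrusted input, including network input.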

The basics of Spectre

You can find more about the basics of Spectre, along with the growing number of ways researchers have discovered to exploit it here, here and here.

The good news – and at the moment it is quite good indeed – is that a NetSpectre attack’s exfiltration speeds are slow – very slow. Slow enough that so far NetSpectre is, as several experts have said, more of a theoretical than an actual threat.

The researchers reported speeds of 15 bits per hour for attacks via a network connection that targeted data in the CPU’s cache.

They were able to push that to as much as 60 bits/hour with a NetSpectre variation that targeted data processed via a CPU’s AVX2 module, specific to Intel CPUs.

But that is still too slow to make it a clear and present danger to the masses.

As Ars Technica put it, “these data rates are far too slow to extract any significant amount of data; even the fastest side channel (AVX2 over the local network) would take about 15 years to read 1MB of data.

“They might, however, be sufficient for highly targeted data extraction; a few hundred bits of an encryption key, for example.”

Practical attack usage

Jonathan Knudsen, applications engineer at Synopsys, called it, “interesting from a theoretical point of view, but not frightening for now. The exfiltration speed of 15 bits per hour is, for the most part, simply too slow for practical attacks.”

James Croall, director of product marketing at Synopsys, agreed. “I would expect that exploiting human security flaws is more practical,” he said, but added that, “the innovation in these attacks is staggering.”

And Knudsen said NetSpectre illustrates three important points:

  • Attackers and researchers will continue to develop innovative and ingenious methods for attacking software.
  • A Secure Software Development Life Cycle (SSDLC) is critically important for minimizing risk.
  • Defense-in-depth is also critically important. “If somebody is bombarding your network with a NetSpectre attack, you should be detecting it and shutting it down in another network layer before the attack can reach its target,” he said.
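Knudsen’s third point rests on the fact that squeezing bits out at 15 to 60 bits per hour means a very large number of repeated, near-identical requests to the same target, which is exactly the kind of traffic a network layer can notice. The following is an added example (not code from the paper or from Synopsys) of the simplest such check: tally requests per client over a batch of access-log lines and flag any client whose volume exceeds a threshold. The log format (`timestamp client_ip method path`), the addresses and the request counts are all constructed for this example, and the threshold is a parameter a real deployment would tune against normal traffic.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 16
#define IP_LEN 16

struct source_stat {
    char ip[IP_LEN];
    unsigned long requests;
};

/* Tally requests per client IP. Each line is "timestamp client_ip method path"
 * (constructed format). Returns the number of distinct sources written to
 * stats; malformed lines are skipped, and sources beyond cap are dropped. */
size_t tally_sources(const char *const *lines, size_t nlines,
                     struct source_stat *stats, size_t cap) {
    size_t nsrc = 0;
    for (size_t i = 0; i < nlines; i++) {
        char ip[IP_LEN];
        if (sscanf(lines[i], "%*s %15s", ip) != 1)
            continue;
        size_t j;
        for (j = 0; j < nsrc; j++)
            if (strcmp(stats[j].ip, ip) == 0)
                break;
        if (j == nsrc) {
            if (nsrc == cap)
                continue;
            strcpy(stats[nsrc].ip, ip);
            stats[nsrc].requests = 0;
            nsrc++;
        }
        stats[j].requests++;
    }
    return nsrc;
}

/* Write the indices of sources whose count exceeds threshold into flagged;
 * returns how many were flagged. */
size_t flag_noisy_sources(const struct source_stat *stats, size_t nsrc,
                          unsigned long threshold, size_t *flagged, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < nsrc && n < cap; i++)
        if (stats[i].requests > threshold)
            flagged[n++] = i;
    return n;
}

/* Constructed sample: 4 lines from a normal client and 40 from a client
 * hammering the same endpoint with slightly varying parameters. */
#define SAMPLE_LINES 44
static char sample_buf[SAMPLE_LINES][96];
static const char *sample[SAMPLE_LINES];

const char *const *build_sample(void) {
    for (int i = 0; i < SAMPLE_LINES; i++) {
        const char *ip = (i % 11 == 0) ? "10.0.0.5" : "198.51.100.7";
        snprintf(sample_buf[i], sizeof sample_buf[i],
                 "2018-07-30T10:00:%02d %s GET /api/lookup?i=%d", i % 60, ip, i);
        sample[i] = sample_buf[i];
    }
    return sample;
}

/* Run the detector over the constructed sample; returns the flagged count. */
size_t sample_flagged_count(unsigned long threshold) {
    struct source_stat stats[MAX_SOURCES];
    size_t flagged[MAX_SOURCES];
    size_t n = tally_sources(build_sample(), SAMPLE_LINES, stats, MAX_SOURCES);
    return flag_noisy_sources(stats, n, threshold, flagged, MAX_SOURCES);
}

int main(void) {
    struct source_stat stats[MAX_SOURCES];
    size_t flagged[MAX_SOURCES];
    size_t n = tally_sources(build_sample(), SAMPLE_LINES, stats, MAX_SOURCES);
    size_t nf = flag_noisy_sources(stats, n, 20, flagged, MAX_SOURCES);
    for (size_t i = 0; i < nf; i++)
        printf("flag %s: %lu requests\n", stats[flagged[i]].ip,
               stats[flagged[i]].requests);
    return 0;
}
```

A per-client count is a blunt instrument; a production detector would bucket by time window and by endpoint so that one source repeatedly hitting one handler stands out even when its total volume is modest. The point the example makes is Knudsen’s: because the attack depends on volume, a threshold at the network layer can stop it long before the trickle of leaked bits adds up to anything.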

*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/netspectre-no-immediate-danger/