- A paper from the University of Graz offers a disquieting alternative view, suggesting that Spectre attacks aren’t necessarily dependent on code being executed locally. The paper NetSpectre: Read Arbitrary Memory over Network demonstrates “a generic remote Spectre variant 1 attack … the first access-driven remote Evict+Reload cache attack over network”.Admittedly, a side-channel attack that leaks 15 bits an hour doesn’t sound all that impressive, though the researchers also claimed that “Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system.” For the Register, Thomas Claburn points out that this might not be as bad as it sounds, in that “it could take days to find and gather privileged information such as an encryption key or authentication token.”
According to Claburn, Intel are playing it cool: “”NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate…” Claburn interprets this as meaning that “Essentially, if you’ve updated your code and applications to mitigate previous Spectre exploits, you should be safe from NetSpectre.”
- Researchers in the US also have a new Spectre attack to pique our interest. Here’s the research in question: Spectre Returns! Speculation Attacks using the Return Stack Buffer from the University of California, Riverside. “In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.”Commentary from Bleeping Computer (Catalin Cimpanu): Researchers Detail New CPU Side-Channel Attack Named SpectreRSB.
- The Register cites an instance where the medicine could do with a spoonful of sugar: Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It’s slower, say boffins – “MIT Lincoln metalheads broke big iron so you don’t have to… oh, you still have to, don’t you?…network connections, disk accesses, and computational workloads can all be affected by the fixes, whether in the operating system or the microcode.”
- Also from Bleeping Computer: Academics Announce New Protections Against Spectre and Rowhammer Attacks – “Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer.”
- Maybe the sky is falling after all. In a paper dramatically entitled Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers, Eurecom researchers they present “a new side channel that affects mixed-signal chips used in widespread wireless communication protocols, such as Bluetooth and WiFi. … the radio transmitter may unintentionally broadcast sensitive information from hardware cryptographic components or software executing on the CPU. The well-known electromagnetic (EM) leakage from digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna.”
Commentary by Richard Chirgwin for The Register: Boffins: Mixed-signal silicon can SCREAM your secrets to all – “‘Screaming Channels’, a side-channel baked into off-the-shelf Wi-Fi, Bluetooth silicon.”