# Meltdown/Spectre: Read Arbitrary Memory over Network

## mike155

ADMIN EDIT: Continued from Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory --pjp

Spectre attacks over the network - this is the news that everyone has been waiting for!  :Sad: 

https://misc0110.net/web/files/netspectre.pdf

 *Quote:*   

> [...] In this paper, we present NetSpectre, a generic remote Spectre variant 1 attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over network, leaking 15 bits per hour. Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. [...]

 

 *Quote:*   

> [...]Responsible Disclosure. We disclosed our results to Intel on March 20th, 2018 and agreed on a disclosure date in late July 2018.

 

----------

## eccerr0r

Not sure of its value: 15 bits per hour on an ASLR machine is tough to get specific data... and then what if the network latency is randomized?  I also think it should be possible for an IDS to pick up on the access pattern well before any amount of reasonable data is picked up (or perhaps even regular use from other machines at the same time is enough to throw off timing).  Also I don't think distributed network accesses are helpful, so DDoS reading a machine's memory will get you more variability and tougher to get data...

This is still just theory, would like to see an actual attack that breaks the internet...  granted this does not need special software on the target machine...

----------

## barophobia

The paper does mention that adding randomness to network latency and monitoring for DDOS or something like that will make the attack not feasible.

I imagine this will be used once you get access to internal networks where you are not monitoring for DDOS and network latency is more stable.

----------

## eccerr0r

hmm... x86 KPTI not in 4.14.52:

Processor: Pentium-M Dothan 1.6GHz

```
# cat /sys/devices/system/cpu/vulnerabilities/*
Vulnerable
Vulnerable
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
```

Not looking forward to any more speed penalties...

----------
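An added example, not part of eccerr0r's post or the thread: `cat` on the sysfs directory prints each status without its file name, so this shell script labels every entry and counts the ones the kernel reports as `Vulnerable`. The function names are hypothetical, and the pairing of the post's four output lines with the entry names `meltdown`, `spec_store_bypass`, `spectre_v1` and `spectre_v2` in the constructed sample is an assumption.

```shell
#!/bin/sh
# Added example: keep the entry name next to each sysfs mitigation status.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print "<flag> <entry> <status>" for every file in the directory.
report_vulns() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # unmatched glob or non-file: skip
        status=$(cat "$f" 2>/dev/null) || status="unreadable"
        case "$status" in
            "Not affected"*|Mitigation:*) flag="ok" ;;
            Vulnerable*)                  flag="VULN" ;;
            *)                            flag="unknown" ;;  # review by hand
        esac
        printf '%-7s %-18s %s\n' "$flag" "${f##*/}" "$status"
    done
}

# Echo how many entries are reported as unmitigated.
count_unmitigated() {
    report_vulns "$1" | grep -c '^VULN' || true   # grep -c exits 1 on zero hits
}

# Constructed sample: the post's four output lines, paired with the entry
# names as an assumption (cat * does not show which line is which file).
make_sample() {
    mkdir -p "$1"
    echo "Vulnerable" > "$1/meltdown"
    echo "Vulnerable" > "$1/spec_store_bypass"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$1/spectre_v2"
}

# Demo on the constructed sample; call report_vulns with no argument
# to read the running kernel's own entries instead.
sample=$(mktemp -d)
make_sample "$sample"
report_vulns "$sample"
echo "unmitigated: $(count_unmitigated "$sample")"
rm -rf "$sample"
```
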

