News NetSpectre vuln allows remote Spectre exploitation

bit-tech · 27 Jul 2018

Spectre protections effective, thankfully.
Click to expand...

Read more

Chicken76 · 27 Jul 2018

Holy Grandmother-of-All-Vulnerabilities, how?! How do you read memory contents over the network?

B1GBUD · 27 Jul 2018

Probably with quite a lot of luck I would imagine, surely address space randomisation means that data rarely gets stored in the same place twice?

Gareth Halfacree · 27 Jul 2018

B1GBUD said: ↑

Probably with quite a lot of luck I would imagine, surely address space randomisation means that data rarely gets stored in the same place twice?
Click to expand...

I refer you to Section 5.2 of the linked paper, 'Remotely Breaking ASLR [Address Space Layout Randomisation] on the Target System.'

Anfield · 27 Jul 2018

Chicken76 said: ↑

Holy Grandmother-of-All-Vulnerabilities, how?! How do you read memory contents over the network?
Click to expand...

It is explained at the bottom:

NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate
Click to expand...

Translation:
The basic access restrictions which are used as a foundation to build security on have been swallowed by a sink hole named Spectre and not installing the updates to plug that hole is about as responsible as announcing on facebook that you will be on holiday next week and that the key is under the door mat.

adidan · 27 Jul 2018

I'd feel more secure if Asus had a more recent bios than 2016

B1GBUD · 27 Jul 2018

Gareth Halfacree said: ↑

I refer you to Section 5.2 of the linked paper, 'Remotely Breaking ASLR [Address Space Layout Randomisation] on the Target System.'
Click to expand...

Well of course I didn't read the paper silly!

5.2 Remotely Breaking ASLR on the Target
System
If the attacker has no access to a bit-leaking NetSpectre gadgets,
it is possible to use a weaker NetSpectre gadget which does not
leak the actual data but only information about the corresponding
address. Such gadgets were not considered harmful for Spectre
attacks, which already have local code execution, as ASLR does not
protect against local attacks. However, in a remote scenario, it is
very valuable to break ASLR. If such a NetSpectre gadget is found
in a user-space program, it breaks ASLR for this process.
Listing 3 shows a simple leak gadget which is already sufficient
to break ASLR. With the help of this gadget, breaking ASLR consists
of 3 steps.
(1) Mistrain the branch predictor.
(2) Access an out-of-bounds index to cache a (known) memory
location.
(3) Measure the execution time of a function via the network to
deduce whether the out-of-bounds access cached a part of
it.
The mistraining step is the same as for any Spectre attack, leading
to speculative out-of-bounds accesses relative to the array. If the
attacker provides an out-of-bounds value for x after mistraining,
the array element at this index is speculatively accessed. Assuming
a byte array and an (unsigned) 64-bit index, an attacker can
(speculatively) access any memory location, as the index wraps
around if the base address plus the index is larger than the virtual
memory. If the byte at this memory location is valid and cacheable,
it is cached after executing this gadget, as the speculative execution
will fetch the corresponding memory location into the cache. Thus,
this gadget allows caching arbitrary memory locations which are
valid in the current virtual memory, i.e., every mapped memory
location of the current application.
The attacker uses this gadget to cache a memory location at
a known location, e.g., the vsyscall page which is mapped into
every application at the same virtual address [17]. The attacker then
measures the execution time of a function accessing the now cached
memory location, e.g., older versions of time or gettimeofday. If
the function executes faster, the out-of-bounds array index actually
cached a memory location used by this function. Thus, from the
known address and the value of the array index, i.e., the relative
offset to the known address, the attacker can calculate the actual
address of the leak gadget.
With an ASLR entropy of 30 b on Linux [59], there are 2
30 possible
offsets the attacker has to check. Due to the KPTI (formerly
KAISER [27]) patches, no other page close to the vsyscall page is
mapped in the user space. Consequently, in the 2
30 possible offsets,
there is only a single valid, and thus cacheable, offset. Hence, we can
perform a binary search to find the correct offset, i.e., speculatively
try to load half of the possible offsets into the cache and check
a single time. If the single valid, and thus cacheable, offset was
Online, July 2018, M. Schwarz et al.
cached, the attacker chose the correct half, otherwise, the attacker
continues with the other half. This reduces the number of checks
to defeat ASLR to only 30.
Although vsyscall is a legacy feature, we found it to be still
enabled on Ubuntu 17.10 and Debian 9.4, the default operating
system for instances on the Google Cloud. Moreover, any other
function or data can be used instead of vsyscall if the address is
known. If the address of the leak gadget is known, it can also be
repeated to de-randomize any other function if the execution time
of this function can be measured via the network. If the attacker
knows a memory page at a fixed offset in the kernel, the same
attack can also be run on a NetSpectre gadget in the kernel to break
KASLR
Click to expand...

So you'd still need a lot of luck.... no? And leaking at a rate of 15 bits per hour?

https://www.theregister.co.uk/2018/07/26/netspectre_network_leak/

edzieba · 27 Jul 2018

Anfield said: ↑

The basic access restrictions which are used as a foundation to build security on have been swallowed by a sink hole named Spectre and not installing the updates to plug that hole is about as responsible as announcing on facebook that you will be on holiday next week and that the key is under the door mat.
Click to expand...

The main upshot of the discovery of SPECTRE class attacks is to add one more thing you need to consider when hardening your software (alongside "don't try and read from empty buffers" and "don't try and write to full buffers"). Removing Speculative Execution from CPUs is about as likely as removing internal caches. You can technically do without it, but you won't like it.

jb0 · 28 Jul 2018

edzieba said: ↑

Removing Speculative Execution from CPUs is about as likely as removing internal caches. You can technically do without it, but you won't like it
Click to expand...

As hilarious as that is, the pedant in me insists on pointing out that you can have branches without speculation. The 486 that Doom targeted was such a processor.

So it will indeed be devastating to performance, but more like fifty percent than fifty-thousand percent.

Alecto · 2 Aug 2018

Anfield said: ↑

Translation:
The basic access restrictions which are used as a foundation to build security on have been swallowed by a sink hole named Spectre and not installing the updates to plug that hole is about as responsible as announcing on facebook that you will be on holiday next week and that the key is under the door mat.
Click to expand...

But, but ... I'm only leaving for vacation the week after?!

Log in or Sign up

News NetSpectre vuln allows remote Spectre exploitation

bit-tech Supreme Overlord Lover of bit-tech Administrator

Chicken76 Minimodder

B1GBUD ¯\_(ツ)_/¯ Accidentally Funny

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Anfield Multimodder

adidan Guesswork is still work

B1GBUD ¯\_(ツ)_/¯ Accidentally Funny

edzieba Virtual Realist

jb0 Minimodder

Alecto Minimodder

Share This Page

Log in or Sign up

News NetSpectre vuln allows remote Spectre exploitation

bit-tech Supreme Overlord Lover of bit-tech Administrator

Chicken76 Minimodder

B1GBUD ¯\_(ツ)_/¯ Accidentally Funny

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Anfield Multimodder

adidan Guesswork is still work

B1GBUD ¯\_(ツ)_/¯ Accidentally Funny

edzieba Virtual Realist

jb0 Minimodder

Alecto Minimodder

Share This Page

Useful Searches