1

ok, so the gist of speculative store bypass attack to my understanding is that, cpu chooses the most frequent code path, bypass the if/else test and just assumes that it's true/false and then execute it onwards. later if the prediction proved to be wrong it simply discards the speculative execution results. but somehow the attacker could measure the discarded result and gain some information from the code he does not own(has privilege to access).

My question would be, in order for attacker to extract some useful information, should the attacker have some assembly level code understanding, or even source code level understanding of the targeted program? or how else is he gonna deteremine what the value he measured from data cache represents?

Sajuuk
  • 271
  • 3
  • 11

1 Answers1

1

Yes, the attacker must know something about the program being attacked. All the attacker can observe is how often cache lanes get evicted. They need something else to tell them what those evictions mean.

The power of the attack is that, in the vast majority of cases (I'd say at least 99.99% of the time), it is far easier to get the code of the program being attacked than it is to get the information which is being protected by that code via normal means. The only exception I can think of would be software which was developed on an air-gapped network which is never released outside of that network. That kind of software could be difficult to attack with this.

Cort Ammon
  • 9,206
  • 3
  • 25
  • 26
  • why is it has to be air gapped?, I thought proprietary software are just like what you described. – Sajuuk May 23 '18 at 06:18
  • @Sajuuk Perhaps my use of the term is hyperbole. In theory, you could develop proprietary software in a way which an attacker can never get to. However, in practice, I find even proprietary software is developed on a network, with tools like Version Control Systems in place, which give many opportunities for an attacker to get their hands on the code. Making my statement less hyperbole and more generic, it is rare that code is developed under a threat model where the code (compiled or not) is assumed to be the secret. – Cort Ammon May 23 '18 at 06:46
  • At the very least, it would need to be software which is only available in-house or under a strict NDA which was successful in preventing the attackers from getting their hands on a copy. And it also increases the amount of care you need to have in safeguarding: you have to protect every machine related to the development of the code at the same level you have to protect the target machine (which actually does something worth attacking directly). – Cort Ammon May 23 '18 at 06:50
  • I would say the chance of get into contact with binary packages of software is high as well as the quantity of anti-reverse engineering techniques, and I don't think proprietary source code is that easy to obtain,(I'm not talking about nation state threat actor here, just plain internet security, think about MS Windows's codebase) and I think this effectively restrict the efficiency of speculative-series attack. – Sajuuk May 24 '18 at 03:43