Q: What is it?
A: A generic remote Spectre
variant 1 attack.
Q: How does it work?
A: The building blocks of a NetSpectre attack are two
NetSpectre gadgets: a leak gadget, and a transmit gadget.
Spectre attacks induce a victim to speculatively perform operations
that would not occur during strictly serialized in-order
processing of the program’s instructions, and which leak a victim’s
confidential information via a covert channel to an attacker. Spectre
variant 1 induces speculative execution in the victim by mistraining
a conditional branch, e.g., a bounds check.
Although the attack can utilize any Spectre variant, they focus on Spectre variant 1 as it is the most widespread. Moreover, according to Intel, in contrast to Meltdown and Spectre variant 2, variant 1 will not be fixed in hardware for the upcoming CPU generation
In contrast to local Spectre attacks, the NetSpectre attack is
not split into two phases. Instead, the attacker constantly performs
operations to mistrain the processor, which will make it
constantly run into exploitably erroneous speculative execution.
NetSpectre does not mistrain across process boundaries, but instead
trains in-place by passing valid and invalid values alternatingly to
the exposed interface, e.g., valid and invalid network packets.
For the NetSpectre attack, the attacker requires two Spectre gadgets,
which are executed if a network packet is received: a leak gadget,
and a transmit gadget. The leak gadget accesses a bit stream at an
attacker-controlled index, and changes some microarchitectural
state depending on the state of the accessed bit. The transmit gadget
performs an arbitrary operation where the runtime depends on the
microarchitectural state modified by the leak gadget.
Hidden in a significant amount of noise, the attacker can observe this timing difference in the network packet response time.
