

# NetSpectre

## A Truly Remote Spectre Variant



Michael Schwarz

@misco110

Martin Schwarzl

@marvox90



**Michael Schwarz**

PhD candidate @ Graz University of Technology

 @misc0110

 michael.schwarz@iaik.tugraz.at



**Martin Schwarzl**

Master student @ Graz University of Technology

 @marv0x90

 m.schwarzl@student.tugraz.at

- Bug-free software does not mean safe execution



- Bug-free software does not mean safe execution
- Information leaks due to **underlying hardware**



- Bug-free software does not mean safe execution
- Information leaks due to **underlying hardware**
- **Exploit** leakage through **side-effects**



- Bug-free software does not mean safe execution
- Information leaks due to **underlying hardware**
- **Exploit** leakage through **side-effects**



Power  
consumption



Execution  
time



CPU caches

● ● ●



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- **Interface** between hardware and software



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- **Interface** between hardware and software
- Microarchitecture is an ISA **implementation**



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- Interface between hardware and software
- Microarchitecture is an ISA implementation



...

- Modern CPUs contain multiple **microarchitectural elements**



- Modern CPUs contain multiple **microarchitectural elements**



Caches and buffers



Predictors



- Modern CPUs contain multiple **microarchitectural elements**



Caches and buffers



Predictors



- **Transparent** for the programmer

- Modern CPUs contain multiple **microarchitectural elements**



Caches and buffers



Predictors



- **Transparent** for the programmer
- Timing optimizations → side-channel leakage

**Let's have a deeper look at the cache**

---

```
printf( "%d", i);  
printf( "%d", i);
```





```
printf( "%d", i); Cache miss  
printf( "%d", i); Request
```



```
printf( "%d", i); Cache miss  
printf( "%d", i);
```



```
printf( "%d", i); Cache miss  
printf( "%d", i);
```



```
printf( "%d", i); Cache miss  
printf( "%d", i); Cache hit
```







# Caching speeds up Memory Accesses



# Caching speeds up Memory Accesses



















## **Speculative execution**

---



- CPU tries to predict the future (branch predictor), ...
  - ...based on events learned in the past
- Speculative execution of instructions
- If the prediction was correct, ...
  - ...very fast
  - otherwise: Discard results
- Measurable side-effects



# PIZZA

SPECIAL RECIPES



# Prosciutto



# Funghi



Diavolo



Diavolo



# Diavolo



Diavolo



›A table for 6 please‹



# Speculative Cooking





»A table for 6 please«



# PIZZA

SPECIAL RECIPES









# SPECTRE



- On Intel and AMD CPUs



- On Intel and AMD CPUs
- Some ARMs (Cortex R and Cortex A) are also affected



- On Intel and AMD CPUs
- Some ARMs (Cortex R and Cortex A) are also affected
- Common cause: speculative execution of branches



- On Intel and AMD CPUs
- Some ARMs (Cortex R and Cortex A) are also affected
- Common cause: speculative execution of branches
- Speculative execution leaves microarchitectural traces which leak secret



```
index = 0;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```









```
index = 1;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



```
index = 1;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```





```
index = 1;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



```
index = 2;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



# Spectre-PHT (aka Spectre Variant 1)





```
index = 2;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

0



```
index = 3;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



```
index = 3;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]          0
```





```
index = 3;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



```
index = 4;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]          0
```





# Spectre-PHT (aka Spectre Variant 1)



```
index = 4;  
char* data = "textKEY";
```

```
if (index < 4)
```





```
index = 5;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



```
index = 5;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```

# Spectre-PHT (aka Spectre Variant 1)



```
index = 5;  
char* data = "textKEY";
```



# Spectre-PHT (aka Spectre Variant 1)



```
index = 5;  
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```



```
index = 6;
```

```
char* data = "textKEY";
```

```
if (index < 4)
```



```
LUT[data[index] * 4096]
```

```
0
```



# Spectre-PHT (aka Spectre Variant 1)



# Spectre-PHT (aka Spectre Variant 1)



## **NetSpectre: A Remote Spectre Variant**

---



We want to build a Spectre attack which...



We want to build a Spectre attack which...

- is capable of leaking secrets from a remote system



We want to build a Spectre attack which...

- is capable of leaking secrets from a remote system
- has neither physical access nor code execution on system



We want to build a Spectre attack which...

- is capable of leaking secrets from a remote system
- has neither physical access nor code execution on system
- does not rely on software vulnerabilities

## CVSS v3 for CVE-2017-5753 (Spectre)

### Attack Vector

|         |                  |       |          |
|---------|------------------|-------|----------|
| Network | Adjacent Network | Local | Physical |
|---------|------------------|-------|----------|

## CVSS v3 for CVE-2017-5753 (Spectre)

### Attack Vector

|         |                  |       |          |
|---------|------------------|-------|----------|
| Network | Adjacent Network | Local | Physical |
|---------|------------------|-------|----------|

### Attack Complexity

|     |      |
|-----|------|
| Low | High |
|-----|------|

## CVSS v3 for CVE-2017-5753 (Spectre)

### Attack Vector



### Attack Complexity



### Privilege Required



## CVSS v3 for CVE-2017-5753 (Spectre)

### Attack Vector



### Attack Complexity



### Privilege Required



### User Interaction



Spectre **without code execution** is complicated





Spectre **without code execution** is complicated

- Which branch can be exploited



Spectre **without code execution** is complicated

- Which branch can be exploited
- Cannot observe the cache state



Spectre **without code execution** is complicated

- Which branch can be exploited
- Cannot observe the cache state
- Spectre gadgets will be different



Spectre **without code execution** is complicated

- Which branch can be exploited
- Cannot observe the cache state
- Spectre gadgets will be different
- No timing measurement on the attacked system



Spectre **without code execution** is complicated

- Which branch can be exploited
- Cannot observe the cache state
- Spectre gadgets will be different
- No timing measurement on the attacked system
- How to select the data to leak



- No code can be injected



- No code can be injected
- Public interface (API) accessing data



- No code can be injected
- Public interface (API) accessing data
- Branches in API can be mistrained remotely



- No code can be injected
- Public interface (API) accessing data
- Branches in API can be mistrained remotely
- Attacker only calls the API via network requests

```
def check_user_privileges(user_id):  
    [...]  
    if user_id < len(users):  
        if test_bit(privileges, user_id) == True:  
            admin = True  
  
    return SUCCESS
```

```
def check_user_privileges(user_id):  
    [...]  
    if user_id < len(users):      Bounds check  
        if test_bit(privileges, user_id) == True:  
            admin = True  
  
    return SUCCESS
```

```
def check_user_privileges(user_id):  
    [...]  
    if user_id < len(users):      Bounds check  
        if test_bit(privileges, user_id) == True:  
            admin = True  
  
    return SUCCESS
```

Speculative  
out-of-bounds  
read

```
def is_admin():
    return admin
```

```
def is_admin():
    return admin
```



```
def is_admin():
    return admin
```



- If bit in array was set → admin is cached

```
def is_admin():
    return admin
```



- If bit in array was set → admin is cached
- If bit was not set → admin is not cached

```
def is_admin():
    return admin
```



- If bit in array was set → admin is cached
- If bit was not set → admin is not cached
- Observe cache state via function execution time



- Cannot measure time directly on the attacked system



- Cannot measure time directly on the attacked system
- Network latency depends on API execution time



- Cannot measure time directly on the attacked system
  - Network latency depends on API execution time
- Measure the network roundtrip time



- Cannot measure time directly on the attacked system
- Network latency depends on API execution time
- Measure the network roundtrip time
  - Reveals whether the variable is cached





- After measuring variable is always cached



- After measuring variable is always cached
- How do we evict the variable?



- After measuring variable is always cached
- How do we evict the variable?
- Constantly evict the cache via a file download



- After measuring variable is always cached
- How do we evict the variable?
- Constantly evict the cache via a file download
- Thrash+Reload → crude form of Evict+Reload





```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
```



```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
```



```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
```



```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
```



```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
```



```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
    send(flag)
```



```
if (x < bitstream_length)
    if(bitstream[x])
        flag = true
    send(flag)
```















- Mistrain branch predictor with in-bounds requests



- Mistrain branch predictor with in-bounds requests
- Evict everything from cache via file download



- Mistrain branch predictor with in-bounds requests
- Evict everything from cache via file download
- Leak a bit: do nothing ('0') or cache a memory location ('1')



- Mistrain branch predictor with in-bounds requests
- Evict everything from cache via file download
- Leak a bit: do nothing ('0') or cache a memory location ('1')
- Measure function latency which uses the memory location



Leaking byte 'd' (0 )



Leaking byte 'd' (01 )



Leaking byte 'd' (011 )



Leaking byte 'd' (0110 )



Leaking byte 'd' (01100 )



Leaking byte 'd' (011001 )



Leaking byte 'd' (0110010 )



Leaking byte 'd' (01100100)

**What can we exploit with them?**

---

- Several possible attack targets

- Several possible attack targets
- Different impacts depending on target

- Several possible attack targets
- Different impacts depending on target



**Web/FTP Servers**  
(user gadget)

- Several possible attack targets
- Different impacts depending on target



**Web/FTP Servers**  
(user gadget)



**SSH Daemons**  
(user gadget)

- Several possible attack targets
- Different impacts depending on target



**Web/FTP Servers**  
(user gadget)



**SSH Daemons**  
(user gadget)



**Network Drivers**  
(kernel gadget)



**That's nice but how do we find the gadgets?**

---



- Finding Spectre gadgets is still an open problem



- Finding Spectre gadgets is still an open problem
- Out of all papers, only 4 show real-world gadgets



- Finding Spectre gadgets is still an open problem
- Out of all papers, only 4 show real-world gadgets
- Among them, only 2 Spectre-PHT (v1) gadgets



- Finding Spectre gadgets is still an open problem
- Out of all papers, only 4 show real-world gadgets
- Among them, only 2 Spectre-PHT (v1) gadgets
- Still no fully automated approach



- Linux kernel uses static code analysis



- Linux kernel uses static code analysis
- High false positive rate



- Linux kernel uses static code analysis
  - High false positive rate
- Out of 736 reports only 15 real gadgets



- Linux kernel uses static code analysis
  - High false positive rate
- Out of 736 reports only 15 real gadgets
- Ongoing effort, > 100 patches applied to Linux kernel



- Linux kernel uses static code analysis
- High false positive rate
  - Out of 736 reports only 15 real gadgets
- Ongoing effort, > 100 patches applied to Linux kernel
- > 930 Spectre patches in open-source projects

- Built 21 toy examples, 18 containing Spectre gadgets





- Built 21 toy examples, 18 containing Spectre gadgets
- We created two static approaches on detecting (Net)Spectre gadgets



- Built 21 toy examples, 18 containing Spectre gadgets
- We created two static approaches on detecting (Net)Spectre gadgets
  - Coccinelle (Matching the code pattern)



- Built 21 toy examples, 18 containing Spectre gadgets
- We created two static approaches on detecting (Net)Spectre gadgets
  - Coccinelle (Matching the code pattern)
  - Python Capstone (Matching the binary pattern)



- Built 21 toy examples, 18 containing Spectre gadgets
- We created two static approaches on detecting (Net)Spectre gadgets
  - Coccinelle (Matching the code pattern)
  - Python Capstone (Matching the binary pattern)
- All Gadgets were detected, only 3 false positives



- Built 21 toy examples, 18 containing Spectre gadgets
- We created two static approaches on detecting (Net)Spectre gadgets
  - Coccinelle (Matching the code pattern)
  - Python Capstone (Matching the binary pattern)
- All Gadgets were detected, only 3 false positives
- Adapted oo7 approach to masscan open-source software



- Taint Tracking  $\leftrightarrow$  mark all input as **evil**



- Taint Tracking  $\leftrightarrow$  mark all input as **evil**
- If input  $x$  flows into branch  $x < \text{size}$ , the branch is marked as tainted



- Taint Tracking  $\leftrightarrow$  mark all input as **evil**
- If input  $x$  flows into branch  $x < \text{size}$ , the branch is marked as tainted
- $\exists$  a memory access relative within an array in a time window, report it as susceptible



- Not clear how a Spectre gadget can look like



- Not clear how a Spectre gadget can look like
- Potentially many different forms



- Not clear how a Spectre gadget can look like
- Potentially many different forms
- Can be scattered over many instructions



- Not clear how a Spectre gadget can look like
- Potentially many different forms
- Can be scattered over many instructions
- Similar to finding ROP chains



- Not clear how a Spectre gadget can look like
- Potentially many different forms
- Can be scattered over many instructions
- Similar to finding ROP chains
- While searching, discovered novel type of gadget

- No indirection, simple array access

- No indirection, simple array access

```
if (x < array_length)
    y = array[x];
```



- What to do with weaker gadgets?



- What to do with weaker gadgets?  
→ Break ASLR



- What to do with weaker gadgets?  
→ Break ASLR
- Not relevant for local Spectre attacks



- What to do with weaker gadgets?
  - Break ASLR
  - Not relevant for local Spectre attacks
  - Valuable in a remote scenario















**Is cache the only channel to exploit Spectre  
Remotely?**

---



- All Spectre variants so far use the cache



- All Spectre variants so far use the cache
- Is this a requirement?



- All Spectre variants so far use the cache
- Is this a requirement?
- Can we encode the data somewhere else?

- Allow performing an operation in parallel on multiple data





- Allow performing an operation in parallel on multiple data
- Commonly used in gaming and cryptography



- Allow performing an operation in parallel on multiple data
- Commonly used in gaming and cryptography

`--mm256 X7 X6 X5 X4 X3 X2 X1 X0`

# Advanced Vector Instructions (AVX)



- Allow performing an operation in parallel on multiple data
- Commonly used in gaming and cryptography



- Allow performing an operation in parallel on multiple data
- Commonly used in gaming and cryptography


$$\begin{array}{c} \text{---mm256 } [X_7 \quad X_6 \quad X_5 \quad X_4 \quad X_3 \quad X_2 \quad X_1 \quad X_0] \\ \qquad\qquad\qquad + \\ \text{---mm256 } [Y_7 \quad Y_6 \quad Y_5 \quad Y_4 \quad Y_3 \quad Y_2 \quad Y_1 \quad Y_0] \\ \qquad\qquad\qquad = \\ \text{---mm256 } [X_7+Y_7 \quad X_6+Y_6 \quad X_5+Y_5 \quad X_4+Y_4 \quad X_3+Y_3 \quad X_2+Y_2 \quad X_1+Y_1 \quad X_0+Y_0] \end{array}$$



- 256-bit instructions need a lot of power



- 256-bit instructions need a lot of power
  - On Intel, disabled by default, enabled on first use



- 256-bit instructions need a lot of power
  - On Intel, disabled by default, enabled on first use
- Requires some time to power up



- 256-bit instructions need a lot of power
  - On Intel, disabled by default, enabled on first use
- Requires some time to power up
- Measure execution time of AVX instruction



- 256-bit instructions need a lot of power
  - On Intel, disabled by default, enabled on first use
- Requires some time to power up
- Measure execution time of AVX instruction
  - **Leak** timing information



```
if (x < bitstream_length)
    if(bitstream[x])
        _mm256_instruction();
```



- We had to thrash cache to reset state



- We had to thrash cache to reset state
- Wait  $\approx 1$  ms  $\rightarrow$  AVX unit powers off



- We had to thrash cache to reset state
- Wait  $\approx 1$  ms  $\rightarrow$  AVX unit powers off
- More efficient and stealthier than constantly downloading a file



- We had to thrash cache to reset state
- Wait  $\approx 1$  ms  $\rightarrow$  AVX unit powers off
- More efficient and stealthier than constantly downloading a file
- $\rightarrow$  higher performance than cache covert channel





1. Mistrain branch predictor with in-bounds requests



1. Mistrain branch predictor with in-bounds requests
2. Wait for AVX unit to power off (1ms)



1. Mistrain branch predictor with in-bounds requests
2. Wait for AVX unit to power off (1ms)
3. Leak a bit: do nothing ('0') or power AVX unit ('1')



1. Mistrain branch predictor with in-bounds requests
2. Wait for AVX unit to power off (1ms)
3. Leak a bit: do nothing ('0') or power AVX unit ('1')
4. Measure function latency which uses AVX instruction



## **Results**

---

- NetSpectre tested in various environments

- NetSpectre tested in various environments



i5-6200U, i7-8550U

- NetSpectre tested in various environments



i5-6200U, i7-8550U

i7-6700K, i7-8700K

- NetSpectre tested in various environments



i5-6200U, i7-8550U



i7-6700K, i7-8700K



Skylake Xeon

- NetSpectre tested in various environments



i5-6200U, i7-8550U



i7-6700K, i7-8700K



Skylake Xeon



ARM Cortex A75

- Local Network (1 000 000 measurements/bit)



- Local Network (1 000 000 measurements/bit)



30 min/byte

- Local Network (1 000 000 measurements/bit)



30 min/byte



8 min/byte

- Local Network (1 000 000 measurements/bit)



**30 min/byte**



**8 min/byte**

- Cloud (20 000 000 measurements/bit)

- Local Network (1 000 000 measurements/bit)



30 min/byte



8 min/byte

- Cloud (20 000 000 measurements/bit)



1 h/bit

## **How to prevent NetSpectre**

---

- Mitigating NetSpectre



- Mitigating NetSpectre



Network side

- Mitigating NetSpectre



Network side



Fix Spectre

- Prevent NetSpectre on the network side



- Prevent NetSpectre on the network side



Firewalls and DDoS  
protections

- Prevent NetSpectre on the network side



Firewalls and DDoS  
protections



Add random noise to  
packets

- Prevent NetSpectre on the network side



Firewalls and DDoS  
protections



Add random noise to  
packets



Network  
segmentation

- Prevent (Net)Spectre on the system side



- Prevent (Net)Spectre on the system side



Hardware Fixes

- Prevent (Net)Spectre on the system side



Hardware Fixes



Software Changes

# AVX vs single lfence



- NetSpectre requires a fast and stable network connection



- NetSpectre requires a fast and stable network connection
  - Local networks



- NetSpectre requires a fast and stable network connection
  - Local networks
  - Data centers (VM to VM attack)





- NetSpectre requires a fast and stable network connection
  - Local networks
  - Data centers (VM to VM attack)
- Internet speeds improve (e.g., fiber, 5G)



- NetSpectre requires a fast and stable network connection
  - Local networks
  - Data centers (VM to VM attack)
- Internet speeds improve (e.g., fiber, 5G)  
→ possible in the near future?



- NetSpectre requires a fast and stable network connection
  - Local networks
  - Data centers (VM to VM attack)
- Internet speeds improve (e.g., fiber, 5G)
  - possible in the near future?
- Attack speeds can be drastically improved



- NetSpectre requires a fast and stable network connection
  - Local networks
  - Data centers (VM to VM attack)
- Internet speeds improve (e.g., fiber, 5G)
  - possible in the near future?
- Attack speeds can be drastically improved
  - Better signal processing/filtering



- NetSpectre requires a fast and stable network connection
  - Local networks
  - Data centers (VM to VM attack)
- Internet speeds improve (e.g., fiber, 5G)
  - possible in the near future?
- Attack speeds can be drastically improved
  - Better signal processing/filtering
  - Dedicated measuring hardware

# What do we learn from it?



- Gadgets are more versatile than expected

# What do we learn from it?



- Gadgets are more versatile than expected
- Finding gadgets is even harder than expected

# What do we learn from it?



- Gadgets are more versatile than expected
- Finding gadgets is even harder than expected
- Proposed security mechanisms are incomplete

# What do we learn from it?



- Gadgets are more versatile than expected
- Finding gadgets is even harder than expected
- Proposed security mechanisms are incomplete
  - focus only on the cache



- Gadgets are more versatile than expected
- Finding gadgets is even harder than expected
- Proposed security mechanisms are incomplete
  - focus only on the cache
  - often assume (local) code execution



- Gadgets are more versatile than expected
- Finding gadgets is even harder than expected
- Proposed security mechanisms are incomplete
  - focus only on the cache
  - often assume (local) code execution
- Root problem has to be solved → more research required

{...}

- Speculative execution leaks secrets without exploiting bugs
- Spectre attacks are not limited to local attackers
- Spectre attacks have a larger impact than assumed

# NetSpectre

## A Truly Remote Spectre Variant



Michael Schwarz

@misco110

Martin Schwarzl

@marvox90