When the Spectre and Meltdown attacks were disclosed earlier this year, the initial exploits required an attacker to be able to run code of their choosing on a victim system. This made browsers vulnerable, as suitably crafted JavaScript could be used to perform Spectre attacks. Cloud hosts were susceptible, too. But outside these situations, the impact seemed relatively limited.
That impact is now a little larger. Researchers from Graz University of Technology, including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.
How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%
All the variants of the Spectre attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways.
NetSpectre builds on these principles; it just has to work a lot harder to exploit them. With a malicious JavaScript, for example, exploitation is fairly straightforward. The JavaScript developer has relatively fine control over the instructions the processor executes and can both perform speculative execution and measure differences in cache performance quite easily.
Read more: Ars Technica