NetSpectre: Read Arbitrary Memory over Network

Michael Schwarz; Martin Schwarzl; Moritz Lipp; Jon Masters; Daniel Gruß

doi:10.1007/978-3-030-29959-0_14

NetSpectre: Read Arbitrary Memory over Network

Michael Schwarz, Martin Schwarzl, Moritz Lipp, Jon Masters, Daniel Gruß

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

All Spectre attacks so far required local code execution. We present the first fully remote Spectre attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over the network, leaking 15 bits per hour. We present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack.
We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We demonstrate practical NetSpectre attacks on the Google cloud, remotely leaking data and remotely breaking ASLR.

Original language	English
Title of host publication	Computer Security - ESORICS 2019
Subtitle of host publication	24th European Symposium on Research in Computer Security, Luxembourg, September 23–27, 2019, Proceedings
Place of Publication	Cham
Publisher	Springer
Pages	279-299
Volume	1
ISBN (Electronic)	978-3-030-29959-0
ISBN (Print)	978-3-030-29958-3
DOIs	https://doi.org/10.1007/978-3-030-29959-0_14
Publication status	Published - Sept 2019
Event	ESORICS 2019: 24th European Symposium on Research in Computer Security - Luxembourg, Luxembourg Duration: 23 Sept 2019 → 27 Sept 2019

Publication series

Name	Lecture Notes in Computer Science
Volume	11735

Conference

Conference	ESORICS 2019
Country/Territory	Luxembourg
City	Luxembourg
Period	23/09/19 → 27/09/19

Access to Document

10.1007/978-3-030-29959-0_14

NetSpectre: Read Arbitrary Memory over Network
Michael Schwarz (Speaker)
23 Sep 2019
Activity: Talk or presentation › Talk at conference or symposium › Science to science

Cite this

Schwarz, M., Schwarzl, M., Lipp, M., Masters, J., & Gruß, D. (2019). NetSpectre: Read Arbitrary Memory over Network. In Computer Security - ESORICS 2019: 24th European Symposium on Research in Computer Security, Luxembourg, September 23–27, 2019, Proceedings (Vol. 1, pp. 279-299). (Lecture Notes in Computer Science; Vol. 11735). Springer. https://doi.org/10.1007/978-3-030-29959-0_14

NetSpectre: Read Arbitrary Memory over Network. / Schwarz, Michael; Schwarzl, Martin; Lipp, Moritz et al.

Computer Security - ESORICS 2019: 24th European Symposium on Research in Computer Security, Luxembourg, September 23–27, 2019, Proceedings. Vol. 1 Cham : Springer, 2019. p. 279-299 (Lecture Notes in Computer Science; Vol. 11735).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Schwarz, M, Schwarzl, M, Lipp, M, Masters, J & Gruß, D 2019, NetSpectre: Read Arbitrary Memory over Network. in Computer Security - ESORICS 2019: 24th European Symposium on Research in Computer Security, Luxembourg, September 23–27, 2019, Proceedings. vol. 1, Lecture Notes in Computer Science, vol. 11735, Springer, Cham, pp. 279-299, ESORICS 2019, Luxembourg, Luxembourg, 23/09/19. https://doi.org/10.1007/978-3-030-29959-0_14

@inproceedings{944abad99129416caab37e5e8857027e,

title = "NetSpectre: Read Arbitrary Memory over Network",

abstract = "All Spectre attacks so far required local code execution. We present the first fully remote Spectre attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over the network, leaking 15 bits per hour. We present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack.We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We demonstrate practical NetSpectre attacks on the Google cloud, remotely leaking data and remotely breaking ASLR.",

author = "Michael Schwarz and Martin Schwarzl and Moritz Lipp and Jon Masters and Daniel Gru{\ss}",

year = "2019",

month = sep,

doi = "10.1007/978-3-030-29959-0_14",

language = "English",

isbn = "978-3-030-29958-3",

volume = "1",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "279--299",

booktitle = "Computer Security - ESORICS 2019",

note = "ESORICS 2019 : 24th European Symposium on Research in Computer Security ; Conference date: 23-09-2019 Through 27-09-2019",

}

TY - GEN

T1 - NetSpectre: Read Arbitrary Memory over Network

AU - Schwarz, Michael

AU - Schwarzl, Martin

AU - Lipp, Moritz

AU - Masters, Jon

AU - Gruß, Daniel

PY - 2019/9

Y1 - 2019/9

N2 - All Spectre attacks so far required local code execution. We present the first fully remote Spectre attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over the network, leaking 15 bits per hour. We present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack.We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We demonstrate practical NetSpectre attacks on the Google cloud, remotely leaking data and remotely breaking ASLR.

AB - All Spectre attacks so far required local code execution. We present the first fully remote Spectre attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over the network, leaking 15 bits per hour. We present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack.We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system. We demonstrate practical NetSpectre attacks on the Google cloud, remotely leaking data and remotely breaking ASLR.

U2 - 10.1007/978-3-030-29959-0_14

DO - 10.1007/978-3-030-29959-0_14

M3 - Conference paper

SN - 978-3-030-29958-3

VL - 1

T3 - Lecture Notes in Computer Science

SP - 279

EP - 299

BT - Computer Security - ESORICS 2019

PB - Springer

CY - Cham

T2 - ESORICS 2019

Y2 - 23 September 2019 through 27 September 2019

ER -

NetSpectre: Read Arbitrary Memory over Network

Abstract

Publication series

Conference

Access to Document

Fingerprint

Activities

NetSpectre: Read Arbitrary Memory over Network

Cite this