NetSpectre: Read Arbitrary Memory over Network

@article{Schwarz2019NetSpectreRA,
  title={NetSpectre: Read Arbitrary Memory over Network},
  author={Michael Schwarz and Martin Schwarzl and Moritz Lipp and Daniel Gruss},
  journal={ArXiv},
  year={2019},
  volume={abs/1807.10535}
}
In this paper, we present NetSpectre, a generic remote Spectre variant 1 attack. For this purpose, we demonstrate the first access-driven remote Evict+Reload cache attack over network, leaking 15 bits per hour. Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high-performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in… 
ScatterCache: Thwarting Cache Attacks via Cache Set Randomization
TLDR
SCATTERCACHE eliminates fixed cache-set congruences and, thus, makes eviction-based cache attacks impractical, and the evaluations show that the runtime performance of software is not curtailed and the design even outperforms state-of-the-art caches for certain realistic workloads.
CoDaRR: Continuous Data Space Randomization against Data-Only Attacks
TLDR
CoDaRR is presented, the first dynamic DSR scheme resilient to disclosure attacks, that continuously rerandomizes the masks used in loads and stores, and re-masks all memory objects to remain transparent w.r.t. program execution.
Streamline: a fast, flushless cache covert-channel attack by enabling asynchronous collusion
TLDR
This paper presents Streamline, a flush-less covert-channel attack faster than all prior known attacks, and achieves a bit-rate of 1801 KB/s, which is 3x to 3.6x faster than the previous fastest Take-a-Way and Flush+Flush attacks, at comparable error rates.
Remote Memory-Deduplication Attacks
TLDR
It is concluded that memory deduplication must also be considered a security risk if only applied within a single security domain.
Spectrum: Classifying, Replicating and Mitigating Spectre Attacks on a Speculating RISC-V Microarchitecture
TLDR
A taxonomy for speculative style attacks and defenses, replication of speculative attacks on an open-source processor, and a hardware implementation of a speculative buffer that mitigates basic speculative cache attacks are presented.
NetCAT: Practical Cache Attacks from the Network
TLDR
This paper reverse engineers the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and presents NetCAT, the first network-based PRIME+PROBE cache attack on the processor's LLC of a remote machine.
Fallout: Leaking Data on Meltdown-resistant CPUs
TLDR
It is shown that Meltdown-like attacks are still possible, and software fixes with potentially significant performance overheads are still necessary to ensure proper isolation between the kernel and user space.
Page Cache Attacks
TLDR
A new side-channel attack that targets one of the most fundamental software caches in modern computer systems: the operating system page cache, and demonstrates a remote covert channel exfiltrating information from a colluding process through innocuous server requests.
A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography
TLDR
This article systematizes microarchitectural side channels with a focus on attacks and defenses in cryptographic applications, and conducts a large-scale evaluation on popular cryptographic applications in the real world to analyze the severity, practicality, and impact of side-channel vulnerabilities.

References

FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack
TLDR
This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in the Intel X86 processors to monitor access to memory lines in shared pages and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
Practical Timing Side Channel Attacks against Kernel Space ASLR
TLDR
This paper shows that an adversary can implement a generic side channel attack against the memory management system to deduce information about the privileged address space layout and can successfully circumvent kernel space ASLR on current operating systems.
Flush+Flush: A Stealthier Last-Level Cache Attack
TLDR
The Flush+Flush attack has a performance close to state-of-the-art side channels in existing cache attack scenarios, while reducing cache misses significantly below the border of detectability, in the first work discussing the stealthiness of cache attacks both from the attacker and the defender perspective.
Spectre Returns! Speculation Attacks using the Return Stack Buffer
TLDR
This paper introduces a new Spectre-class attack that is based on exploiting the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses, and recommends that this patch should be used on all machines to protect against SpectreRSB.
ARMageddon: Cache Attacks on Mobile Devices
TLDR
This work demonstrates how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges.
Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
TLDR
This work introduces Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions that allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR.
Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices
TLDR
A novel construction of flush-reload side channels on the last-level caches of ARM processors is demonstrated, which in particular exploits return-oriented programming techniques to reload instructions.
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
TLDR
DRAMA attacks are introduced, a novel class of attacks that exploit the DRAM row buffer, which is shared even in multi-processor systems, and enable practical Rowhammer attacks on DDR4.
Jump over ASLR: Attacking branch predictors to bypass ASLR
TLDR
This paper develops an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB) and describes several possible protection mechanisms, both in software and in hardware.
Cache Attacks and Countermeasures: The Case of AES
TLDR
An extremely strong type of attack is demonstrated, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache.