News & Comment: Graz University Publishes Findings on a New Type of Spectre Attack
Two security experts with Juniper Networks offer perspective in response.
Craig Dods, Distinguished Engineer – Security, Juniper Networks
“Spectre has been elevated from a class of vulnerabilities that requires local code execution privileges to one that can be conducted against remote targets. And, this first cacheless version of Spectre relies on AVX state and instructions to create a covert channel.
“Prior to this research, SIMD/AVX-based side channels had not been considered real risks. This approach relies heavily on determining the state of a particular unit, AVX2 in this case. Limiting access to these types of features on common processors is difficult, if not impossible, in many environments. It’s quite concerning from a device-hardening perspective, as fundamental protections, such as ASLR, can be easily defeated using this technique. Additionally, there’s a very real concern about private-key and cryptographic compromise.”
Mounir Hahad, Head of Threat Research at Juniper Networks
“We are getting too far into the weeds with these types of attacks – there are too many conditions for them to be practical. When it comes to network-based attacks, timing varies wildly. The proof of concept described identifies a high magnitude of deviations from the measured latency on a local network, so you can imagine that it would be even larger if the experiment ran over the internet. The need for leak and transmit gadgets to be present on the victim’s computer also makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack.”