
Remote Spectre exploits demonstrated - signa11
https://lwn.net/Articles/761100/
======
robert_tweed
This was discussed 3 days ago:

[https://news.ycombinator.com/item?id=17621823](https://news.ycombinator.com/item?id=17621823)

Posted link doesn't add anything new.

------
TekMol
But can somebody ELI5 how the remote spectre exploit works?

I understand the original spectre exploit. But have no idea how it can be done
without code being involved.

~~~
ithkuil
> without code being involved

When you perform a network request you cause code to be executed. The code on
the server is designed to respond to the request, in the same way as any local
cross-process call responds to a request (including a kernel system call).

The key difference is not in the trigger, but in the measurement: measuring
cache timing effects is more tricky when you can only interact with the target
machine via a relatively high latency (and highly variable latency) channel
such as the network. The new attack here shows how this can still be done
probabilistically.

If you wonder how you can flush the cache over the network (without code
involved) the answer is the same as the answer to this question: why can't
spectre be solved by just restricting the ability to issue a cache flush
instruction? You can effectively flush the cache by performing more requests
that cause other stuff to be loaded in the cache and evicting the parts you
want to be evicted.
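
Added example, not part of any comment in this thread or of the linked paper: a simulation of the point above that a small timing difference can still be read through network jitter by averaging many requests. The latency figures and function names are constructed assumptions; the takeaway for defenders is that extra jitter raises the per-bit sample count quadratically but does not close the channel.

```python
import math
import random
import statistics

# Constructed figures for illustration only (not measurements from the paper).
BASE_NS = 500_000    # assumed mean round-trip time
SIGNAL_NS = 100      # assumed latency difference that encodes one bit
JITTER_NS = 2_000    # assumed standard deviation of network jitter


def observe(rng, bit, n):
    """Simulate n round-trip times whose mean shifts by SIGNAL_NS when bit is 1."""
    mean = BASE_NS + (SIGNAL_NS if bit else 0)
    return [rng.gauss(mean, JITTER_NS) for _ in range(n)]


def guess_bit(samples, threshold=BASE_NS + SIGNAL_NS / 2):
    """Decide the bit by comparing the sample mean with the midpoint threshold."""
    return int(statistics.fmean(samples) > threshold)


def accuracy(n, trials=200, seed=1):
    """Fraction of random bits recovered correctly when each uses n observations."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        bit = rng.getrandbits(1)
        correct += guess_bit(observe(rng, bit, n)) == bit
    return correct / trials


def samples_needed(signal, jitter, z=3.0):
    """Observations per bit so the mean sits z standard errors from the threshold.

    The standard error is jitter / sqrt(n) and the margin is signal / 2,
    which gives n = (2 * z * jitter / signal) ** 2.
    """
    return math.ceil((2 * z * jitter / signal) ** 2)


if __name__ == "__main__":
    n = samples_needed(SIGNAL_NS, JITTER_NS)
    print("accuracy with 1 sample per bit:", accuracy(1))
    print(f"accuracy with {n} samples per bit:", accuracy(n, trials=100))
    print("samples per bit if jitter doubles:", samples_needed(SIGNAL_NS, 2 * JITTER_NS))
```
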

------
Epskampie
15 bits per hour... seems extremely low unless they are able to target the
EXACT bits they need.

~~~
hobls
This kind of attack is catastrophic in cryptography.

~~~
black_puppydog
yeah, like, shortening a secret key by 15 bits per hour would save a looot of
brute force...

~~~
dogma1138
Extracting a key over only a few days pretty much is a killer. Heck, even a few
months for a high-value target is game over; think what happens if you get the
private key of a key internet service like Google or Facebook, not to mention
.gov or .mil sites.

------
api
Do spectre mitigations already out there fix this?

~~~
ajross
In principle, yes. It's not a different exploit, it's just a different
measurement technique for the timing (and one that most people wouldn't have
expected to be possible).

~~~
loeg
Isn't the AVX warmup latency a novel mechanism not documented in existing
literature and therefore not mitigated? They also point out that lfence is not
a total solution to preventing speculative access (and it isn't being adopted
anyway since the performance cost is high).

~~~
rurban
AVX and esp. AVX2 warmup time is very well known. That's why they tried it
over this path at first. But you could use normal instructions also, it's just
slower to extract keys.

~~~
loeg
For ordinary execution, yes, but was it known that the processor warms up the
AVX units based on speculated branches?

