New NetSpectre-Class Attack Raises Device-Hardening Concern

A new type of NetSpectre attack requires no malware or malicious JavaScript, because it instead attacks victims through network connections, according to researchers at Graz University of Technology. Four scientists at the university have published findings on a new type of Spectre attack in a paper entitled NetSpectre: Read Arbitrary Memory over Network. The paper details a new CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine, a significant development for Spectre-class attacks. “By manipulating the branch prediction, Spectre tricks a target process into performing a sequence of memory accesses which leak secrets from chosen virtual memory locations to the attacker. This completely breaks confidentiality and renders virtually all security mechanisms on an affected system ineffective,” the researchers wrote. Until now, Spectre attacks have needed the victim to either download and run malicious code on a machine or access a website that runs malicious JavaScript in the user's browser, but Spectre attacks have now evolved from requiring local code execution privileges to the first cache-less version that uses AVX state and instructions to create a covert channel, according to Craig Dods, distinguished engineer, security, at Juniper Networks.

Spotlight

Other News

Dom Nicastro | April 03, 2020

Read More

Dom Nicastro | April 03, 2020

Read More

Dom Nicastro | April 03, 2020

Read More

Dom Nicastro | April 03, 2020

Read More