SMoTherSpectre: exploiting speculative execution through port contention
This addresses security vulnerabilities in applications like servers and encryption libraries, posing a threat to systems that do not load attacker-provided code, and is incremental as it builds on known Spectre-type attacks.
The paper tackled the problem of information disclosure through micro-architectural weaknesses by introducing SMoTherSpectre, a speculative code-reuse attack that uses port contention as a side channel, resulting in the discovery of hundreds of gadgets in glibc and proof-of-concept attacks against OpenSSH and OpenSSL.
Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels. We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc.