TY - GEN
T1 - Spectre without shared memory
AU - Amos, Ben
AU - Gilboa, Niv
AU - Levy, Arbel
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/1/1
Y1 - 2019/1/1
N2 - The Spectre attack by Kocher et al. [11] reads arbitrary data from colocated processes by exploiting two common features of modern processors: speculative execution and shared caches. While theoretically the attack works in many different settings, the current variations all require that the attacker share with the target a memory region that includes vulnerable code which accepts input from the attacker. Motivated by the common practice in cloud computing of not allowing shared memory between different users, we construct the first Spectre-type attack in which the target and the attacker do not share any memory pages. The target is a server and the attacker is colocated with the target, shares a Last-Level Cache with it and provides input to the target as a typical client over TCP. We develop new techniques for the attack including accurate location of the target's code and data in the shared cache, noise suppression enabling reliable retrieval of the target's data and optimizations speeding up the retrieval process. An indispensable tool in the retrieval process is a careful comparison of cache activity between two scenarios: the attacker sending as input an address of interest x and the attacker sending a different address x′. The comparison enables extraction of a single memory byte from the target. We report on a Proof-of-Concept implementation of our attack and on tests on two Intel multi-core platforms with inclusive Last-Level Caches and speculative execution. The tests ran in two virtualization settings, Virtual Machines and Linux containers, and in two profiles of cache activity, relative inactivity and very high activity. The setup phase, in which the attacker locates the target's data in the cache, requires on the order of several minutes to several tens of minutes. The attack successfully extracts the data with probability per byte between 0.91 and 0.99 and a rate ranging from 0.4 to 10 bytes per second.
KW - Cross-VM side channel
KW - Last-level cache
KW - Side-channel attack
KW - Speculative execution
UR - http://www.scopus.com/inward/record.url?scp=85065649835&partnerID=8YFLogxK
U2 - 10.1145/3297280.3297470
DO - 10.1145/3297280.3297470
M3 - Conference contribution
AN - SCOPUS:85065649835
SN - 9781450359337
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1944
EP - 1951
BT - Proceedings of the ACM Symposium on Applied Computing
PB - Association for Computing Machinery
T2 - 34th Annual ACM Symposium on Applied Computing, SAC 2019
Y2 - 8 April 2019 through 12 April 2019
ER -