Ask HN: Real-World Breaches from Speculative Execution Vulns?
For years we’ve been reading about how vulnerable so many computer systems, especially ones using Intel and AMD processors, are highly vulnerable to speculative execution attacks such as Spectre, Meltdown, Foreshadow and Fallout. Numerous demonstrations of the feasibility of these attacks have been published, seemingly showing their practicality (even in JavaScript). Microcode updates that partially mitigate them have meant significant performance slowdowns, also suggesting their practicality. Are there many cases where these vulnerabilities have led to actual security breaches of real-world systems? No, for two reasons. First is that software vulnerabilities are so much more prevalent that in the real world, it would be a wasted effort to attempt to exploit these hardware side-channel vulnerabilities. There's much lower-hanging fruit elsewhere. Second is that for the most vulnerable attack scenarios, they were mitigated long before the public release of Spectre and Meltdown. The big one was cloud computing - attackers being able to exfiltrate data from VMs running on the same host. Microsoft, Amazon and Google had many months in which to roll out updates to their infrastructure that enhanced VM isolation. Similar for browser vendors, for example Chromium introducing Site Isolation. And operating system developers - mitigations for Windows kernel and Linux were being tested for months before public disclosure. I don’t think so. Probably because it’s still much easier to get users to install ransomware by phishing or by disseminating USB sticks. Keep in mind that "breach" here is limited to an information leak. Passwords could be read to achieve a privilege escalation; but a more likely attack would be stealing private keys or other sensitive information. The latter would leave no trace on the target system. So how would you know if your private keys or passwords had been stolen? My question is about publicized hacks of any kind, which I’d still call “security breaches”. Sure, but what I'm saying is that such breaches may be much harder to detect than typical privilege escalation breaches: there may not be unusual network traffic or unusual file artifacts lying around. And even if something were detected -- say, someone stole a password and then used it to break in, and that break in were detected; or someone set up a phishing webserver that had the real private SSL certificate -- how would you know whether the password or cert was stolen via speculative execution, or whether it was socially engeneered, guessed or brute forced (in the case of a password), leaked by a disgruntled employee, or stolen by traditional hacking methods (in the case of a cert)? EDIT: If by "publicized hack", you mean the hacker(s) themselves made a public claim about having used speculative execution, then no, I haven't personally heard of such an instance. Presumably, some malware have been trying to exploit this: https://www.techrepublic.com/article/spectre-and-meltdown-fl... I've never seen them in the wild.