I was hoping this would be a guest-to-host proof of concept, am I wrong in seeing this just as running the other PoC on a Kubernetes host? Because that seems like it should have been assumed…
I’m seeing a lot of people downplay Spectre compared to Meltdown – basically, the common claim seems to be that patching for Meltdown is super important but people shouldn’t worry too much about Spectre because it’s “hard to exploit in practice”.
This is the third working proof-of-concept in a VM or sandbox I’ve seen since yesterday.
The base PoC mentioned here involves a very specifically crafted function within the same process as the attacker function.
Unlike Meltdown, Spectre is a class of attack which requires a pretty specific style of code path to be present in the victim process, and for that code path to be somewhat controllable from outside processes. It’s a really high bar!
Though it’s a bit of a nightmare for sandboxing, since it gives easy ways to read a process’ own memory. Though to be honest, that’s probably more evidence of the futility of sandboxing in general than other things. But cross-process attacks are tricky.
(The biggest danger I saw from Spectre was the possibility of exploitable code being in shared libraries, because that makes it a lot easier for the attacker process to poison the well).