Are Spectre Attacks on Ethereum Wallets possible?


#1

A number of side-channel attacks on Intel and ARM processors have been released this week by Paul Kocher and collaborators. These attacks exploit processor features such as speculative execution to let un-privileged processes read kernel memory, essentially breaking the entire security model of the operating system.

https://spectreattack.com/spectre.pdf

As a proof-of-concept, JavaScript code was written that, when run in the Google Chrome browser, allows JavaScript to read private memory from the process in which it runs.

It would be interesting to understand how this will apply to Ethereum wallets, specifically browser-based wallets … A question is whether Metamask and Mist are vulnerable to attackers stealing private keys … Note that the PoC code reads the private memory of the browser process, but from reading the rest of the paper it seems that the entire memory space is vulnerable …


#2

Eek :frowning:

Probably; it seems to me that the only way to defeat attacks that can access the entire memory is to either come up with some sci-fi scheme to avoid using memory entirely (i.e. somehow implement a Turing-complete language directly using file system operations and use that to sign; no idea if this is possible) or use a secure hardware device. Though people with more domain knowledge than me can probably come up with something better.


#3

Yes, but that can be mitigated by running every tab in a separate process with no shared sensitive memory. Until all browsers implement that, remember to run web wallets in a completely separate browser instance.
Which in case of metamask on chrome unfortunately means a separate browser profile.

Moving signing to a non-mapped gpu memory should be enough. Unless gpus are also vulnerable to spectre…


#4

How do you go from private key storage to GPU and keyboard (passphrase) to GPU without touching the CPU/RAM?


#5

It’s ok to touch cpu as long as keys are in registers only and never leave them (e.g. during a context switch); meltdown can only read ring0 memory. This would require a kernel module.
In principle it would allow running with a fully encrypted memory (code+data) as long as the key is safely put in during the boot process.

Somewhat related, enterprise gpus support direct io, like in this project. It’s called gpudirect for nvidia and directgma for amd.


#6

The possibility of an attack makes cold storage solutions even more important.


#7

This is also why partial slashing is important :slight_smile: