Exploits: BlindSide SpecEx Attacks

grarpamp grarpamp at gmail.com
Sun Sep 13 19:40:05 PDT 2020


https://www.vusec.net/projects/blindside/
https://download.vusec.net/papers/blindside_ccs20.pdf
https://www.youtube.com/watch?v=m-FUIZiRN5o

BlindSide allows attackers to “hack blind” in the Spectre era. That
is, given a simple buffer overflow in the kernel and no additional
info leak vulnerability, BlindSide can mount BROP-style attacks in the
speculative execution domain to repeatedly probe and derandomize the
kernel address space, craft arbitrary memory read gadgets, and enable
reliable exploitation. This works even in the face of strong randomization
schemes, e.g., the recent FGKASLR or fine-grained schemes based on
execute-only memory, and state-of-the-art mitigations against Spectre
and other transient execution attacks.


More information about the cypherpunks mailing list