Paul @pa_kt and Dion Blazakis
Paul @pa_kt presented a new kind of timing attack to bypass browser ASLR in Firefox without using an information disclosure vulnerability or another direct memory read primitive. Paul’s technique is based on the observation that user-controlled elements and address space information (such as pointers), when stored in a shared container without a constant lookup time, can be abused to infer the value of such pointers without directly reading their values. Paul’s presentation was bundled with Dion Blazakis’s GC woah technique at Summercon, whose graphics are too embarrassing to describe as part of this nomination. Dion showed that garbage collectors can sometimes be confused about when to mark pointers for release, and that this confusion can be abused for side-channel attacks against ASLR.