The 2013 Pwnie Nominee For Most Innovative Research

Leaking Addresses with Vulnerabilities that Can't Read Good

Paul @pa_kt and Dion Blazakis

Paul @pa_kt presented a new kind of timing attack to bypass browser ASLR in Firefox without using an information disclosure vulnerability or any other direct memory read primitive. Paul's technique is based on the observation that when user-controlled elements and address space information (such as pointers) are stored in a shared container without a constant lookup time, the lookup timing can be abused to infer the value of such pointers without directly reading them. Paul's presentation was bundled with Dion Blazakis' GC woah technique at Summercon, whose graphics are too embarrassing to describe as part of this nomination. Dion showed that garbage collectors can sometimes be confused about when to mark pointers for release, and that this confusion can be abused for side-channel attacks against ASLR.