Researcher Names: Enes Goktas, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, Cristiano Giuffrida at VUSec
Link: Speculative Probing: Hacking Blind in the Spectre Era
To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim’s code. In the absence of such info-leak vulnerabilities, attackers can still “hack blind” and derandomize the address space by repeatedly probing the victim’s memory while observing crash side effects. Since the blind probes are commonly used to launch return-oriented programming attacks, the method is frequently referred to as Blind ROP (or BROP). Unfortunately for the attacker, BROP is only feasible for crash-resistant programs. However, the most high-value targets such as the Linux kernel are not crash-resistant: any probe that touches invalid memory will crash the system. So, blind attacks on the kernel are infeasible. Or so we thought.
The BlindSide attack shows that an attacker armed with a single memory corruption vulnerability in the Specter era can “hack blind” without triggering even a single crash. That is, given a simple buffer overflow in the kernel and *no* additional information leak vulnerability, BlindSide can mount BROP-style attacks in the *speculative execution domain* to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets and enable reliable exploitation. This
works even in the face of solid randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory and state-of-the-art mitigations against Spectre and other transient execution attacks. Leaks are so 2019!