BlindSide allows attackers to “hack blind” in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. This works even in face of strong randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and state-of-the-art mitigations against Spectre and other transient execution attacks.
Unlike BROP attacks, BlindSide’s “Speculative BROP” attacks require no crashes. The probes are implemented using memory corruption-based speculative (rather than architectural) control-flow hijacking. As a result, all the faults encountered during the repeated probing activity are suppressed in the speculative execution domain, while the attacker leaks information via microarchitectural (rather than crash) side channels. Given a single buffer overflow in the kernel, we showcase BlindSide in three exploits: Exploit 1 – Breaking KASLR with BlindSide to mount a reliable ROP exploit; Exploit 2 – Breaking arbitrary randomization schemes with BlindSide to mount an architectural data-only exploit (leaking the root password hash); Exploit 3 – Breaking fine-grained randomization and kernel execute-only memory to dump the full kernel text and mount a reliable ROP exploit.
Our BlindSide paper (PDF) is accepted for publication at the ACM Conference on Computer and Communications Security (CCS) 2020.
Code and Demo Videos
Here is a demo video for Exploit 1 – Breaking KASLR with BlindSide to mount a reliable kernel ROP exploit (code and other demo videos coming soon):
We would like to thank Andrea Bittau (1983-2017) for inspiring us to work on “Speculative” BROP. We would also like to thank the anonymous reviewers for their valuable feedback. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct), No. 825377 (UNICORE) and No. 690972 (PROTASIS), by Intel Corporation through the Side Channel Vulnerability ISRA, by the Netherlands Organisation for Scientific Research through grants NWO 639.021.753 VENI “PantaRhei”, and NWO 016.Veni.192.262, and by the Office of Naval Research (ONR) under awards N00014-16-1-2261 and N00014-17-1-2788. This paper reflects only the authors’ view. The funding agencies are not responsible for any use that may be made of the information it contains.