makes buffer overflows more powerful by adding possibility of exploitation
Speculative execution
modern CPUs need deep pipelines for performance (CPU simultaneously executes many instructions in different steps)
CPU can’t always determine the next instruction because of conditional branches ⇒ branch prediction
branch prediction: predict target of branch based on previous executions, speculatively execute, roll back if needed
Spectre vulnerability
in Intel CPUs
related to speculative execution where rollback is incomplete (mem read stays in cache)
attacker can train branch prediction to expect a path, have program execute this path, determine which memory was speculatively loaded into cache by timing mem accesses
v1: bounds check bypass, make program e.g. predict that index will be in bounds when checking conditionals
v2: branch target injection, make call instruction mis-predict to trained target
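Added example (not from the lecture notes or any named project): the v1 "bounds check bypass" pattern beside its hardened form. The unprotected lookup is architecturally correct but still issues the out-of-bounds load transiently; the masked version removes the exploitable load by clamping the index without a branch, modeled on the Linux kernel's array_index_mask_nospec(). The array contents and probe indices are constructed sample values; the mask routine assumes the compiler treats >> on a negative signed value as an arithmetic shift (gcc and clang do), and the LFENCE variant is only compiled on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_LEN 16

/* Constructed sample data; in a real program this is an input-indexed table. */
static const uint8_t array1[ARRAY1_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* The "v1" pattern: the bounds check is a conditional branch, so a trained
 * predictor may take the in-bounds path and issue array1[idx] speculatively
 * before the comparison resolves, even when idx is out of bounds. The
 * function is architecturally correct (0 for bad indices); the problem is the
 * transient load, whose cache footprint can be timed afterwards. */
uint8_t lookup_unprotected(size_t idx) {
    if (idx < ARRAY1_LEN)
        return array1[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < size, all zeros otherwise.
 * Modeled on Linux's array_index_mask_nospec(). Assumes an arithmetic right
 * shift of negative signed values. No branch means nothing to mis-train. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* idx | (size - 1 - idx) has its top bit set exactly when idx >= size:
     * either idx itself is huge, or size - 1 - idx wrapped around. */
    intptr_t v = (intptr_t)(idx | (size - 1 - idx));
    return (size_t)(~v >> (sizeof(size_t) * 8 - 1));
}

/* Hardened lookup: even if the branch is mispredicted, the speculative load
 * uses idx & mask, which is 0 for an out-of-bounds idx, so no out-of-bounds
 * address is ever pulled into the cache. */
uint8_t lookup_masked(size_t idx) {
    if (idx < ARRAY1_LEN) {
        size_t safe_idx = idx & index_mask_nospec(idx, ARRAY1_LEN);
        return array1[safe_idx];
    }
    return 0;
}

#if defined(__x86_64__) || defined(__i386__)
#include <immintrin.h>
/* Alternative on x86: LFENCE after the check stops the load from issuing
 * until the comparison has actually retired. Costlier than masking, so it is
 * normally reserved for sites masking cannot cover. */
uint8_t lookup_lfence(size_t idx) {
    if (idx < ARRAY1_LEN) {
        _mm_lfence();
        return array1[idx];
    }
    return 0;
}
#endif

int main(void) {
    /* Constructed probe indices: in bounds, boundary, far out, and wrap-around. */
    size_t probes[] = {0, 7, 15, 16, 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t idx = probes[i];
        size_t mask = index_mask_nospec(idx, ARRAY1_LEN);
        printf("idx=%-20zu mask=%016zx masked_idx=%zu value=%u\n",
               idx, mask, idx & mask, lookup_masked(idx));
    }
    return 0;
}
```

The mask is the important part: with it, a mispredicted in-bounds branch still only reaches array1[0], so the side channel described above (which memory was speculatively loaded into cache) reveals nothing about the attacker-chosen index.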
Hacking Blind
requirement: crash-resistant program (cause a crash, but program continues running without re-randomizing ASLR), not possible in kernel
lacks information leaking primitive
use buffer overflow to corrupt and probe memory
infer targets from measurable side-effects of probes
BlindSide:
use buffer overflow to corrupt function pointer
execute corrupted function pointer speculatively to probe memory
infer targets from measurable side effects of probe
lets you do crashless probing in crash-sensitive domain (speculation is suppressor of crashes)
Newton:
instead of static analysis for ROP, does dynamic analysis
taint tracking (lol): taint attacker-controlled bytes and monitor branches (taint sinks) that depend on tainted memory; dump the taint source for each sink
Newton gadgets: callsite is tainted by addresses and may call a function