Could you elaborate why this is exploitable in JavaScript? In order to abuse "speculative execution" you have to make an instruction which refers to the to-be-leaked memory. But if the JavaScript engine emits a load instruction for arbitrarily chosen addresses, it has already failed.
I don't know the details, but given how insidious this bug is, I wouldn't at all be surprised if there are other attack avenues that don't require issuing a direct load from kernel space. This isn't one attack, it's a whole new class of attacks.
People are just now looking at microcode... Reliable KASLR and maybe even CFI bypass with branch prediction and TLB bugs, anyone?