2018, year of reading arbitrary kernel memory from JavaScript. Speculative execution is the new rowhammer. And this one you can't mitigate with ECC or aggressive refresh timing. https://plus.google.com/+KristianK%C3%B6hntopp/posts/Ep26AoAZxxd …
-
Keep in mind this is all speculative execution... so all bets are off. For example, what if JS issues a bounds check, but the CPU predicts it to pass and steamrolls right off into speculatively executing a massive out-of-bounds read into kernelspace?
-
Thanks for the hint, sounds hard to get it to work reliably but indeed very possible.