Researchers from Amsterdam have shared details about a new Spectre-style speculative execution vulnerability in the latest AMD and Intel processors. Dubbed “BlindSide”, it allows attackers to “hack blind” in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. This works even in the face of strong randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and state-of-the-art mitigations against Spectre and other transient execution attacks.
Using a single buffer overflow in the kernel, the researchers demonstrate three BlindSide exploits that break Kernel Address Space Layout Randomization (KASLR) as well as arbitrary randomization schemes, including fine-grained randomization:
Exploit 1 – Breaking KASLR with BlindSide to mount a reliable ROP exploit;
Exploit 2 – Breaking arbitrary randomization schemes with BlindSide to mount an architectural data-only exploit (leaking the root password hash);
Exploit 3 – Breaking fine-grained randomization and kernel execute-only memory to dump the full kernel text and mount a reliable ROP exploit.
We present BlindSide, a new exploitation technique at the convergence point of software and Spectre exploitation. BlindSide uses speculative execution to turn a single memory corruption vulnerability into powerful speculative probing primitives. These primitives leak information by observing microarchitectural side effects rather than architectural side effects such as crashes, bypassing strong leakage-resistant randomization defenses. The key idea of using a software vulnerability instead of indirect branch poisoning or injection also allows attackers to bypass all the deployed mitigations against speculative execution attacks. Moreover, since crashes and the probe execution, in general, are suppressed on speculative paths, speculative probing cannot be detected by existing BROP-style defenses such as anomalous crash detection and booby-trapping [18,23]. This allows blind attackers to stealthily probe for gadgets by speculatively executing them.
(BlindSide whitepaper)
The researchers used Intel’s Skylake/Coffee Lake/Whiskey Lake as well as AMD’s Zen+/Zen 2-based processors for testing this vulnerability. Comet Lake is most likely vulnerable to this attack as well. It’s unclear whether the 10nm Ice Lake chips are also affected by this security flaw.