Intel Coffee Lake and AMD Zen+/Zen 2 Vulnerable to New “BlindSide” Speculative Execution Attack

Researchers from Amsterdam have shared details about a new Spectre-style speculative execution vulnerability in the latest AMD and Intel processors. Dubbed “BlindSide”, it allows attackers to “hack blind” in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. This works even in the face of strong randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and state-of-the-art mitigations against Spectre and other transient execution attacks.

Using a single buffer overflow in the kernel, the researchers demonstrate three BlindSide exploits that break Kernel Address Space Layout Randomization (KASLR) as well as arbitrary randomization schemes, including fine-grained randomization:

Exploit 1 – Breaking KASLR with BlindSide to mount a reliable ROP exploit.
Exploit 2 – Breaking arbitrary randomization schemes with BlindSide to mount an architectural data-only exploit (leaking the root password hash).
Exploit 3 – Breaking fine-grained randomization and kernel execute-only memory to dump the full kernel text and mount a reliable ROP exploit.

We present BlindSide, a new exploitation technique at the convergence point of software and Spectre exploitation. BlindSide uses speculative execution to turn a single memory corruption vulnerability into powerful speculative probing primitives. These primitives leak information by observing microarchitectural side effects rather than architectural side effects such as crashes, bypassing strong leakage-resistant randomization defenses. The key idea of using a software vulnerability instead of indirect branch poisoning [53] or injection [90] also allows attackers to bypass all the deployed mitigations against speculative execution attacks. Moreover, since crashes and the probe execution, in general, are suppressed on speculative paths, speculative probing cannot be detected by existing BROP-style defenses such as anomalous crash detection [35] and booby-trapping [18,23]. This allows blind attackers to stealthily probe for gadgets by speculatively executing them.

Blindside Whitepaper

The researchers used Intel’s Skylake/Coffee Lake/Whiskey Lake as well as AMD’s Zen+/Zen 2 based processors for testing this vulnerability. Comet Lake is most likely vulnerable to this attack as well. It’s unclear whether the 10nm Ice Lake chips are also affected by this security flaw.



Computer Engineering dropout (3 years), writer, journalist, and amateur poet. I started Techquila while in college to address my hardware passion. Although largely successful, it suffered from many internal weaknesses. Left and now working on Hardware Times, a site purely dedicated to processor architectures and in-depth benchmarks. That's what we do here at Hardware Times!