Two methods for exploiting speculative control flow hijacks


Andrea Mambretti, Northeastern University; Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, and Anil Kurmus, IBM Research - Zurich


Touted as the buffer overflows of the age, Spectre and Meltdown have created significant interest around microarchitectural vulnerabilities and have been instrumental for the discovery of new classes of attacks. Yet, to-date, real-world exploits are rare since they often either require gadgets that are difficult to locate, or they require the ability of the attacker to inject code. In this work, we uncover two new classes of gadgets with very few restrictions on their structure, making them suitable for real-world exploitation. We demonstrate -- through PoCs -- their suitability to leak one bit and one byte respectively per successful attack, achieving high success rates and low noise on the constructed side-channel. We test our attack PoC on various kernels with default mitigations enabled, showing how they are insufficient to protect against them. We also show that hardening the configuration of mitigations successfully prevents exploitation, making a case for their wider adoption.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {238598,
author = {Andrea Mambretti and Alexandra Sandulescu and Matthias Neugschwandtner and Alessandro Sorniotti and Anil Kurmus},
title = {Two methods for exploiting speculative control flow hijacks},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {},
publisher = {USENIX Association},
month = aug