Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation

Mathé Hertogh, Sander Wiebing, Cristiano Giuffrida

IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 5

This talk, presented by Mathé Hertogh, Sander Wiebing, and Cristiano Giuffrida from VUsec, introduces a novel and concerning development in speculative execution attacks, specifically **Spectre**. The research re-enables Spectre attacks via a new class of disclosure gadget, termed "unmasked gadgets," which were previously believed to be unexploitable. The core finding is that arbitrary ASCII data can be leaked, such as the contents of the kernel's `/etc/shadow` file, even from a user-space process. This is demonstrated on older-generation AMD CPUs, but, critically, the techniques developed primarily focus on bypassing the architectural and microarchitectural protections of future-generation Intel, AMD, and ARM CPUs.

AI review

This research fundamentally re-enables Spectre via a novel class of "unmasked" gadgets, previously considered unexploitable. By abusing future CPU features like LAM and leveraging the TLB as a covert channel, it achieves arbitrary kernel data leakage, forcing a critical re-evaluation of speculative execution mitigations across industry.