Vulnerabilities tagged 'interesting exploit'

Spook.js - Speculative Type Confusion

The cool part of this paper is the speculative type confusion attack: the browser’s optimizer is trained to expect that a memory access will be to a uint8 array, and the CPU branch predictor is trained to expect that execution will always go down that path. The attack then changes both conditions, leading the CPU to speculatively execute the uint8 access using data from another object, aligned in memory such that two 32-bit values in JavaScript become one 64-bit value.