{"guid":"4c92b3f4-e32a-483b-9e5f-4e8201849284","title":"Memory Deduplication: The Curse that Keeps on Giving","subtitle":"A tale of 3 different memory deduplication based exploitation techniques","slug":"33c3-8022-memory_deduplication_the_curse_that_keeps_on_giving","link":"https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8022.html","description":"We are 4 security researchers who have collectively worked on 3 different attack techniques that all (ab)use memory deduplication in one way or another. There is a cross-VM data leak attack, a cross-VM data write attack, and an in-sandbox (MS Edge) JavaScript data leak + full memory read/write attack.\n\nIn this talk we detail how memory deduplication works and the many different ways it is exploited in our attacks.","original_language":"eng","persons":["Ben Gras","Kaveh Razavi","brainsmoke","Antonio Barresi"],"tags":["Security"],"view_count":2659,"promoted":false,"date":"2016-12-29T12:45:00.000+01:00","release_date":"2016-12-29T01:00:00.000+01:00","updated_at":"2026-03-25T15:00:06.672+01:00","length":3550,"duration":3550,"thumb_url":"https://static.media.ccc.de/media/congress/2016/8022-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/2016/8022-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2016/4c92b3f4-e32a-483b-9e5f-4e8201849284-timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2016/4c92b3f4-e32a-483b-9e5f-4e8201849284-thumbnails.vtt","frontend_link":"https://media.ccc.de/v/33c3-8022-memory_deduplication_the_curse_that_keeps_on_giving","url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_title":"33C3: works for 
me","conference_url":"https://api.media.ccc.de/public/conferences/33c3","related":[{"event_id":3606,"event_guid":"1aa7a4c5-1a3f-444f-99fb-e9c7b4744794","weight":19},{"event_id":3607,"event_guid":"64c07cb5-ec19-4972-a2c8-96c0e0df83c6","weight":71},{"event_id":3687,"event_guid":"5ae90a09-0b83-4357-bdb4-9afc04100c68","weight":24},{"event_id":3689,"event_guid":"1f7eb981-2819-4824-8f40-4ddde0be7bf3","weight":20},{"event_id":3692,"event_guid":"f21478d4-e8db-4f19-854c-2f74b5824706","weight":19},{"event_id":3698,"event_guid":"994082de-ef8e-4f8e-8c46-ec0eb110b845","weight":27},{"event_id":3699,"event_guid":"0d02bd82-f771-471c-b4bb-5e24b755b169","weight":36},{"event_id":3705,"event_guid":"b8d9fac7-bbe6-40da-aa80-aed27f77a708","weight":21},{"event_id":3708,"event_guid":"aaec73e9-66b9-46d2-aa0f-9f43018198ea","weight":27},{"event_id":3712,"event_guid":"cb23378b-6db0-4e2f-a4c8-f5006a467ca3","weight":20},{"event_id":3722,"event_guid":"b5b4ce04-1e4b-4e09-8347-4e72cb5f90b9","weight":24},{"event_id":3731,"event_guid":"bc638f9f-0370-42f9-b83c-f85cca4ca38d","weight":45},{"event_id":3733,"event_guid":"855ab830-c6c0-4be7-b84c-31ba78e90e3c","weight":21},{"event_id":3734,"event_guid":"34ea8f1f-9fad-41aa-8424-e833f10e5e8b","weight":32},{"event_id":3742,"event_guid":"7a5971c8-746b-4450-ba89-6569667f77c2","weight":37},{"event_id":3762,"event_guid":"25e2df7d-5740-4c2f-bc34-986326d606fe","weight":21}],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"DRAFT_33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.en_DRAFT.srt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2022-01-15T17:32:21.656+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/DRAFT_33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.en_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/50609","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e820184928
4","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":270,"length":3550,"mime_type":"video/mp4","language":"eng","filename":"33c3-8022-eng-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T22:30:28.323+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-8022-eng-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.mp4","url":"https://api.media.ccc.de/public/recordings/14358","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":310,"length":3550,"mime_type":"video/mp4","language":"deu","filename":"33c3-8022-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T22:30:44.920+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-8022-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.mp4","url":"https://api.media.ccc.de/public/recordings/14359","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":393,"length":3550,"mime_type":"video/mp4","language":"eng-deu","filename":"33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-29T22:31:00.621+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_hd.mp4","url":"https://api.media.ccc.de/public/recordings/14360","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":53,"length":3537,"mime_t
ype":"audio/mpeg","language":"eng","filename":"33c3-8022-eng-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2016-12-29T22:46:43.948+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/mp3/33c3-8022-eng-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.mp3","url":"https://api.media.ccc.de/public/recordings/14378","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":44,"length":3537,"mime_type":"audio/opus","language":"eng","filename":"33c3-8022-eng-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2016-12-29T22:47:11.828+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/opus/33c3-8022-eng-Memory_Deduplication_The_Curse_that_Keeps_on_Giving.opus","url":"https://api.media.ccc.de/public/recordings/14379","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":149,"length":3550,"mime_type":"video/mp4","language":"eng-deu","filename":"33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2016-12-30T10:54:52.101+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/h264-sd/33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_sd.mp4","url":"https://api.media.ccc.de/public/recordings/14496","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":139,"length":3550,"mime_type":"video/webm","language":"eng-deu","filename":"33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_webm-
sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2016-12-30T10:55:24.110+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/webm-sd/33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/14497","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"},{"size":323,"length":3550,"mime_type":"video/webm","language":"eng-deu","filename":"33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2016-12-30T10:56:06.874+01:00","recording_url":"https://cdn.media.ccc.de/congress/2016/webm-hd/33c3-8022-eng-deu-Memory_Deduplication_The_Curse_that_Keeps_on_Giving_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/14498","event_url":"https://api.media.ccc.de/public/events/4c92b3f4-e32a-483b-9e5f-4e8201849284","conference_url":"https://api.media.ccc.de/public/conferences/33c3"}]}