On the Weakness of Constant Blinding PRNG in Flash Player

2018 
Constant blinding is considered an effective mitigation against JIT spray attacks. In this paper, we study the design and implementation of the constant blinding mechanism in Flash Player and analyse the weakness in its pseudo random number generator (PRNG). We demonstrate how this weakness can be exploited to recover the PRNG seed value, and thus bypass constant blinding in Flash Player.