A team of scientists from two US universities devised a method of bypassing ASLR (Address Space Layout Randomization) protection through the BTB (Branch Target Buffer), a component included in many modern CPU architectures, such as Intel Haswell processors, which is also the processor they used for the tests in their research.
The protection works on the loaded data objects that are sent to the CPU for processing and assigned to a random address space in which they run inside the computer's memory (RAM).
Because most "takeover" vulnerabilities are based on the corruption of memory data through buffer overflows, an attacker must know how to craft the malicious exploit so that the computer is tricked into executing the malicious code. To do this, the attacker needs to know the address space that an application uses to execute code inside the computer's memory. This can be determined quite easily by analyzing the source code of the application.
That's where ASLR comes in: it encrypts memory addresses by keeping them in an index. So if ASLR is working properly, the malware or exploits "hit" the wrong memory locations, leaving the computer safe and sound.
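ASLR only pays off when two preconditions hold: the kernel's randomization is switched on, and the binary was built so its code segment can actually be relocated. The following check is an added example for defenders (written for this page, not code from the article or from the researchers' paper); it assumes a Linux host, reads the documented `/proc/sys/kernel/randomize_va_space` sysctl, and inspects the ELF header's `e_type` field to tell a position-independent executable (ET_DYN) from a fixed-address one (ET_EXEC). The two ELF headers embedded below are constructed samples, not real binaries.

```python
"""Check whether ASLR can protect a given ELF binary's code on Linux (added example)."""
import struct
import sys
from pathlib import Path

# Documented meanings of /proc/sys/kernel/randomize_va_space (Linux sysctl docs).
RANDOMIZE_VA_SPACE = {
    0: "ASLR disabled",
    1: "stack, mmap and VDSO randomized (brk is not)",
    2: "stack, mmap, VDSO and brk randomized (full ASLR)",
}

# ELF e_type values from the ELF specification.
ET_EXEC = 2  # fixed-address executable: code segment loads at the same address every run
ET_DYN = 3   # position-independent executable or shared object: code base can be randomized


def describe_randomize_va_space(sysctl_text: str) -> str:
    """Translate the raw sysctl file contents (e.g. '2\\n') into a human-readable level."""
    level = int(sysctl_text.strip())
    return RANDOMIZE_VA_SPACE.get(level, f"unknown randomize_va_space value {level}")


def elf_code_is_relocatable(elf_bytes: bytes) -> bool:
    """Return True when the ELF header says the image is ET_DYN (PIE).

    ET_EXEC binaries keep fixed code addresses even when kernel ASLR is fully enabled,
    so an attacker would not need to defeat ASLR at all for their code segment.
    """
    if len(elf_bytes) < 18 or elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    # e_ident[EI_DATA] at offset 5: 1 = little-endian, 2 = big-endian.
    endian = "<" if elf_bytes[5] == 1 else ">"
    # e_type is the 16-bit field immediately after the 16-byte e_ident array.
    (e_type,) = struct.unpack_from(endian + "H", elf_bytes, 16)
    return e_type == ET_DYN


def assess(sysctl_text: str, elf_bytes: bytes) -> dict:
    """Combine kernel setting and binary type into one verdict on code-address randomization."""
    level = int(sysctl_text.strip())
    pie = elf_code_is_relocatable(elf_bytes)
    return {
        "kernel_aslr": describe_randomize_va_space(sysctl_text),
        "binary_is_pie": pie,
        # Code addresses move between runs only if the kernel randomizes mmap (level >= 1)
        # AND the loader is free to place the image (ET_DYN).
        "code_addresses_randomized": level >= 1 and pie,
    }


def _fake_elf64_header(e_type: int) -> bytes:
    """Build a constructed, minimal 64-bit little-endian ELF header for demonstration only."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian, v1
    return e_ident + struct.pack("<HH", e_type, 0x3E)  # e_type, e_machine = x86-64


# Constructed sample headers (not real binaries).
SAMPLE_PIE_HEADER = _fake_elf64_header(ET_DYN)
SAMPLE_EXEC_HEADER = _fake_elf64_header(ET_EXEC)


if __name__ == "__main__":
    # Usage: python aslr_check.py /path/to/binary   (falls back to the constructed samples)
    sysctl = Path("/proc/sys/kernel/randomize_va_space")
    sysctl_text = sysctl.read_text() if sysctl.exists() else "2"
    if len(sys.argv) > 1:
        header = Path(sys.argv[1]).read_bytes()[:64]
        print(sys.argv[1], assess(sysctl_text, header))
    else:
        print("constructed PIE sample ", assess(sysctl_text, SAMPLE_PIE_HEADER))
        print("constructed EXEC sample", assess(sysctl_text, SAMPLE_EXEC_HEADER))
```

The verdict is deliberately conservative: an ET_EXEC binary on a fully randomized kernel still reports `code_addresses_randomized: False`, because the kernel can randomize the stack and heap but not the fixed text segment of such an image.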
In a paper released this week, a team of computer science experts said they had identified a problem with the BTB, a cache system that tracks memory locations. Processors use the BTB to speed up execution much like a browser cache is used to speed up websites you have already visited.
The technique described by the researchers allows them to retrieve data from the CPU core containing the ASLR index tables, which lets attackers learn where the code of a particular application is running so that they can refine their exploits.
"The described attack can take place in a very short time: it only takes 60 milliseconds to collect the required number of samples," the researchers said in their study.
The attack requires a special program that has only been tested on a single Linux machine with an Intel Haswell processor. Nevertheless, the researchers say that the same attack should in theory work on any other operating system, even KVMs (Kernel Virtual Machines), the bare-bones operating systems built for cloud services.
In their work, the three researchers suggest a series of hardware and software fixes that can mitigate these types of attacks. The easiest solution is a software one: OS vendors would implement ASLR protection at the level of code functions rather than data objects.
The research work entitled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR has been written by Dmitry Evtyushkin and Dmitry Ponomarev from State University of New York and Nael Abu-Ghazaleh from the University of California.