Researchers bypass ASLR protection

A team of scientists from two US universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection via the BTB (Branch Target Buffer), a component found in many modern CPU architectures such as Intel processors, which were also the processors they used for testing in their research.

ASLR is a security feature that all major operating systems have; it has been part of Windows, Linux, macOS and iOS for many years.

The feature works by loading the data objects sent to the CPU for processing into a random address space inside the computer's memory (RAM), where they then run.

Because most "takeover" vulnerabilities rely on corrupting memory data through buffer overflows, an attacker who wants to craft a working exploit must trick the computer into executing malicious code. To do this, they need to know the address space an application uses to execute code inside the computer's memory, which can be determined quite easily by analyzing the application's source code.

That is where ASLR comes in: it encrypts memory addresses by keeping them in an index. So if ASLR is working properly, malware or exploits will "hit" the wrong memory locations, leaving the computer safe and sound.
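A quick way for a defender to confirm that a Linux system is actually randomizing process layouts is to compare the base address of each memory region across several runs of the same program. The script below is an added example (not code from the article or from the paper it describes): it parses `/proc/<pid>/maps` lines, records the base address of every named region, and reports which regions moved between runs and which stayed fixed. The two `maps` snapshots embedded in it are constructed for illustration; the `check_live` helper runs the same comparison on a real Linux host.

```python
"""ASLR sanity check: did each memory region get a different base address
on every run?  Added example; not from the article or the research paper.
The RUN_A / RUN_B snapshots below are constructed sample /proc/<pid>/maps
output, not captured from a real machine."""
import re
import subprocess
from collections import defaultdict

# start-end perms offset dev inode [path]; the path may be absent (anonymous mapping)
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")


def parse_maps(text):
    """Return {region: base_address} for one process snapshot.

    Region is the mapping's path or pseudo-path (e.g. "[stack]", "/opt/demo/app").
    Only the first mapping seen for a region is kept, i.e. its lowest/base address.
    """
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, _end, _perms, name = m.groups()
        name = name.strip() or "[anon]"
        bases.setdefault(name, int(start, 16))
    return bases


def randomized_regions(snapshots):
    """Given parse_maps() results from separate runs of the same program,
    return {region: True if its base differed between runs, False if it was
    identical every time}.  A False entry is a region ASLR is not moving."""
    seen = defaultdict(set)
    for snap in snapshots:
        for name, base in snap.items():
            seen[name].add(base)
    return {name: len(addrs) > 1 for name, addrs in seen.items()}


def check_live(runs=3):
    """Spawn `cat /proc/self/maps` several times (Linux only) and classify."""
    snaps = [
        parse_maps(subprocess.check_output(["cat", "/proc/self/maps"], text=True))
        for _ in range(runs)
    ]
    return randomized_regions(snaps)


# Constructed snapshots of two runs of the same binary: heap, libc and stack
# move between runs, but the main executable was linked without PIE, so it
# always lands at the same fixed base address.
RUN_A = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/demo/app
01e2c000-01e4d000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd4b3e0000-7ffd4b401000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/demo/app
0225f000-02280000 rw-p 00000000 00:00 0 [heap]
7f8e52a00000-7f8e52bc0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffee1d20000-7ffee1d41000 rw-p 00000000 00:00 0 [stack]
"""


def sample_result():
    """Classify the constructed snapshots; the non-PIE binary shows up as FIXED."""
    return randomized_regions([parse_maps(RUN_A), parse_maps(RUN_B)])


if __name__ == "__main__":
    for region, moved in sample_result().items():
        print(f"{region:40s} {'randomized' if moved else 'FIXED'}")
```

A region reported as FIXED is one whose address an attacker would not need to leak at all, which is why the example marks a non-PIE main executable: enabling ASLR system-wide does nothing for a binary that was not built position-independent.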

In a paper released this week, a team of computer science experts reports that they identified a problem in the BTB, a cache system that tracks memory locations. Processors use the BTB to speed up their work, and it functions much like a browser cache, which is normally used to speed up web pages you have already visited.

The technique described by the researchers lets them retrieve data from the CPU core that holds the ASLR index tables, allowing attackers to learn where the code of a particular application runs and to fine-tune their exploits accordingly.

"The described attack can take place in a very short time: it only takes 60 milliseconds to collect the required number of samples," the researchers said in their study.

The attack requires a special program, which has only been tested on a Linux machine with an Intel Haswell processor. However, the researchers report that the same attack should in theory work on any other operating system, even on KVMs (Kernel ), the bare-bones operating systems built for cloud services.

In their work the three researchers propose a series of hardware and software fixes that can mitigate this kind of attack. The simplest is a software fix: it asks OS vendors to implement ASLR protection at the level of individual code functions rather than of whole data objects.

The research paper, titled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, was authored by Dmitry Evtyushkin and Dmitry Ponomarev from the State University of and Nael Abu-Ghazaleh from the University of California.

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR


Written by giorgos
