A group of scientists from two US universities devised a method to bypass it protections ASLR (Address Space Layout Randomization) via the BTB (Branch Target Buffer), a component included in many modern CPU architectures, such as the Intel Haswell processors that were the processor they used for testing in their research.
ASLR protection is a security feature that features all major operating systems and is part of Windows, Linux, MacOS, iOS and Android for many years.
The feature works by receiving data objects that are sent to the CPU for the processing and assigning them to a random address space where they are executed internally μνήμηof the computer (RAM).
Because most "takeover" vulnerabilities are based on their corruption data of memory through buffer overflows, an attacker would need to know how to create malicious exploits in order to trick the computer into executing the malicious code. To do this, it needs to know the address space that an application uses to execute code inside the computer's memory. This can be determined quite easily by analyzing the source code of the application.
That's where ASLR comes in, which encrypts memory addresses by keeping them in an index. So if the ASLR is working properly, the malware or exploits will "hit" the wrong memory locations, leaving the computer safe and sound.
In a paper released this week, a team of computer science experts said they identified a problem with BTB, a cache system that monitors memory locations. Processors that use BTB to speed up processes, work just like a browser cache commonly used to speed up the websites you've already visited.
The technique described by the researchers allows them to retrieve the data from the CPU core containing ASLR index tables, allowing attackers to know where the code of a particular application runs to fine-tune their exploits.
"The described attack can take place in a very short time: it only takes 60 milliseconds to collect the required number of samples," the researchers said in their study.
The attack requires a special program that has only been tested on a Linux machine with an Intel Haswell processor. However, the researchers say that the same attack should theoretically work on any other operating system, even KVMs (Kernel Virtual Machines), which are bare-bone operating systems developed with cloud services.
The three researchers at their work propose a series of hardware and software fixes that can mitigate these kinds of attacks. The easiest solution is based on a software that asks OS vendors to implement ASLR protection at the level of code functions rather than through data objects.
The research work entitled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR has been written by Dmitry Evtyushkin and Dmitry Ponomarev from State University of New York and Nael Abu-Ghazaleh from the University of California.
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR