Researchers bypass ASLR protection

A team of researchers from two US universities devised a method of bypassing ASLR (Address Space Layout Randomization) through the BTB (Branch Target Buffer), a branch-prediction structure found in most modern CPUs, including the Intel Haswell processors they used for their experiments.

ASLR is a security feature present in all major operating systems; it has been part of Windows, Linux, macOS, iOS and Android for many years.

The feature works by loading a program's stack, heap, shared libraries and, for position-independent executables, its own code at randomly chosen base addresses in the process's virtual memory every time the program is started.

Because most "takeover" vulnerabilities rely on memory corruption such as buffer overflows, an attacker who wants to turn such a bug into code execution needs to know where specific code and data live in the target's memory, for instance the address of a function to jump to or of a code fragment to reuse. Without randomization those addresses are fixed and can be read straight from the program binary.

That is where ASLR comes in: it shifts those locations to different, unpredictable addresses on every run. So if ASLR is working properly, an exploit that hard-codes addresses "hits" the wrong memory locations and the attack fails, typically with a crash instead of code execution.

In a paper released this week, a group of researchers report a problem in the BTB, a small cache inside the processor that remembers, for recently executed branch instructions, the address they jumped to. The processor uses it to predict a branch's target before the branch is actually resolved, much as a browser cache speeds up returning to a website you have already visited.

The technique described by the researchers exploits the fact that the BTB is indexed by only part of a branch instruction's virtual address and is shared between processes, and between user code and the kernel, running on the same core. By executing branches of its own and timing them, an attacker program can detect when one of its branches collides in the BTB with one of the victim's, which reveals the address bits ASLR chose for the victim's code. Knowing where a specific application's (or the kernel's) code is running lets attackers fine-tune their exploits.
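The following C program is an added example, not code from the paper or from the article: it prints the addresses that Linux ASLR randomizes (stack, heap, the program's own code, a libc function) so you can compare them across runs, and it contains a helper that, given addresses collected from several runs, reports which bits actually varied and how many of those bits remain unknown once an attacker has learned the low bits through a BTB collision. The file path /proc/sys/kernel/randomize_va_space, the build flags, and the notion of "leaked low bits" as a contiguous run of low address bits are assumptions made for the example; the exact number of bits the BTB uses is microarchitecture-specific and is deliberately left as a parameter. The timing-based BTB probing itself is not reproduced here.

```c
/* Added example (not from the paper or the article): what Linux ASLR moves
 * around, and how to measure how many address bits it actually randomizes.
 * Build as a position-independent executable so the code segment is
 * randomized too:  gcc -O0 -fPIE -pie aslr_demo.c -o aslr_demo
 * Run ./aslr_demo a few times and compare the printed addresses. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

/* Mask of the address bits that differ across the samples.  A 0 result means
 * every sample was the same address, i.e. no randomization was observed. */
uintptr_t varying_bits(const uintptr_t *addrs, size_t n)
{
    if (n == 0)
        return 0;
    uintptr_t all_or = 0, all_and = ~(uintptr_t)0;
    for (size_t i = 0; i < n; i++) {
        all_or  |= addrs[i];
        all_and &= addrs[i];
    }
    return all_or & ~all_and;   /* 1 in some sample and 0 in another */
}

/* Number of set bits: with k varying bits a blind guess succeeds with
 * probability 2^-k, which is the whole point of ASLR. */
int count_bits(uintptr_t m)
{
    int c = 0;
    for (; m; m &= m - 1)
        c++;
    return c;
}

/* Entropy left for an attacker who has learned the low `leaked_low_bits`
 * bits of the address.  This models the outcome of the BTB attack: the
 * buffer is indexed by the low part of the branch address (assumption: a
 * contiguous run of low bits; the exact count depends on the CPU), so a
 * detected collision reveals exactly those bits of the victim's layout. */
int remaining_entropy_bits(uintptr_t varying_mask, int leaked_low_bits)
{
    uintptr_t leaked = leaked_low_bits >= (int)(8 * sizeof(uintptr_t))
                           ? ~(uintptr_t)0
                           : (((uintptr_t)1 << leaked_low_bits) - 1);
    return count_bits(varying_mask & ~leaked);
}

/* A hard-coded exploit address only works if it equals this run's address. */
int fixed_address_hits(uintptr_t guessed, uintptr_t actual)
{
    return guessed == actual;
}

int main(void)
{
    int stack_var = 0;
    void *heap = malloc(64);
    int mode = -1;
    /* Assumed Linux sysctl: 2 = full randomization (stack, heap, mmap, PIE
     * code), 1 = no heap randomization, 0 = disabled. */
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f) {
        if (fscanf(f, "%d", &mode) != 1)
            mode = -1;
        fclose(f);
    }
    printf("randomize_va_space : %d\n", mode);
    printf("stack   : %p\n", (void *)&stack_var);
    printf("heap    : %p\n", heap);
    printf("code    : %p  (main; randomized only when built with -pie)\n",
           (void *)(uintptr_t)&main);
    printf("libc    : %p  (printf)\n", (void *)(uintptr_t)&printf);
    free(heap);
    return 0;
}
```

Run the binary several times, collect one of the printed addresses from each run into an array, and pass it to varying_bits() and count_bits() to see how many bits of entropy that region really has on your system; a result of 0 means ASLR is off or the binary was not built as PIE. remaining_entropy_bits() then shows why the paper's leak matters: every low bit the BTB collision reveals is one less bit the attacker has to guess.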

"The described attack can be carried out in a very short time: only 60 milliseconds are required for the collection of the required number of samples," the researchers report in their paper.

The attack requires a specially crafted program and has only been tested on a Linux machine with an Intel Haswell processor. However, the researchers say that the same attack should in principle work on other operating systems, and even across virtualization boundaries under KVM (Kernel-based Virtual Machine), the Linux kernel's hypervisor that underpins many cloud services.

In their paper the three researchers propose a series of hardware and software fixes that can mitigate this class of attack. On the software side, the simplest is for OS vendors to apply finer-grained ASLR, randomizing the placement of individual functions rather than only the base address of each module, so that learning one branch address reveals far less about where the rest of the code lives. On the hardware side they suggest changing how the BTB is indexed so that branches from different processes or privilege levels no longer share entries.

The research paper, titled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, was written by Dmitry Evtyushkin and Dmitry Ponomarev of the State University of New York at Binghamton and Nael Abu-Ghazaleh of the University of California, Riverside.

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR


Written by giorgos
