A team of scientists from two US universities devised a method to bypass ASLR (Address Space Layout Randomization) protection through the BTB (Branch Target Buffer), a component included in many modern CPU architectures, such as the Intel Haswell processors, which were also the processors they used for the tests in their research.
ASLR is a security feature found in all major operating systems and has been part of Windows, Linux, macOS, iOS and Android for many years.
The feature works by taking the data objects sent to the CPU for processing and assigning them to a random address space, where they reside in the computer's memory (RAM).
Because most takeover vulnerabilities rely on corrupting memory via buffer overflows, an attacker who wants to trick the computer into executing malicious code needs to know how to craft the exploit. To do this, the attacker needs to know the address space an application uses to execute code in the computer's memory. This can be determined fairly easily by analyzing the application's source code.
That is where ASLR comes in: it encrypts memory addresses by keeping them in an index. So if ASLR is working properly, malware or exploits will "hit" the wrong memory locations, leaving the computer safe and sound.
In a paper released this week, a team of computer science experts said they identified a problem with the BTB, a cache system that tracks memory locations. Processors use the BTB to speed up execution; it works much like a browser cache, which is commonly used to speed up the loading of websites you have already visited.
The technique described by the researchers allows them to recover data from the CPU core that holds the ASLR index tables, which lets attackers learn where a particular application's code is running so they can fine-tune their exploits.
"The described attack can take place in a very short time: it only takes 60 milliseconds to collect the required number of samples," the researchers said in their study.
The attack requires a special program and has only been tested on a Linux machine with an Intel Haswell processor. However, the researchers report that the same attack should theoretically work on any other operating system, even on KVMs (Kernel Virtual Machines), which are bare-bones operating systems developed for cloud services.
In their paper, the three researchers propose a series of hardware and software fixes that can mitigate these kinds of attacks. The easiest is a software solution that asks OS vendors to implement ASLR protection at the level of code functions rather than of data objects.
The research paper, titled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, was authored by Dmitry Evtyushkin and Dmitry Ponomarev from the State University of New York and Nael Abu-Ghazaleh from the University of California.