Researchers at the State University of New York and University of California have devised a technique that bypasses a key security protection built into just about every operating system. If the issue is left unfixed, it could make malware attacks much more potent.
In their paper, titled “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR”, researchers explained that they “develop an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB).”
Address space layout randomization, or ASLR, is a defense against a class of widely used attacks that surreptitiously install malware by exploiting vulnerabilities in an operating system or application. By randomizing the locations in computer memory where software loads specific chunks of code, ASLR often limits the damage of such exploits to a simple computer crash, rather than a catastrophic system compromise. Now, academic researchers have identified a flaw in Intel chips that allows them to effectively bypass this protection. The result is exploits that are far more effective than they would otherwise be.
The attack “exploits the observation that an adversary can create BTB collisions between the branch instructions of the attacker process and either the user-level victim process or on the kernel executing on its behalf. These collisions, in turn, can impact the timing of the attacker’s code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel.”
The result is that the attackers “can reliably recover kernel ASLR in about 60 milliseconds when performed on a real Haswell processor running a recent version of Linux.”
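To make the collision mechanism in the quoted passage concrete, here is an added simulation of the inference step. It is written for this page, is not the researchers' code, and does no hardware timing: the collision oracle is computed from a model of the BTB rather than measured. The model's parameters are all assumptions chosen for illustration, not values taken from the article: a BTB slot selected by virtual-address bits [0,30), a kernel slide that is a multiple of 2 MiB with 9 randomised bits (512 candidates), an unrandomised kernel text base of 0xffffffff80000000, and a known branch at image offset 0x1a3c0. The names `victim_branch_addr`, `btb_collides`, `recover_slide` and `distinguishable_slides` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model parameters. These are assumptions chosen for the simulation, not
 * values taken from the article; real BTB geometry has to be measured. */
#define BTB_ADDR_BITS 30u                         /* BTB slot chosen from address bits [0,30) */
#define BTB_MASK      ((1ULL << BTB_ADDR_BITS) - 1)
#define KASLR_SHIFT   21u                         /* slide is a multiple of 2 MiB */
#define KASLR_BITS    9u                          /* 9 randomised bits -> 512 candidate slides */
#define KERNEL_BASE   0xffffffff80000000ULL       /* unrandomised kernel text base (assumed) */
#define KNOWN_BRANCH  0x1a3c0ULL                  /* offset of a known branch in the image (assumed) */

/* Address of the known kernel branch once the kernel has been slid. The
 * attacker does not know `slide`; it is the secret being recovered. */
static uint64_t victim_branch_addr(uint64_t slide) {
    return KERNEL_BASE + slide + KNOWN_BRANCH;
}

/* Collision oracle. On hardware the attacker learns this bit by timing its
 * own branch: a colliding victim branch overwrites the attacker's BTB entry
 * and the attacker's branch mispredicts. Here it is computed from the model:
 * two branches share a slot when their low BTB_ADDR_BITS bits agree. */
static bool btb_collides(uint64_t attacker_branch, uint64_t victim_branch) {
    return (attacker_branch & BTB_MASK) == (victim_branch & BTB_MASK);
}

/* Attacker loop: for every candidate slide, compute where the known branch
 * would land and place a probe branch at a user-space address whose low bits
 * match. The only candidate whose probe collides is the real slide. Returns
 * -1 if no candidate collides (model mismatch). */
static int64_t recover_slide(uint64_t victim_branch) {
    for (uint64_t i = 0; i < (1ULL << KASLR_BITS); i++) {
        uint64_t cand  = i << KASLR_SHIFT;
        uint64_t guess = KERNEL_BASE + cand + KNOWN_BRANCH;
        uint64_t probe = guess & BTB_MASK;   /* below 1 GiB: a mappable user address */
        if (btb_collides(probe, victim_branch))
            return (int64_t)cand;
    }
    return -1;
}

/* How many distinct BTB slots the candidate slides send the known branch to.
 * Equal to the candidate count only when every randomised bit lies inside
 * the bits the BTB indexes on; otherwise several slides are indistinguishable
 * and the side channel merely narrows the search. */
static unsigned distinguishable_slides(unsigned shift, unsigned bits) {
    unsigned n = 1u << bits, distinct = 0;
    for (unsigned i = 0; i < n; i++) {
        uint64_t a = (KERNEL_BASE + ((uint64_t)i << shift) + KNOWN_BRANCH) & BTB_MASK;
        bool seen = false;
        for (unsigned j = 0; j < i && !seen; j++) {
            uint64_t b = (KERNEL_BASE + ((uint64_t)j << shift) + KNOWN_BRANCH) & BTB_MASK;
            seen = (a == b);
        }
        if (!seen) distinct++;
    }
    return distinct;
}

int main(void) {
    uint64_t secret = (uint64_t)0x1d << KASLR_SHIFT;      /* chosen "random" slide */
    int64_t found = recover_slide(victim_branch_addr(secret));
    printf("secret slide 0x%llx, recovered 0x%llx\n",
           (unsigned long long)secret, (unsigned long long)found);
    printf("distinguishable slides: %u of %u (randomised bits 21-29, inside BTB range)\n",
           distinguishable_slides(KASLR_SHIFT, KASLR_BITS), 1u << KASLR_BITS);
    printf("distinguishable slides: %u of %u (randomised bits 30-38, outside BTB range)\n",
           distinguishable_slides(30, KASLR_BITS), 1u << KASLR_BITS);
    return found == (int64_t)secret ? 0 : 1;
}
```

The two points the simulation isolates are the ones a practitioner needs from the quoted description: knowing one branch's offset inside the kernel image plus a single observed collision pins down the slide, and the channel only works because the randomised bits fall inside the address bits the predictor indexes on (the second `distinguishable_slides` call shows the same 512 candidates collapsing to one slot when they do not). A real attacker replaces `btb_collides` with a timed execution of its own branch before and after the victim runs.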
Nael Abu-Ghazaleh, one of the computer scientists behind the paper, said, “ASLR is an important defense deployed by all commercial Operating Systems. It is often the only line of defense that prevents an attacker from exploiting any of a wide range of attacks (those that rely on knowing the memory layout of the victim). A weakness in the hardware that allows ASLR to be bypassed can open the door to many attacks that are stopped by ASLR. It also highlights the need for CPU designers to be aware of security as part of the design of new processors.”