Researchers bypass ASLR by exploiting flaw in Intel chip
Researchers have found a design flaw in the branch predictor, a component of Intel’s Haswell processor, and have exploited it to bypass ASLR (Address Space Layout Randomization).
What is ASLR?
ASLR is a defense mechanism present in major operating systems and many applications, and protects systems from common attacks such as buffer overflow and return-oriented programming attacks.
It does so by randomly arranging the address space positions of key data areas of a process in the computer’s memory, which makes it hard for attackers to pinpoint a memory location that would allow their payload to run as required.
The attack
“Our attack exploits the observation that an adversary can create branch target buffer (BTB) collisions between the branch instructions of the attacker process and either the user-level victim process or on the kernel executing on its behalf. These collisions, in turn, can impact the timing of the attacker’s code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel,” the researchers explained.
They have successfully tested their attack app on a real Haswell processor running Ubuntu and a recent version of Linux kernel, but believe it could work just as well on Windows and OS X machines. According to UCR Today, their attack also works on virtualization systems, which are often used for setting up cloud computing systems.
The researchers have not yet tested other chips currently in use.
What can be done to prevent such attacks?
Nael Abu-Ghazaleh – a professor of computer science and engineering at University of California, Riverside, and one of the researchers who managed this feat – noted that the underlying hardware and computer architecture play an important role in computer security, “both in terms of introducing new vulnerabilities as well as supporting more secure software.”
The group, which also includes professor Dmitry Ponomarev and doctoral student Dmitry Evtyushkin from the computer science department at the State University of New York at Binghamton, has proposed several software and hardware solutions and or/mitigations for the problem.
Intel is yet to officially comment on the findings in the published paper.