Posted on Wednesday, October 19 2016 @ 16:14 CEST by Thomas De Maesschalck
ASLR does what it name suggests, it randomizes the location in your PC's memory where software loads specific lines of code. This aids to limit the damage of exploits, often resulting in just a system crash rather than a full system compromise.
Unfortunately, the researchers discovered that Intel's Haswell processor has a side channel flaw in its branch predictor that discloses the memory locations. This branch predictor boosts performance by anticipating the addresses where soon-to-be-executed instructions are located. The attack works by exploiting collisions in the branch target buffer table to discover where the software loads specific chunks of code.
As reported by ARS Technica, malware creators could abuse this flaw to make attacks more potent:
Nothing's stopping malicious attackers from bundling a similar bypass app with attack code that exploits a critical OS or application vulnerability. The exploit could then use the disclosed memory location to ensure malicious payloads are successfully executed by a targeted computer, instead of being flushed without ever being run, as is normally the case when ASLR is active. The researchers believe that ASLR implemented by both Microsoft Windows and Apple's OS X is similarly vulnerable. They have yet to perform research on other chip architectures to see if they also contain side channels that defeat ASLR.Attacks based on this method work on multiple operating systems and also work across virtualization boundaries. While the paper provided proof-of-concept using the Intel Core i7-4800MQ processor, it's unknown if other Intel CPU generations or perhaps even AMD processors are vulnerable.
