Security researchers say ASLR can no longer be trusted

Posted on Wednesday, February 15 2017 @ 14:21 CET by Thomas De Maesschalck
A new discovery by a team of security researchers suggests address space layout randomization (ASLR) can no longer be trusted as a first line of defense against malware attacks. The technique has seen great success over the last decade because it makes it much harder to exploit buffer overflows and similar vulnerabilities, but the researchers have now shown that a piece of JavaScript code can reliably bypass ASLR by exploiting a property found in all modern processors.

The trick derandomizes ASLR by exploiting hardware behaviour that is critical to efficient code execution. It does not depend on any specific software, and 22 microarchitectures from Intel, AMD and ARM were found vulnerable. From the paper:

In this paper, we show that the problem is much more serious and that ASLR is fundamentally insecure on modern cache-based architectures. Specifically, we show that it is possible to derandomize ASLR completely from JavaScript, without resorting to esoteric operating system or application features. Unlike all previous approaches, we do not abuse weaknesses in the software (that are relatively easy to fix). Instead, our attack builds on hardware behavior that is central to efficient code execution: the fast translation of virtual to physical addresses in the MMU by means of page tables. As a result, all fixes to our attacks (e.g., naively disabling caching) are likely too costly in performance to be practical. To our knowledge, this is the first attack that side-channels the MMU and also the very first cache attack that targets a victim hardware rather than software component.

More details about the ASLR⊕Cache attack can be read at Ars Technica. The researchers conclude there is no easy way to fix this: architectural fixes are likely to be too costly in terms of performance to be practical, and new hardware-based mitigation techniques may cause the vulnerability to resurface in software. Disabling JavaScript does the trick, but that also cripples most modern websites.

About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.
