Researchers bypass ASLR protection with simple JavaScript code

A group of researchers from the Systems and Network Security Group at VU Amsterdam have discovered a way to bypass address space layout randomization (ASLR) protections of major operating systems and browsers by exploiting a common feature of computer microprocessors.

By combining simple JavaScript code to target this feature with exploit code for browser or OS vulnerabilities, they were able to compromise vulnerable systems, as demonstrated in this video (on Linux and Firefox):

What is ASLR?

As its name suggests, address space layout randomization’s goal is to prevent attackers from knowing and misusing an application’s code and data by randomizing its location in the virtual address space.

Most modern operating systems use this technique, including Windows, maOS, Linux, several Unix-like OSes, Android, and iOS. Modern browsers also employ it.

The attack, and the feature that allows it

“The memory management unit (MMU) of modern processors uses the cache hierarchy of the processor in order to improve the performance of page table walks. Unfortunately, this cache hierarchy is also shared by untrustred applications, such as JavaScript code running in the browser,” the researchers explained.

“Our attack relies on the interplay between the MMU and the caches during virtual to physical address translation—core hardware behavior that is central to efficient code execution on modern CPUs. We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. As a result, an attacker can derandomize virtual addresses of a victim’s code and data by locating the cache lines that store the page-table entries used for address translation.”

This knowledge allows attackers to successfully execute malicious payloads on the targeted system, instead of crashing it.

The researchers have found that 22 different microarchitectures from Intel, ARM and AMD processors allow the observation of the MMU signal and, therefore, the attack. Also, it takes just a few minutes to execute it.

What now?

The researchers have dubbed the attack ASLR Cache (aka AnC), and say that fixing the problem is going to be difficult.

“Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical. Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software,” they noted.

They have disclosed their findings to the various processor, browser and OS vendors.

“Some processor vendors agreed with our findings that ASLR is no longer a viable security defense at least for the browsers. Others did not dispute our findings. From the browser vendors, most found AnC relevant,” they noted, and added that they’ve worked with the Apple Product Security Team to help them harden WebKit against the AnC attack.

They have offered more mitigation idea for both the hardware and software makers in their paper.

End users can protect themselves against such an attack by using plugins (e.g. NoScript, ScriptSafe) that prevent browsers from automatically running untrusted JavaScript present on web pages. Unfortunately, this also means that the fluidity of their web browsing will be somewhat affected.

Although the researchers will not release the JavaScript version of their attack, they predict that advanced adversaries could replicate their results in a matter of weeks, given the details they shared in their paper.