A group of researchers from the Systems and Network Security Group at VU Amsterdam have discovered a way to bypass address space layout randomization (ASLR) protections of major operating systems and browsers by exploiting a common feature of computer microprocessors.
What is ASLR?
As its name suggests, address space layout randomization’s goal is to prevent attackers from knowing and misusing an application’s code and data by randomizing its location in the virtual address space.
Most modern operating systems use this technique, including Windows, maOS, Linux, several Unix-like OSes, Android, and iOS. Modern browsers also employ it.
The attack, and the feature that allows it
“Our attack relies on the interplay between the MMU and the caches during virtual to physical address translation—core hardware behavior that is central to efficient code execution on modern CPUs. We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. As a result, an attacker can derandomize virtual addresses of a victim’s code and data by locating the cache lines that store the page-table entries used for address translation.”
This knowledge allows attackers to successfully execute malicious payloads on the targeted system, instead of crashing it.
The researchers have found that 22 different microarchitectures from Intel, ARM and AMD processors allow the observation of the MMU signal and, therefore, the attack. Also, it takes just a few minutes to execute it.
The researchers have dubbed the attack ASLR Cache (aka AnC), and say that fixing the problem is going to be difficult.
“Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical. Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software,” they noted.
They have disclosed their findings to the various processor, browser and OS vendors.
“Some processor vendors agreed with our findings that ASLR is no longer a viable security defense at least for the browsers. Others did not dispute our findings. From the browser vendors, most found AnC relevant,” they noted, and added that they’ve worked with the Apple Product Security Team to help them harden WebKit against the AnC attack.
They have offered more mitigation idea for both the hardware and software makers in their paper.