Researchers show they can beat address space layout randomization with JavaScript in a browser (!)

Address space layout randomization is an important first line of defense against memory-corruption exploits: by placing a program's code, stack, heap and libraries at different addresses on every run, ASLR denies an attacker the addresses that a buffer-overflow exploit needs in order to redirect execution to code of the attacker's choosing, which is what makes such bugs so much harder to turn into working attacks.

A group of researchers from Vrije Universiteit published a research paper today in which they demonstrate a side-channel attack against the CPU's memory management unit (MMU) that lets malicious JavaScript running inside a sandboxed browser bypass ASLR.

The vulnerability is common to at least 22 processor microarchitectures from ARM, Intel and AMD. The researchers don't believe there is a cost-effective countermeasure for their attack and say that ASLR should no longer be trusted as a first line of defense.

The attack, which the researchers call AnC (ASLR⊕Cache), works by using what's known as an EVICT+TIME cache attack to detect which cache lines the MMU touches when it walks the page tables to translate a virtual address; because the page-table entries it reads depend on the address being translated, the timing leaks the randomized address. The researchers identified 22 microarchitectures from Intel, AMD and ARM that were vulnerable, and say they have yet to test one that didn't provide the MMU signal necessary to exploit the side channel. The vulnerabilities are indexed as CVE-2017-5925 as it applies to Intel processors, CVE-2017-5926 for AMD processors, CVE-2017-5927 for ARM processors, and CVE-2017-5928 for a timing issue affecting multiple browsers. The paper was written by Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos and Cristiano Giuffrida of the VUSec systems security group at Vrije Universiteit Amsterdam, who have also published a resource page with additional information about the technique.
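To make the mechanism concrete, here is an added example (not the VUSec code, and not from the paper) that models the signal AnC extracts. It assumes x86-64 four-level paging with 4 KiB pages, 8-byte page-table entries and 64-byte cache lines: a page-table walk brings one cache line of each level's page-table page into the cache, and that line index is 6 of the 9 bits of the level's index. The remaining 3 bits come from sliding the probe one entry at a time until the observed line changes. The real attack gets the per-level line index from noisy EVICT+TIME timing; here `makeObservation` is a stand-in oracle computed from a constructed, hidden base address.

```javascript
// Added example (not VUSec's AnC code): a simulation of the page-table-walk
// cache signal that AnC derandomizes. Assumes x86-64 4-level paging, 4 KiB
// pages, 8-byte PTEs and 64-byte cache lines. `makeObservation` stands in
// for the EVICT+TIME measurement the real attack performs from JavaScript.

const PAGE_SHIFT = 12n;      // 4 KiB pages: bits 0..11 are the page offset
const INDEX_BITS = 9n;       // 512 entries per page-table page
const LEVELS = 4;            // level 0 = PT, 1 = PD, 2 = PDPT, 3 = PML4
const ENTRIES_PER_LINE = 8;  // 64-byte cache line / 8-byte entry

// Bit position of the 9-bit index used at `level`.
function levelShift(level) {
  return PAGE_SHIFT + INDEX_BITS * BigInt(level);
}

// The 9-bit page-table index the MMU uses at each level for virtual address `va` (a BigInt).
function pageTableIndices(va) {
  const idx = [];
  for (let l = 0; l < LEVELS; l++) idx.push(Number((va >> levelShift(l)) & 0x1ffn));
  return idx;
}

// The cache line (0..63) of each level's page-table page that a walk of `va` loads.
// This is all the attacker observes: the top 6 of the 9 index bits per level.
function cacheLinesTouched(va) {
  return pageTableIndices(va).map(i => Math.floor(i / ENTRIES_PER_LINE));
}

// Simulated EVICT+TIME oracle for a buffer whose randomized base the attacker
// does not know: given an offset into the buffer, report the lines touched.
function makeObservation(hiddenBase) {
  return offset => cacheLinesTouched(hiddenBase + offset);
}

// Recover the page-granular virtual address of the buffer from the oracle alone.
// Per level: the line index at offset 0 gives the top 6 bits of the index; probing
// at k entries past the base (one page per entry at the PT level, 512 pages at the
// PD level, ...) and watching for the line to change reveals the low 3 bits, since
// the line advances exactly when the index crosses a multiple of 8.
function recoverVirtualAddress(observe) {
  let va = 0n;
  for (let l = 0; l < LEVELS; l++) {
    const stride = 1n << levelShift(l);   // address distance between adjacent entries
    const line0 = observe(0n)[l];
    let k = 1;
    while (observe(BigInt(k) * stride)[l] === line0) k++;  // terminates with k in 1..8
    const low3 = (ENTRIES_PER_LINE - k) % ENTRIES_PER_LINE;
    const index = line0 * ENTRIES_PER_LINE + low3;
    va |= BigInt(index) << levelShift(l);
  }
  return va;
}

// Bytes a probe buffer must span to slide 8 entries at `level`: 32 KiB, 16 MiB, 8 GiB, 4 TiB.
function bufferNeededForLevel(level) {
  return BigInt(ENTRIES_PER_LINE) << levelShift(level);
}

// Constructed, page-aligned example address standing in for an ASLR-chosen base.
const EXAMPLE_BASE = 0x7f3a1bc4d000n;

const recovered = recoverVirtualAddress(makeObservation(EXAMPLE_BASE));
console.log(`lines touched per level: ${cacheLinesTouched(EXAMPLE_BASE)}`);
console.log(`recovered 0x${recovered.toString(16)} (matches hidden base: ${recovered === EXAMPLE_BASE})`);
```

Two things the numbers make obvious. The low 12 bits are the page offset, which ASLR never randomizes, so recovering the four indices is the whole job. And the stride grows 512× per level, so a buffer a browser will actually grant lets the sliding step resolve only the lower levels; the upper levels still give up 6 of their 9 bits from the line index alone. In the real attack each `observe` call is a timing measurement of evicting the relevant cache lines and dereferencing the probe address, which is why the browser timer precision covered by CVE-2017-5928 matters as much as the MMU behaviour itself.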

Given how crucial caching is to the performance of modern CPUs, the researchers say architectural fixes are likely to be too costly to be feasible. And even if hardware mitigations are possible, say by giving page tables a separate cache, the researchers warn that the vulnerability may resurface in software. They conclude with a recommendation that's sure to get the attention of software developers everywhere:

"We hence recommend ASLR to no longer be trusted as a first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."

New ASLR-busting JavaScript is about to make drive-by exploits much nastier [Dan Goodin/Ars Technica]

ASLR on the Line: Practical Cache Attacks on the MMU [Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida/Vrije Universiteit]

Notable Replies

  1. This gives me hope for breaking out of this holographically simulated universe.

  2. I don't understand why an OS would allow a userspace application read access to memory addresses not assigned to a userspace application.

  3. It doesn't. The paper is describing a method by which you can figure out which randomly assigned portion of the address space you got, by doing a timing attack on the MMU.

    By itself this is useless. The point is that the reason people are doing address space randomization in the first place is to make exploiting security flaws such as buffer overflows more difficult.

  4. enso says:

    My life, every week.

  5. This is how I explain computer problems to my cat. My cat usually seems happier than me.

    Annoyingly apt; I can't get the alt-text to work. I mostly just type raw HTML into forums, but that doesn't seem to reliably work in Discourse...
