Researchers show they can beat address space layout randomization with JavaScript in a browser (!)

Address space layout randomization is an important first line of defense against malicious software: by randomizing where in memory a program's code and data are placed each time it runs, ASLR makes it much harder for an attacker who has overwritten memory to know which address to jump to, offering significant protection against buffer overflow attacks.
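ASLR only delivers the protection described above when two things hold at once: the kernel is randomizing layouts, and the binary itself is position-independent (a fixed-address executable is loaded at the same place every time regardless of the kernel setting). The following script, added here as an illustration and not code from the post or the researchers, performs that defender-side check: it reads the Linux `randomize_va_space` sysctl (assumed path `/proc/sys/kernel/randomize_va_space`) and parses the ELF header of a binary to decide whether it is `ET_DYN` (PIE, movable) or `ET_EXEC` (fixed). The `make_header` helper builds constructed sample headers so the logic can be exercised offline.

```python
import struct
from pathlib import Path
from typing import Optional

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed load address: the kernel cannot relocate the main image
ET_DYN = 3    # position-independent executable (or shared object): loader picks a random base


def elf_type(header: bytes) -> int:
    """Return e_type from the first 18+ bytes of an ELF file.

    e_ident occupies bytes 0..15; e_type is the 2-byte field at offset 16,
    encoded in the byte order announced by e_ident[EI_DATA] (byte 5).
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    ei_data = header[5]               # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    return struct.unpack(endian + "H", header[16:18])[0]


def is_position_independent(header: bytes) -> bool:
    """True when the main image can be placed at a randomized base."""
    return elf_type(header) == ET_DYN


def kernel_aslr_level(sysctl_path: str = "/proc/sys/kernel/randomize_va_space") -> Optional[int]:
    """Linux ASLR setting: 0 = off, 1 = stack/mmap/vdso randomized, 2 = heap (brk) too.

    Returns None when the file is unavailable (non-Linux host or no permission).
    """
    try:
        return int(Path(sysctl_path).read_text().strip())
    except (OSError, ValueError):
        return None


def aslr_effective(header: bytes, level: Optional[int]) -> bool:
    """Full ASLR for this binary requires level 2 AND a position-independent image."""
    return level == 2 and is_position_independent(header)


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-byte ELF64 header used as sample input (not from a real binary)."""
    ei_class, ei_data = 2, (1 if little_endian else 2)      # ELFCLASS64, byte order
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    endian = "<" if little_endian else ">"
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIQQQIHHHHHH",
                       e_type, 62, 1, 0x1000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return e_ident + rest


def report(path: str) -> str:
    """Human-readable verdict for one on-disk binary."""
    with open(path, "rb") as f:
        header = f.read(64)
    level = kernel_aslr_level()
    pie = is_position_independent(header)
    verdict = "effective" if aslr_effective(header, level) else "NOT fully effective"
    return f"{path}: PIE={pie} randomize_va_space={level} -> ASLR {verdict}"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or ["/bin/ls"]:
        try:
            print(report(p))
        except (OSError, ValueError) as exc:
            print(f"{p}: {exc}")
```

Run it as `python3 aslr_check.py /usr/bin/ssh /usr/sbin/sshd` to audit a few binaries; a `PIE=False` result on a network-facing daemon means ASLR is not protecting that process at all, independent of the side-channel findings discussed in the post.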

A group of researchers from Vrije Universiteit published a research paper today, in which they demonstrate a side-channel attack against the CPU's memory management unit that allows malicious code to bypass ASLR, using JavaScript code running inside a sandboxed browser.

The vulnerability is common to at least 22 identified processor architectures from ARM, Intel and AMD. The researchers don't believe there is a cost-effective countermeasure for their attack and say that we should give up on ASLR as a first line of defense immediately.

The attack, which the researchers call AnC (ASLR⊕Cache), works by using what's known as an EVICT+TIME cache attack to detect which memory locations are accessed by the CPU's MMU as it walks the page tables. The researchers identified 22 microarchitectures from Intel, Advanced Micro Devices, and ARM that were vulnerable. They went on to say they have yet to test an architecture that didn't provide the MMU signal necessary to exploit the side channel. The vulnerabilities are indexed as CVE-2017-5925 as they apply to Intel processors, CVE-2017-5926 for AMD processors, CVE-2017-5927 for ARM processors, and CVE-2017-5928 for a timing issue affecting multiple browsers. The paper was written by Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida of the VUsec systems security group at Vrije Universiteit Amsterdam. They have published this resource page with additional information about the technique.

Given how crucial caching is to the performance of modern CPUs, the researchers say architectural fixes are likely to be too costly to be feasible. And even if hardware mitigations are possible—say, by creating a separate cache for page tables—the researchers warn that the vulnerability may resurface in software. They conclude their findings with a recommendation that's sure to get the attention of software developers everywhere:

"We hence recommend ASLR to no longer be trusted as a first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."

New ASLR-busting JavaScript is about to make drive-by exploits much nastier
[Dan Goodin/Ars Technica]

ASLR on the Line: Practical Cache Attacks on the MMU [Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida/Vrije Universiteit]