Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Researchers Bypass ASLR via Hardware Vulnerability

Researchers from two universities in the United States have disclosed a new method for bypassing Address Space Layout Randomization (ASLR) by exploiting a hardware vulnerability.

Researchers from two universities in the United States have disclosed a new method for bypassing Address Space Layout Randomization (ASLR) by exploiting a hardware vulnerability.

ASLR is a technique designed to mitigate memory corruption attacks, such as stack and heap buffer overflows, by randomly arranging the address space positions of key data areas. ASLR has been used in many operating systems, including Linux, iOS, OS X, Windows and Android.

Over the past years, researchers have disclosed several ASLR bypass methods and such techniques have also been spotted in several sophisticated cyber espionage operations.

Now, a team of researchers from the State University of New York at Binghamton and the University of California, Riverside, claim to have found a new ASLR bypass technique that involves a side-channel attack on the branch target buffer (BTB), a cache-like component used in CPUs for branch prediction.

According to experts, an attacker can create BTB collisions between two user-level processes or between a kernel and a user process in a controlled and robust manner.

“The collisions can be easily detected by the attacker because they impact the timing of the attacker-controlled code. Identifying the BTB collisions allows the attacker to determine the exact locations of known branch instructions in the code segment of the kernel or of the victim process, thus disclosing the ASLR offset,” researchers explained in their paper.

The experts demonstrated the attack method on an Intel Haswell CPU and a recent version of the Linux kernel, but they believe the method can also be applied to Windows, Android and even virtualization systems such as KVM (Kernel-based Virtual Machine). In their experiments, they managed to reliably recover the kernel-level ASLR in roughly 60 milliseconds.

Advertisement. Scroll to continue reading.

A series of hardware and software mitigations have been proposed for preventing these types of bypass techniques. The hardware mitigations include changing the BTB addressing mechanism to prevent exploitable collisions in the BTB, and using different indexing functions for user and kernel-level code.

Software countermeasures are more limited, but experts believe the use of finer-grained ASLR schemes that can randomize code at the level of functions, basic blocks and instructions could make attacks more difficult to carry out.

Related Reading: Researchers Use Disk Cleanup to Bypass UAC on Windows 10

Related Reading: Researchers Leverage RKP Module to Bypass Samsung KNOX

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.