Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Bypass ASLR via Hardware Vulnerability

Researchers from two universities in the United States have disclosed a new method for bypassing Address Space Layout Randomization (ASLR) by exploiting a hardware vulnerability.

Researchers from two universities in the United States have disclosed a new method for bypassing Address Space Layout Randomization (ASLR) by exploiting a hardware vulnerability.

ASLR is a technique designed to mitigate memory corruption attacks, such as stack and heap buffer overflows, by randomly arranging the address space positions of key data areas. ASLR has been used in many operating systems, including Linux, iOS, OS X, Windows and Android.

Over the past years, researchers have disclosed several ASLR bypass methods and such techniques have also been spotted in several sophisticated cyber espionage operations.

Now, a team of researchers from the State University of New York at Binghamton and the University of California, Riverside, claim to have found a new ASLR bypass technique that involves a side-channel attack on the branch target buffer (BTB), a cache-like component used in CPUs for branch prediction.

According to experts, an attacker can create BTB collisions between two user-level processes or between a kernel and a user process in a controlled and robust manner.

“The collisions can be easily detected by the attacker because they impact the timing of the attacker-controlled code. Identifying the BTB collisions allows the attacker to determine the exact locations of known branch instructions in the code segment of the kernel or of the victim process, thus disclosing the ASLR offset,” researchers explained in their paper.

The experts demonstrated the attack method on an Intel Haswell CPU and a recent version of the Linux kernel, but they believe the method can also be applied to Windows, Android and even virtualization systems such as KVM (Kernel-based Virtual Machine). In their experiments, they managed to reliably recover the kernel-level ASLR in roughly 60 milliseconds.

A series of hardware and software mitigations have been proposed for preventing these types of bypass techniques. The hardware mitigations include changing the BTB addressing mechanism to prevent exploitable collisions in the BTB, and using different indexing functions for user and kernel-level code.

Advertisement. Scroll to continue reading.

Software countermeasures are more limited, but experts believe the use of finer-grained ASLR schemes that can randomize code at the level of functions, basic blocks and instructions could make attacks more difficult to carry out.

Related Reading: Researchers Use Disk Cleanup to Bypass UAC on Windows 10

Related Reading: Researchers Leverage RKP Module to Bypass Samsung KNOX

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

Bret Arsenault is retiring from his full-time role after 35 years at Microsoft.

Social engineering defense platform Doppel has appointed Bobby Ford as Chief Strategy and Experience Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.