Researchers from two universities in the United States have disclosed a new method for bypassing Address Space Layout Randomization (ASLR) by exploiting a hardware vulnerability.
ASLR is a technique designed to mitigate memory corruption attacks, such as stack and heap buffer overflows, by randomly arranging the address space positions of key data areas. ASLR has been used in many operating systems, including Linux, iOS, OS X, Windows and Android.
Over the past years, researchers have disclosed several ASLR bypass methods and such techniques have also been spotted in several sophisticated cyber espionage operations.
Now, a team of researchers from the State University of New York at Binghamton and the University of California, Riverside, claim to have found a new ASLR bypass technique that involves a side-channel attack on the branch target buffer (BTB), a cache-like component used in CPUs for branch prediction.
According to experts, an attacker can create BTB collisions between two user-level processes or between a kernel and a user process in a controlled and robust manner.
“The collisions can be easily detected by the attacker because they impact the timing of the attacker-controlled code. Identifying the BTB collisions allows the attacker to determine the exact locations of known branch instructions in the code segment of the kernel or of the victim process, thus disclosing the ASLR offset,” researchers explained in their paper.
The experts demonstrated the attack method on an Intel Haswell CPU and a recent version of the Linux kernel, but they believe the method can also be applied to Windows, Android and even virtualization systems such as KVM (Kernel-based Virtual Machine). In their experiments, they managed to reliably recover the kernel-level ASLR in roughly 60 milliseconds.
A series of hardware and software mitigations have been proposed for preventing these types of bypass techniques. The hardware mitigations include changing the BTB addressing mechanism to prevent exploitable collisions in the BTB, and using different indexing functions for user and kernel-level code.
Software countermeasures are more limited, but experts believe the use of finer-grained ASLR schemes that can randomize code at the level of functions, basic blocks and instructions could make attacks more difficult to carry out.
Related Reading: Researchers Use Disk Cleanup to Bypass UAC on Windows 10
Related Reading: Researchers Leverage RKP Module to Bypass Samsung KNOX