A vulnerability in the Intel’s Haswell CPUs can be exploited to bypass the anti-exploitation technology address space layout randomization (ASLR) that in implemented by all the principal operating systems.
The ASLR is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, it makes hard for attackers to find the memory location where to inject their malicious code.
The ASLR is particularly effective against stack and heap overflows and is able to prevent arbitrary code execution triggered by any other buffer overflow vulnerability.
Three three researchers from the State University of New York at Binghamton and the University of California in Riverside have devised a method to exploit the flaw. The technique was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.
The researchers exploited the branch target buffer (BTB) to leak ASLR addresses.
The BTB is a caching mechanism used by the CPU’s branch target predictor to optimize the performance, the trio has discovered a way to trigger BTB collisions between different user processes or processes and the kernel.
“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle.” states the paper published by the experts. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”
In order to create a BTB-based side-channel, it is necessary that three conditions are satisfied.
“We call the BTB collisions created between two processes executing in the same protection domain (e.g. two user-level processes) as Same-Domain Collisions (SDC).” continues the paper.
The researchers were able to successfully run the attack on a computer equipped with an Intel Haswell microarchitecture CPU and running a Linux kernel version 4.5.
The attackers were able to recover the kernel ASLR using BTB collisions in around 60 milliseconds.
The three researchers described software and hardware-based mitigations to avoid recovering of the that could prevent BTB-based side-channel attacks in the future or harden current ASLR implementations.
BTB side channel attacks are not a novelty, however, in order to bypass ASLR exploits often leverage on a second memory disclosure vulnerability present in the targeted OS or application. The method presented by the researcher is very interesting because attackers don’t need to exploit another flaw to carry on the attack.
Intel did not provide a comment to the attack.
(Security Affairs – ASLR, hacking)