New ASLR-busting JavaScript is about to make drive-by exploits much nastier

A property found in virtually all modern CPUs neuters decade-old security protection.

For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.

Now, researchers have devised an attack that could spell the end of ASLR as the world knows it now. The attack uses simple JavaScript code to identify the memory addresses where system and application components are loaded. When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides. The technique, which exploits what's known as a side channel in the memory cache of all widely used modern CPUs, is described in a research paper published on Wednesday. The researchers have dubbed the technique ASLR Cache or AnC for short.

"Fundamentally insecure"

The researchers said the side channel attack is much more damaging than previous ASLR bypasses, because it exploits a micro-architectural property of the CPU that's independent of any operating system or application running on it. Whereas heap spraying and other forms of ASLR bypass can often be mitigated by software tweaks, there isn't much that can stop or lessen the effects of the JavaScript, which targets a CPU's MMU, or memory management unit. That's because CPU caching behavior and strong address space randomization are mutually exclusive. (Apple, however, recently hardened its Safari browser to partially mitigate such attacks. It's also possible to prevent JavaScript from running in a browser, but such blocking often severely degrades a site's usability.)

The researchers wrote:

In this paper, we show that the problem is much more serious and that ASLR is fundamentally insecure on modern cache-based architectures. Specifically, we show that it is possible to derandomize ASLR completely from JavaScript, without resorting to esoteric operating system or application features. Unlike all previous approaches, we do not abuse weaknesses in the software (that are relatively easy to fix). Instead, our attack builds on hardware behavior that is central to efficient code execution: the fast translation of virtual to physical addresses in the MMU by means of page tables. As a result, all fixes to our attacks (e.g., naively disabling caching) are likely too costly in performance to be practical. To our knowledge, this is the first attack that side-channels the MMU and also the very first cache attack that targets a victim hardware rather than software component.

The researchers went on to combine their AnC JavaScript with attack code that exploits CVE-2013-0753, a now-patched use-after-free vulnerability in Firefox. Normally, ASLR protections in the 64-bit version of the browser require a separate information-disclosure exploit to achieve code execution. Using AnC, however, the researchers were able to mount an end-to-end attack that completely hijacked the control flow without any such information-disclosure exploit. Below is a video of the technique:

AnC or ASLR^Cache demonstration in Firefox.

AnC works by using what's known as an EVICT+TIME cache attack that detects which memory locations are accessed by a CPU's MMU. The researchers identified 22 microarchitectures from Intel, Advanced Micro Devices, and ARM that were vulnerable. They went on to say they have yet to test an architecture that didn't provide the MMU signal necessary to exploit the side channel. The vulnerabilities are indexed as CVE-2017-5925 as they apply to Intel processors, CVE-2017-5926 for AMD processors, CVE-2017-5927 for ARM processors, and CVE-2017-5928 for a timing issue affecting multiple browsers. The paper was written by Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida of the VUsec systems security group at Vrije Universiteit Amsterdam. They have published a resource page with additional information about the technique.

Given how crucial caching is to the performance of modern CPUs, the researchers say architectural fixes are likely to be too costly to be feasible. And even if hardware mitigations are possible—say, by creating a separate cache for page tables—the researchers warn that the vulnerability may resurface in software. They conclude their findings with a recommendation that's sure to get the attention of software developers everywhere:

"We hence recommend ASLR to no longer be trusted as a first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."