A flaw in Intel Haswell CPUs could be abused by attackers to circumvent a security mechanism intended to make memory-corruption bugs harder to turn into arbitrary code execution, according to researchers at the universities of Binghamton and California.
The feature, called address space layout randomisation (ASLR), randomises the memory addresses at which a process's code and data (and, for the kernel, the kernel image itself) are loaded. An attacker who has found a memory-corruption bug therefore does not know where to redirect execution and cannot reliably craft an exploit. ASLR is a probabilistic defence: it holds only as long as the randomised addresses stay secret.
But the researchers claimed in a paper presented at this week's IEEE/ACM International Symposium on Microarchitecture in Taipei that ASLR can be "broken" by using the branch target buffer (BTB), a caching mechanism used by the CPU, to cause it to leak ASLR memory addresses.
"The BTB stores target addresses of recently executed branch instructions so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle," said the researchers in the paper titled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR (PDF).
"Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible."
The researchers demonstrated the attack on an Intel Haswell-based PC running a "recent version" of Linux, although they pointed out that ASLR features are also deployed in Windows, Android and Apple's iOS and macOS.
It took just 60 milliseconds to recover the kernel's randomised base address (kernel ASLR) using this technique. "ASLR implementations across different operating systems differ by the amount of entropy used and by the frequency at which memory addresses are randomised," they explained.
"These characteristics directly determine the resilience of ASLR implementations to possible attacks. 32-bit operating systems have a much smaller addressable space, limiting the amount of space that can be dedicated to randomisation, making it possible to build fast brute-force attacks.
"The randomisation frequency can range from a single randomisation at boot or compile time to dynamic randomisation during program execution. More frequent re-randomisation reduces the probability of a successful attack."
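To make the mechanism in the quoted passages concrete, here is a small Python model of the attack, written for this page; it is not code from the paper or its authors. It models a direct-mapped BTB shared by everyone on the core, a kernel whose base is randomised once at boot with 9 bits of entropy at 2 MiB granularity (a constructed stand-in for x86-64 kernel ASLR), and an attacker who provokes a kernel branch with a system call and then times its own branch at a user-space address that aliases the guessed kernel branch in the BTB. Everything numeric here is an assumption for the model: that the BTB is indexed by the low 30 bits of the virtual address (the page does not state the indexing scheme), the branch offsets, the cycle counts and the noise. On real hardware the attacker would time the branch with rdtsc and calibrate the threshold empirically.

```python
import random

# Assumption for this model: the BTB is indexed by the low 30 bits of the
# branch's virtual address, so a user-space branch and a kernel branch that
# agree in those bits share one BTB entry.
BTB_INDEX_BITS = 30
BTB_MASK = (1 << BTB_INDEX_BITS) - 1

# Constructed timing model: a correctly predicted branch costs BASE_CYCLES
# plus jitter; a mispredicted one additionally costs MISPREDICT_PENALTY.
BASE_CYCLES = 30
MISPREDICT_PENALTY = 20
TIMING_JITTER = 5


class ModelBTB:
    """A direct-mapped branch target buffer shared by all code on the core."""

    def __init__(self):
        self.entries = {}  # index bits -> last seen target

    def branch(self, addr, target):
        """Execute a taken branch at addr jumping to target.
        Returns True if the BTB predicted a different target (misprediction)."""
        key = addr & BTB_MASK
        predicted = self.entries.get(key)
        self.entries[key] = target
        return predicted is not None and predicted != target


class ModelKernel:
    """Victim: a kernel whose text base is randomised once at boot."""

    KERNEL_BASE = 0xFFFFFFFF80000000   # low 30 bits are zero (constructed)
    SLOT_SIZE = 1 << 21                # 2 MiB alignment of the randomised base
    SYSCALL_BRANCH_OFFSET = 0x4A0      # constructed offset of a branch on the syscall path

    def __init__(self, btb, rng, entropy_bits=9):
        self.btb = btb
        self.entropy_bits = entropy_bits
        self.slot = rng.randrange(1 << entropy_bits)   # the secret
        self.base = self.KERNEL_BASE + self.slot * self.SLOT_SIZE

    def syscall(self):
        """Any syscall executes a taken branch inside the kernel, which installs
        the kernel's target in the BTB entry selected by that branch's address."""
        branch_addr = self.base + self.SYSCALL_BRANCH_OFFSET
        self.btb.branch(branch_addr, branch_addr + 0x40)


class Attacker:
    """Unprivileged process on the same core as the victim."""

    def __init__(self, btb, rng):
        self.btb = btb
        self.rng = rng
        self.probes = 0   # number of timed branches, to show the attack cost

    def time_branch(self, addr):
        """Execute our own branch at addr and return the modelled cycle count.
        Our target is in user space, so it never equals a kernel target: if the
        BTB already holds the kernel's entry for this index, we mispredict."""
        mispredicted = self.btb.branch(addr, addr + 0x10)
        self.probes += 1
        cycles = BASE_CYCLES + self.rng.randrange(TIMING_JITTER + 1)
        return cycles + (MISPREDICT_PENALTY if mispredicted else 0)

    def recover_kaslr_slot(self, kernel, samples=3):
        """Scan every possible kernel base; the slot whose aliased branch
        mispredicts consistently after a syscall is the real one."""
        threshold = BASE_CYCLES + TIMING_JITTER + MISPREDICT_PENALTY // 2
        for slot in range(1 << kernel.entropy_bits):
            guess = (ModelKernel.KERNEL_BASE + slot * ModelKernel.SLOT_SIZE
                     + ModelKernel.SYSCALL_BRANCH_OFFSET)
            # Only the index bits matter, so a user-space address with the same
            # low 30 bits aliases the guessed kernel branch in the BTB.
            probe = guess & BTB_MASK
            hits = 0
            for _ in range(samples):
                kernel.syscall()                 # victim installs its entry
                if self.time_branch(probe) > threshold:
                    hits += 1
            if hits == samples:                  # repeated samples defeat jitter
                return slot
        return None


def demo(seed=2016, entropy_bits=9):
    """Run one attack; returns (recovered slot, true slot, timed branches used)."""
    rng = random.Random(seed)
    btb = ModelBTB()
    kernel = ModelKernel(btb, rng, entropy_bits)
    attacker = Attacker(btb, rng)
    recovered = attacker.recover_kaslr_slot(kernel)
    return recovered, kernel.slot, attacker.probes


if __name__ == "__main__":
    recovered, actual, probes = demo()
    print(f"true slot {actual}, recovered {recovered} after {probes} timed branches")
```

The search space is what makes the attack cheap: with 9 bits of entropy the attacker needs at most 512 candidate addresses, each costing a syscall and a few timed branches, which is why a real run finishes in tens of milliseconds. Raising the entropy multiplies the number of candidates, and re-randomising during execution invalidates partial progress, which is the sense in which the quoted passage says these two properties determine resilience. Changing which address bits feed the BTB index, or adding a per-process component to the index, would break the aliasing the attacker relies on.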
This is not the first attack on ASLR demonstrated by security researchers, but earlier bypasses typically needed a second vulnerability, such as a memory disclosure bug, to leak an address. This attack needs only the BTB side channel and a way to time the attacker's own branches.
The paper also highlighted some potential mitigations against ASLR attacks, such as more comprehensive randomisation and changes to the way in which the BTB addressing mechanism works.
The research was the work of Dmitry Evtyushkin and Dmitry Ponomarev at the University of Binghamton and Nael Abu-Ghazaleh at the University of California.