Address Space Layout Randomization was a champion hardening technology introduced in most major desktop and mobile operating systems as a mitigation against memory-based code-execution attacks.
Bypassing ASLR, however, has become somewhat of a parlor game for attackers and white-hat researchers, with numerous circumventions introduced across platforms in recent years.
Another circumvention surfaced this week in a paper called “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR,” written by Dmitry Evtyushkin and Dmitry Ponomarev of the State University of New York, and Nael Abu-Ghazaleh of the University of California Riverside. The computer scientists and engineers devised a side-channel attack carried out against Intel’s Haswell processor that recovers kernel ASLR offsets via a weakness in the branch target buffer (BTB) caching feature that’s part of most processor.
By knowing the offsets, an attacker can negate their randomization provided by ASLR in virtual memory and learn the address space of code objects and accurately predict where to direct an attack against the system.
“Our attack exploits the observation that an adversary can create BTB collisions between the branch instructions of the attacker process and either the user-level victim process or on the kernel executing on its behalf,” the researches wrote. “These collisions, in turn, can impact the timing of the attacker’s code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel.”
The attack, demonstrated using an Intel Haswell processor, reliably recovered kernel ASLR in 60 milliseconds, the researchers said.
The key, the paper says, is identifying collisions in the branch target buffer. The researchers describe two types of BTB collisions they were able to leverage, one that bypasses kernel-level ASLR using a collision between a user-level branch and a kernel-level branch, and another between two user-level branches.
“The collisions can be easily detected by the attacker because they impact the timing of the attacker-controlled code,” the researchers wrote. “Identifying the BTB collisions allows the attacker to determine the exact locations of known branch instructions in the code segment of the kernel or of the victim process, thus disclosing the ASLR offset.”
The BTB, also known as the branch target predictor, is a processor feature that predicts where in memory instructions will be executed; the attacks described in the paper were carried out on a Linux system running a Haswell CPU.
The paper also describes software- and hardware-based mitigations that suppress the side channel in this attack, or lessens how vulnerable ASLR is to the attack. For example, one software mitigation would be fine-grained ASLR schemes used to randomize code at a granular level in functions, blocks or instructions. This drives up the cost of the attack, the paper says. On the hardware side, the paper suggests changing a BTB addressing mechanism by using a full virtual address to access the BTB. The paper suggests this would prevent exploitable collisions.