Pierluigi Paganini October 20, 2016

A flaw in Intel chips could be exploited to launch “Side channel” attack allowing attackers bypass protection mechanism known as ASLR.

A vulnerability in the Intel’s Haswell CPUs can be exploited to bypass the anti-exploitation technology address space layout randomization (ASLR) that in implemented by all the principal operating systems.

The ASLR is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, it makes hard for attackers to find the memory location where to inject their malicious code.

The ASLR is particularly effective against stack and heap overflows and is able to prevent arbitrary code execution triggered by any other buffer overflow vulnerability.

Three three researchers from the State University of New York at Binghamton and the University of California in Riverside have devised a method to exploit the flaw. The technique was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.

The researchers exploited the branch target buffer (BTB) to leak ASLR addresses.

The BTB is a caching mechanism used by the CPU’s branch target predictor to optimize the performance, the trio has discovered a way to trigger BTB collisions between different user processes or processes and the kernel.

“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle.” states the paper published by the experts. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”

In order to create a BTB-based side-channel, it is necessary that three conditions are satisfied.

1. One application has to fill a BTB entry by executing a branch instruction.
2. The execution time of another application running on the same core must be affected by the state of the BTB. Thi happens when both applications use the same BTB entry.
3. The second application must be able to detect the impact on its execution by performing time measurements.

“We call the BTB collisions created between two processes executing in the same protection domain (e.g. two user-level processes) as Same-Domain Collisions (SDC).” continues the paper.

The researchers were able to successfully run the attack on a computer equipped with an Intel Haswell microarchitecture CPU and running a Linux kernel version 4.5.

The attackers were able to recover the kernel ASLR using BTB collisions in around 60 milliseconds.

The three researchers described software and hardware-based mitigations to avoid recovering of the that could prevent BTB-based side-channel attacks in the future or harden current ASLR implementations.

BTB side channel attacks are not a novelty, however, in order to bypass ASLR exploits often leverage on a second memory disclosure vulnerability present in the targeted OS or application. The method presented by the researcher is very interesting because attackers don’t need to exploit another flaw to carry on the attack.

Intel did not provide a comment to the attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ASLR, hacking)