A Chip Flaw Strips Away a Key Hacking Safeguard for Millions of Devices | WIRED

https://www.wired.com/2017/02/flaw-millions-chips-strips-away-key-hacking-defense-software-cant-fully-fix/?mbid=social_fb

ASLR attack makes security worse on many devices.

3 Comments

  1. Tomi Engdahl says:

    ASLR^CACHE Attack Defeats Address Space Layout Randomization
    http://hackaday.com/2017/02/15/aslrcache-attack-defeats-address-space-layout-randomization/

    Researchers from VUSec found a way to break ASLR via an MMU sidechannel attack that even works in JavaScript. Does this matter? Yes, it matters. A lot. The discovery of this security flaw along with the practical implementation is really important mainly because of two factors: what it means for ASLR to be broken and how the MMU sidechannel attack works inside the processor.

    Breaking ASLR is a huge step towards simplifying an exploit and making it more reliable. Being able to do it from within JavaScript means that an exploit using this technique can defeat web browser ASLR protection running JavaScript, the most common configuration for Internet users.

    AnC
    Address Space Layout Randomization
    https://www.vusec.net/projects/anc/

    Address space layout randomization or ASLR in short is a first line of defense against attackers targeting Internet users. ASLR randomizes the location of an application’s code and data in the virtual address space in order to make it difficult for attackers to leak or manipulate the data or reuse the code in order to compromise the application. Combined with the no execution bit for data enforced by all modern processors, ASLR makes it harder to compromise systems.

    In the past, researchers have shown that ASLR can be broken in some instances. For example, a local attacker with native code execution can break kernel-level ASLR. In more serious environments such as the browser, however, ASLR is still considered a good defense.

    Last year, our award-winning attack showed that a JavaScript-enabled attacker can break ASLR in Microsoft Edge using a side channel introduced by memory deduplication. Microsoft quickly moved to disable memory deduplication to preserve the security of its users. In this project, we show that the limitations of ASLR are fundamental to how modern processors manage memory and build an attack that can fully derandomize ASLR from JavaScript without relying on any software feature.

  2. Tomi Engdahl says:

    All the details can be consulted in the research team’s paper.
    http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf

    Meanwhile, they left us some videos of demo attacks on the ASLR. The fastest one took only 25 seconds:

    Fast version of AnC
    https://www.youtube.com/watch?v=aILISvZlBAU

    This video is to demonstrate how fast an AnC computation can be.

  3. Tomi Engdahl says:

    JavaScript Attack Breaks ASLR On 22 CPU Architectures
    https://developers.slashdot.org/story/17/02/15/2149235/javascript-attack-breaks-aslr-on-22-cpu-architectures?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others. The attack, christened ASLR⊕Cache, or AnC, focuses on the memory management unit (MMU)

    JavaScript Attack Breaks ASLR on 22 CPU Architectures
    https://www.bleepingcomputer.com/news/security/javascript-attack-breaks-aslr-on-22-cpu-architectures/

    Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 processor micro-architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others.

    The attack, christened ASLR⊕Cache, or AnC, focuses on the memory management unit (MMU), a lesser-known component of many CPU micro-architectures, which is tasked with improving performance for cache management operations.

    “We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU,” researchers said.

    “For example, on the x86_64 architecture, our attack can find the offsets that are accessed by the MMU for each of the four page table pages. The offset within each page breaks nine bits of entropy so even a perfect ASLR implementation with 36 bits of entropy is not safe.”

    In layman’s terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer’s memory, which he could then use to launch more complex exploits and escalate access to the entire OS.

    AnC attacks work via Chrome and Firefox on 22 CPU micro-architectures

    Researchers said they successfully tested AnC JavaScript attacks via Chrome and Firefox on 22 different CPU micro-architectures, despite several protections built within those browsers, such as broken JavaScript timers.

    Issues with AnC attacks are tracked via several CVE identifiers.

    CVE-2017-5925 is assigned to track the developments for Intel processors
    CVE-2017-5926 is assigned to track the developments for AMD processors
    CVE-2017-5927 is assigned to track the developments for ARM processors
    CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

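The quoted figures (four page-table pages on x86_64, nine bits of entropy broken per page, 36 bits in total) follow directly from how the MMU walks a virtual address. The program below is an added worked example for this thread; it is not code from the page, from VUSec or from the AnC paper, and it models only the address arithmetic, not the EVICT+TIME timing measurement itself. For a given address it shows which 8-byte entry, and therefore which 64-byte cache line, the walk touches in each of the four page-table pages, and how the four recovered 9-bit indices put the page-aligned address back together. The virtual address is a constructed example; the constants are x86_64's standard 4 KiB, four-level layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86_64 4 KiB paging: four page-table levels, 9 index bits each, 12-bit page offset. */
#define PT_LEVELS         4
#define INDEX_BITS        9
#define PAGE_SHIFT        12
#define ENTRY_SIZE        8                            /* bytes per page-table entry */
#define CACHE_LINE        64                           /* bytes per cache line */
#define ENTRIES_PER_LINE  (CACHE_LINE / ENTRY_SIZE)    /* 8 entries share one line */
#define LINE_BITS         3                            /* log2(ENTRIES_PER_LINE) */

/* Bit position where the index for `level` starts (0 = PML4, 3 = PT). */
static int index_shift(int level) {
    return PAGE_SHIFT + INDEX_BITS * (PT_LEVELS - 1 - level);
}

/* 9-bit index into the page-table page the MMU reads at `level` for `va`. */
static unsigned pt_index(uint64_t va, int level) {
    return (unsigned)((va >> index_shift(level)) & ((1u << INDEX_BITS) - 1));
}

/* Byte offset of that entry inside its 4 KiB page-table page. */
static unsigned pt_entry_offset(uint64_t va, int level) {
    return pt_index(va, level) * ENTRY_SIZE;
}

/* Cache line (0..63) within the page-table page that the walk touches:
 * this is what an EVICT+TIME probe on the page-table page can observe. */
static unsigned pt_cache_line(uint64_t va, int level) {
    return pt_entry_offset(va, level) / CACHE_LINE;
}

/* Put the page-aligned virtual address back together from four recovered indices. */
static uint64_t va_from_indices(unsigned pml4, unsigned pdpt, unsigned pd, unsigned pt) {
    unsigned idx[PT_LEVELS] = { pml4, pdpt, pd, pt };
    uint64_t va = 0;
    for (int level = 0; level < PT_LEVELS; level++)
        va |= (uint64_t)(idx[level] & ((1u << INDEX_BITS) - 1)) << index_shift(level);
    if (va & (1ULL << 47))                 /* canonical form for the upper (kernel) half */
        va |= 0xffff000000000000ULL;
    return va;
}

/* Randomized bits exposed by the walk: 9 per level if the exact entry is known
 * (36 in total, the figure quoted in the comment), 6 per level if only the cache line is. */
static int exposed_bits(bool exact_entry) {
    return PT_LEVELS * (exact_entry ? INDEX_BITS : INDEX_BITS - LINE_BITS);
}

int main(void) {
    /* Constructed example: a page-aligned user-space address, not taken from any real run. */
    uint64_t va = 0x00007f3a1c2d5000ULL;
    static const char *names[PT_LEVELS] = { "PML4", "PDPT", "PD", "PT" };

    printf("va = 0x%016llx\n", (unsigned long long)va);
    for (int level = 0; level < PT_LEVELS; level++)
        printf("  %-4s index %3u  offset %4u  cache line %2u\n", names[level],
               pt_index(va, level), pt_entry_offset(va, level), pt_cache_line(va, level));

    uint64_t rebuilt = va_from_indices(pt_index(va, 0), pt_index(va, 1),
                                       pt_index(va, 2), pt_index(va, 3));
    printf("rebuilt from indices: 0x%016llx (%s)\n", (unsigned long long)rebuilt,
           rebuilt == va ? "match" : "mismatch");
    printf("exposed bits: %d (exact entry), %d (cache line only)\n",
           exposed_bits(true), exposed_bits(false));
    return 0;
}
```

Two points the arithmetic makes visible. First, the 12 page-offset bits are never randomized by ASLR, so the four 9-bit indices are the whole secret: recover them and the page address is fully known, which is why "36 bits of entropy is not safe". Second, a cache-line probe alone sees only 6 of the 9 bits per level, because eight entries share a 64-byte line; the remaining 3 bits per level have to be recovered by further probing, which the AnC paper does by moving the accessed address in page-sized steps and watching when the touched cache line changes.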
