Bypassing ALLR Protection on 22 CPU Architectures (Why This Is Good News!)

A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures by Swati Khandelwal.

From the post:

Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or application running on them, and the worse — the flaw can not be entirely fixed with any mere software update.

The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.

ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.

In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device’s memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.

In short, for attackers, it’s like an attempt to burglarize a house blindfolded.

But now a group of researchers, known as VUSec, from the Vrije University in the Netherlands have developed an attack that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others.

The attack, dubbed ASLR Cache or AnC, is particularly serious because it uses simple JavaScript code to identify the base addresses in memory where system and application components are executed.

So, merely visiting a malicious site can trigger the attack, which allows attackers to conduct more attacks targeting the same area of the memory to steal sensitive information stored in the PC’s memory.

See Swati’s post for two videos demonstrating this unpatchable security flaw in action.

For a more formal explanation of the flaw,

ASLR on the Line: Practical Cache Attacks on the MMU by Ben Gras, et al.

Abstract:

Address space layout randomization (ASLR) is an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing.

In this paper, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cachebased architectures, making ASLR and caching conflicting requirements (ASLR⊕Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU’s page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim’s code and data by locating the cache lines that store the page-table entries used for address translation.

Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript implementation can break code and heap ASLR in two major browsers running on the latest Linux operating system with 28 bits of entropy in 150
seconds. We further verify that the AnC attack is applicable to every modern architecture that we tried, including Intel, ARM and AMD. Mitigating this attack without naively disabling caches is hard, since it targets the low-level operations of the MMU. We conclude that ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block.

and,

Reverse Engineering Hardware Page Table Caches Using Side-Channel Attacks on the MMU by Stephan van Schaik, et al.

Abstract:

Recent hardware-based attacks that compromise systems with Rowhammer or bypass address-space layout randomization rely on how the processor’s memory management unit (MMU) interacts with page tables. These attacks often need to reload page tables repeatedly in order to observe changes in the target system’s behavior. To speed up the MMU’s page table lookups, modern processors make use of multiple levels of caches such as translation lookaside buffers (TLBs), special-purpose page table caches and even general data caches. A successful attack needs to flush these caches reliably before accessing page tables. To flush these caches from an unprivileged process, the attacker needs to create specialized memory access patterns based on the internal architecture and size of these caches, as well as on how the caches interact with each other. While information about TLBs and data caches are often reported in processor manuals released by the vendors, there is typically little or no information about the properties of page table caches on
different processors. In this paper, we retrofit a recently proposed EVICT+TIME attack on the MMU to reverse engineer the internal architecture, size and the interaction of these page table caches with other caches in 20 different microarchitectures from Intel, ARM and AMD. We release our findings in the form of a library that provides a convenient interface for flushing these caches as well as automatically reverse engineering page table caches on new architectures.

So, Why Is This Good News?

Everything exists in a context and security flaws are no exception to that rule.

For example, H.J.Res.41 – Providing for congressional disapproval under chapter 8 of title 5, United States Code, of a rule submitted by the Securities and Exchange Commission relating to “Disclosure of Payments by Resource Extraction Issuers” reads in part:


Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Securities and Exchange Commission relating to “Disclosure of Payments by Resource Extraction Issuers” (published at 81 Fed. Reg. 49359 (July 27, 2016)), and such rule shall have no force or effect.
… (emphasis in original)

That may not sound like much until you read Disclosure of Payments by Resource Extraction Issuers, issued by the Security and Exchange Commission (SEC), which reads in part:


SUMMARY:

We are adopting Rule 13q-1 and an amendment to Form SD to implement Section 1504 of the Dodd-Frank Wall Street Reform and Consumer Protection Act relating to the disclosure of payments by resource extraction issuers. Rule 13q-1 was initially adopted by the Commission on August 22, 2012, but it was subsequently vacated by the U.S. District Court for the District of Columbia. Section 1504 of the Dodd-Frank Act added Section 13(q) to the Securities Exchange Act of 1934, which directs the Commission to issue rules requiring resource extraction issuers to include in an annual report information relating to any payment made by the issuer, a subsidiary of the issuer, or an entity under the control of the issuer, to a foreign government or the Federal Government for the purpose of the commercial development of oil, natural gas, or minerals. Section 13(q) requires a resource extraction issuer to provide information about the type and total amount of such payments made for each project related to the commercial development of oil, natural gas, or minerals, and the type and total amount of payments made to each government. In addition, Section 13(q) requires a resource extraction issuer to provide information about those payments in an interactive data format.
… (emphasis in original)

Or as By Alex Guillén says in Trump signs bill killing SEC rule on foreign payments:

President Donald Trump Tuesday signed the first in a series of congressional regulatory rollback bills, revoking an Obama-era regulation that required oil and mining companies to disclose their payments to foreign governments.

The danger posed to global corruption by this SEC rule has passed.

What hasn’t passed is the staffs of foreign governments and resource extraction issuers remain promiscuous web surfers.

Web surfers who will easily fall prey to a JavaScript exploit that bypasses ASLR protection!

Rather than protecting global corruption, H.J.Res 41 increases the incentives for breaching the networks of foreign governments and resource extraction issuers. You may find payment information and other embarrassing and/or incriminating information.

ASLR Cache or AnC gives you another tool for mining the world of the elites.

Rejoice at every new systemic security flaw. The elites have more to hide than youthful indiscretions and records of poor marital fidelity.

Comments are closed.