Researchers have devised a technique that bypasses a key security protection built into almost every modern operating system. Left unfixed, it would make malware attacks considerably more powerful.
Address space layout randomization (ASLR) is a defense against the widely used class of attacks that install malware by exploiting vulnerabilities in an operating system or application. ASLR loads code and data at unpredictable memory locations on each run, so an exploit that depends on knowing where a particular piece of code sits typically crashes the program instead of compromising the system. But researchers have now identified a flaw in Intel chips that lets attackers bypass this protection, making exploits far more potent than they otherwise would be.
ASLR is an important defense in commercial operating systems because it blocks exploits that rely on knowing the memory layout of the victim. A hardware weakness that allows ASLR to be bypassed underscores the need for CPU designers to treat security as a first-class concern when designing new processors.
Nael Abu-Ghazaleh of the University of California, Riverside, and two colleagues from the State University of New York at Binghamton demonstrated the technique on an Intel Haswell processor. By exploiting a flaw in the part of the CPU known as the branch predictor, a small application written by the researchers identified the memory locations at which chunks of code had been loaded.
The branch predictor contains a side channel that discloses these memory locations. A table within the predictor called the branch target buffer (BTB) stores the destination addresses of recently executed branches. Modern CPUs rely on the branch predictor to speed up execution by speculating whether a branch will be taken and which address it will go to, and the BTB caches the targets of previous branches so that the prediction can be made quickly. Because the BTB is indexed by only a subset of a branch's address bits, branches at different addresses that share those bits map to the same entry. The new technique exploits these collisions: by placing its own branches at chosen addresses and timing them, the attacker's program detects when they collide with the victim's branches, which reveals the address bits used to index the table and hence where specific code is located.
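The collision-probing idea above, as an added example in C that models it rather than running it on real hardware (this is not the researchers' code and not from the Ars Technica report). The model BTB is a direct-mapped, untagged table indexed by the low 20 bits of the branch address; the table geometry, the "cycle" counts, the attacker's probe addresses and the victim's load base are all constructed assumptions for illustration, not Haswell's real parameters. A real probe would time actual branch instructions on the CPU instead of consulting a model table, but the recovery logic is the same: sweep probe addresses over the index space, and the one whose timing flips after the victim runs shares an index with the victim's branch.

```c
/* Model of a BTB-collision probe that recovers ASLR-randomized address bits.
 * Geometry, timings and addresses are assumptions for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define INDEX_BITS   20u                        /* assumed: index = address bits [0,20) */
#define INDEX_MASK   ((1ull << INDEX_BITS) - 1)
#define PAGE_SHIFT   12u                        /* ASLR randomizes bits >= 12 (page granularity) */
#define HIT_CYCLES   20u                        /* assumed latency of a correctly predicted branch */
#define MISS_CYCLES  60u                        /* assumed latency of a mispredicted branch */

/* Model BTB: direct-mapped and untagged, so two branches whose addresses differ
 * only above the index bits share one slot. That sharing is what leaks. */
typedef struct {
    uint64_t target[1u << INDEX_BITS];
} btb_t;

static size_t btb_index(uint64_t addr) { return (size_t)(addr & INDEX_MASK); }

/* Execute a branch located at 'addr' that really goes to 'target'.
 * Returns the modelled latency: fast only if the slot already held this target. */
static unsigned btb_execute(btb_t *btb, uint64_t addr, uint64_t target) {
    uint64_t *slot = &btb->target[btb_index(addr)];
    unsigned cycles = (*slot == target) ? HIT_CYCLES : MISS_CYCLES;
    *slot = target;                       /* branch resolution updates the entry */
    return cycles;
}

/* A branch inside the victim's ASLR-randomized code. */
typedef struct { uint64_t addr, target; } branch_t;

/* Attacker: find the BTB index occupied by the victim's branch.
 * For each candidate index: train the slot with our own branch, let the victim
 * run, then time our branch again. A slow second run means the victim evicted
 * our entry, i.e. its branch maps to the same index. */
static uint64_t recover_victim_index(btb_t *btb, const branch_t *victim) {
    const uint64_t attacker_base   = 0x400000000000ull;  /* constructed: differs from victim above the index bits */
    const uint64_t attacker_target = attacker_base + 0x1000;
    for (uint64_t i = 0; i <= INDEX_MASK; i++) {
        uint64_t probe = attacker_base | i;
        btb_execute(btb, probe, attacker_target);             /* 1. train */
        btb_execute(btb, victim->addr, victim->target);       /* 2. victim executes (e.g. across a syscall) */
        unsigned t = btb_execute(btb, probe, attacker_target); /* 3. time the probe */
        if (t > (HIT_CYCLES + MISS_CYCLES) / 2)
            return i;                                         /* collision: same index as the victim */
    }
    return UINT64_MAX;
}

/* The branch's offset inside the binary is public (it is in the file on disk),
 * so index(victim) minus that offset, mod 2^INDEX_BITS, is the load base mod
 * 2^INDEX_BITS. Bits [PAGE_SHIFT, INDEX_BITS) of that are randomized ASLR bits. */
static uint64_t recover_base_bits(uint64_t victim_index, uint64_t branch_offset) {
    uint64_t base_low = (victim_index - branch_offset) & INDEX_MASK;
    return base_low >> PAGE_SHIFT;
}

/* Constructed scenario: a position-independent binary loaded at a randomized base,
 * with the branch of interest at a known offset inside it. */
static const uint64_t DEMO_BASE   = 0x55e4a7b3c000ull;  /* constructed ASLR base */
static const uint64_t DEMO_OFFSET = 0x12a4ull;          /* constructed offset of the branch in the binary */

static bool demo(void) {
    btb_t *btb = calloc(1, sizeof *btb);
    if (!btb) return false;
    branch_t victim = { DEMO_BASE + DEMO_OFFSET, DEMO_BASE + DEMO_OFFSET + 0x80 };
    uint64_t idx  = recover_victim_index(btb, &victim);
    uint64_t bits = recover_base_bits(idx, DEMO_OFFSET);
    bool ok = idx == (victim.addr & INDEX_MASK) && bits == ((DEMO_BASE & INDEX_MASK) >> PAGE_SHIFT);
    printf("victim BTB index 0x%llx, recovered base bits [12,20) = 0x%llx (actual 0x%llx)\n",
           (unsigned long long)idx, (unsigned long long)bits,
           (unsigned long long)((DEMO_BASE & INDEX_MASK) >> PAGE_SHIFT));
    free(btb);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

With this geometry the probe recovers 8 of the randomized bits; on real hardware the number recovered is set by how many address bits the BTB index actually consumes, and the remaining bits can be brute-forced far more cheaply once those are known.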
Nothing stops attackers from combining a similar bypass program with attack code that exploits an OS or application vulnerability. The exploit could then use the disclosed memory locations to make the targeted computer run a malicious payload. The ASLR implementations in Microsoft Windows and Apple's OS X are similarly vulnerable.
The researchers also proposed a number of hardware and software approaches for mitigating the attacks.
Source: Ars Technica