Authored by Bharti Amlani
Recently, researchers have found that the branch target buffer (BTB) mechanism in Intel Haswell CPUs can be used to leak ASLR-protected memory addresses. This behaviour can be abused to defeat an anti-exploitation technology that exists in all major operating systems.
All of this came to light when three researchers from the State University of New York at Binghamton and the University of California, Riverside presented their newly developed technique for bypassing ASLR (address space layout randomization) at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.
First, what is ASLR? It is a security mechanism used by the operating system to randomize the memory addresses of key areas of a process, so that attackers don't know where their injected exploit shellcode will end up.
The aim of ASLR is to make memory corruption bugs (such as stack and heap overflows) result in crashes rather than arbitrary code execution. Once such a vulnerability is exploited, the malicious code needs to be placed at a position in memory that the target process, or the OS kernel itself, will execute as part of its normal operation; without knowing the randomized layout, the attacker has to guess that position.
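To make the "randomized layout" concrete, here is an added example (not code from the article or from the researchers' paper) that launches a small child process several times and records where its libc mapping, a malloc'd buffer and an anonymous mmap region land in each run. On a Linux-like system with ASLR enabled the addresses change from run to run; the helper `aslr_sysctl` reads the Linux `/proc/sys/kernel/randomize_va_space` knob so the observation can be compared with the configured setting. The child source, the region names and the function names are assumptions of this example; it assumes a Linux or macOS host where `ctypes.CDLL(None)` resolves `printf`.

```python
import subprocess
import sys

# Child program run in a fresh process each time. It reports three addresses
# from its own address space: a libc function (shared-library mapping), a
# ctypes buffer obtained from malloc (heap) and an anonymous mmap region.
# (Constructed for this example; assumes Linux/macOS where CDLL(None) works.)
CHILD_SRC = r"""
import ctypes, mmap
libc = ctypes.CDLL(None)
libc_addr = ctypes.cast(libc.printf, ctypes.c_void_p).value
buf = ctypes.create_string_buffer(4096)          # small malloc -> brk heap
heap_addr = ctypes.addressof(buf)
region = mmap.mmap(-1, 4096)                     # anonymous, writable mapping
mmap_addr = ctypes.addressof(ctypes.c_char.from_buffer(region))
print(libc_addr, heap_addr, mmap_addr)
"""

REGIONS = ("libc", "heap", "mmap")   # order matches the child's print()


def sample_addresses(runs=5):
    """Launch the child `runs` times; return a list of (libc, heap, mmap) tuples."""
    samples = []
    for _ in range(runs):
        out = subprocess.check_output([sys.executable, "-c", CHILD_SRC], text=True)
        samples.append(tuple(int(tok) for tok in out.split()))
    return samples


def randomized_regions(samples):
    """Map each region name to True when its address varied across the runs."""
    return {name: len({s[i] for s in samples}) > 1
            for i, name in enumerate(REGIONS)}


def aslr_sysctl(path="/proc/sys/kernel/randomize_va_space"):
    """Return the Linux ASLR sysctl value (0 off, 1 partial, 2 full) or None."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    runs = sample_addresses()
    for i, sample in enumerate(runs):
        print(f"run {i}: " + "  ".join(f"{n}=0x{a:x}" for n, a in zip(REGIONS, sample)))
    print("randomized:", randomized_regions(runs))
    print("randomize_va_space:", aslr_sysctl())
```

If every region reports the same address on each run, ASLR is disabled for the process (for example `randomize_va_space` set to 0, or a debugger or container that turns it off); that is exactly the condition under which an attacker no longer needs a leak such as the BTB side channel described below.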
The three researchers further explain that the BTB, or branch target buffer, a caching structure used by the CPU's branch target predictor, can give an attacker access to ASLR-protected addresses. The leak arises from BTB collisions between different user processes and the kernel. A point to remember: the branch prediction mechanism built into CPUs exists purely to optimize performance; leaking address information is a side effect of sharing that structure.
“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle,” the researchers explain in their paper. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”
Along with the presentation of the paper, the three researchers gave a live demonstration of their BTB-based ASLR bypass on a computer equipped with an Intel Haswell microarchitecture CPU and running a recent Linux kernel (version 4.5). Strikingly, their attack could reliably recover the kernel ASLR layout using BTB collisions in around 60 milliseconds.
In their paper, the researchers propose both software and hardware mitigations, so that BTB-based side channel attacks could be prevented in future designs and current ASLR implementations could be made harder to bypass.
Attackers have other methods of getting past ASLR, but those require a separate memory leak vulnerability that must then be chained together with the original memory corruption flaw. It is a notable consequence of improved software security that most remote code execution attacks today have to go through such complex exploit chains, while the BTB side channel offers a working shortcut that removes the need for a separate leak.
Intel has not yet responded to the findings, but it is likely that the company will take them seriously and come up with a fix or security guidance in due course.