conference logo

Playlist "34C3: TUWAT"

ASLR on the line

brainsmoke

Address Space Layout Randomization (ASLR) is fundamentally broken on modern hardware due to a side-channel attack on the Memory management unit, allowing memory addresses to be leaked from JavaScript. This talk will show how.

Address space layout randomization (ASLR) has often been sold as an
important first line of defense against memory corruption attacks
and a building block for many modern countermeasures. Existing
attacks against ASLR rely on software vulnerabilities and/or on
repeated (and detectable) memory probing.

In this talk, we show that neither is a hard requirement
and that ASLR is fundamentally insecure on modern cache-
based architectures, making ASLR and caching conflicting
requirements (ASLR xor Cache, or simply AnC). To support
this claim, we describe a new EVICT+TIME cache attack
on the virtual address translation performed by the memory
management unit (MMU) of modern processors. Our AnC attack
relies on the property that the MMU's page-table walks result
in caching page-table pages in the shared last-level cache (LLC).

As a result, an attacker can derandomize virtual addresses of a
victim's code and data by locating the cache lines that store the
page-table entries used for address translation.
Relying only on basic memory accesses allows AnC to be
implemented in JavaScript without any specific instructions or
software features. We show our JavaScript implementation can
break code and heap ASLR in two major browsers running on
the latest Linux operating system with 28 bits of entropy in 150
seconds. We further verify that the AnC attack is applicable to
every modern architecture that we tried, including Intel, ARM
and AMD. Mitigating this attack without naively disabling caches
is hard, since it targets the low-level operations of the MMU.
We conclude that ASLR is fundamentally flawed in sandboxed
environments such as JavaScript and future defenses should not
rely on randomized virtual addresses as a building block.