Address Space Layout Randomization (ASLR) is fundamentally broken on modern hardware due to a side-channel attack on the memory management unit, allowing memory addresses to be leaked from JavaScript. This talk will show how.

Address space layout randomization (ASLR) has often been sold as an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing. In this talk, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cache-based architectures, making ASLR and caching conflicting requirements (ASLR xor Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU's page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim's code and data by locating the cache lines that store the page-table entries used for address translation. Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript implementation can break code and heap ASLR in two major browsers running on the latest Linux operating system with 28 bits of entropy in 150 seconds. We further verify that the AnC attack is applicable to every modern architecture that we tried, including Intel, ARM and AMD. Mitigating this attack without naively disabling caches is hard, since it targets the low-level operations of the MMU. We conclude that ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block.
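The abstract says the attack works by locating the cache lines that hold the page-table entries used during a translation. The following script is an added illustration, not code from the talk or the paper, and it does no timing or cache eviction at all: it only carries out the page-table arithmetic a defender needs to see why the cache-line position of each entry is tied to the randomized address bits. It assumes x86-64 four-level paging with 4 KiB pages, 8-byte page-table entries and 64-byte cache lines, and that the 28 randomized bits the abstract mentions are virtual-address bits 12 through 39; those layout assumptions are mine, not stated on the page. The count of remaining bits is only what this structural accounting alone gives; the abstract reports that the full 28 bits fall, but this page does not describe the additional steps behind that.

```python
"""Entropy accounting for the page-table-walk cache channel on x86-64.

Added illustration (not from the paper or the talk). Assumed layout:
4-level paging, 4 KiB pages, 8-byte entries, 64-byte cache lines, and
a randomized mmap region covering virtual-address bits 12..39.
"""

PAGE_SHIFT = 12                      # 4 KiB pages: low 12 bits are the page offset
INDEX_BITS = 9                       # 512 entries per page-table page
ENTRY_SIZE = 8                       # bytes per PTE / PDE / PDPTE / PML4E
LINE_SIZE = 64                       # bytes per cache line
ENTRIES_PER_LINE = LINE_SIZE // ENTRY_SIZE          # 8 entries share one line
LINE_BITS = ENTRIES_PER_LINE.bit_length() - 1       # 3 index bits hidden inside a line
LEVELS = ("PT", "PD", "PDPT", "PML4")               # walk order, leaf first


def table_indices(va):
    """For each level of the walk, return (index, byte offset, cache line)
    of the entry the MMU reads inside that level's page-table page."""
    out = {}
    for level, name in enumerate(LEVELS):
        shift = PAGE_SHIFT + INDEX_BITS * level
        idx = (va >> shift) & ((1 << INDEX_BITS) - 1)
        off = idx * ENTRY_SIZE
        out[name] = (idx, off, off // LINE_SIZE)
    return out


def bits_revealed_by_lines():
    """Virtual-address bit positions that the cache line touched at each
    level determines: the top 6 of the 9 index bits, since the low 3 only
    select the entry within a 64-byte line."""
    revealed = {}
    for level, name in enumerate(LEVELS):
        lo = PAGE_SHIFT + INDEX_BITS * level + LINE_BITS
        hi = PAGE_SHIFT + INDEX_BITS * (level + 1) - 1
        revealed[name] = list(range(lo, hi + 1))
    return revealed


def randomized_bits_exposed(low=12, high=39):
    """Intersect the line-determined bits with the randomized range and
    return (sorted exposed bits, number of randomized bits still unknown)."""
    randomized = set(range(low, high + 1))
    exposed = set()
    for bits in bits_revealed_by_lines().values():
        exposed |= set(bits) & randomized
    return sorted(exposed), len(randomized) - len(exposed)


if __name__ == "__main__":
    sample_va = 0x7F1234567000          # constructed sample address, not a real leak
    for name, (idx, off, line) in table_indices(sample_va).items():
        print(f"{name:>4}: index {idx:3d}  offset {off:4d}  cache line {line:2d}")
    exposed, unknown = randomized_bits_exposed()
    print(f"bits fixed by line positions: {exposed}")
    print(f"randomized bits left after line positions alone: {unknown}")
```

Running it shows that each of the four lines touched by a walk pins six of the nine index bits at its level, so the line positions alone fix 18 of the 28 randomized bits and leave 10. That is the defender's takeaway from the abstract: the entropy ASLR relies on is not independent of the cache state the MMU creates, which is why the authors argue mitigation cannot simply be a matter of adding more randomized bits.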
yeah, idk if all the details on this are out yet, but it's going to be extra megabad mainly for anyone that runs any kind of virtual machines for multiple customers and needs to ensure security.
It may also be bad for web browsers, but the performance penalty there will likely be negligible, even if ~30%.
I bet ryzen and TR users are feeling extra awesome right now.
This is very bad. Reading into it and studying computer science at the same time, I even understand the fundamentals of the issue.
The above paragraph is just to avoid simply saying: This is very bad!
At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.
As far as the public knows, this specific problem has to do with the CPU “pre-fetching” instructions and executing them before performing security checks on those instructions.
I’m going to be livid if I feel a performance impact after the update. Bad news doesn’t even begin to explain this. It’s outrageous and downright unacceptable.