A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures
Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or application running on them, and the worse — the flaw can not be entirely fixed with any mere software update.
The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.
ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.
In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.
In short, for attackers, it's like an attempt to burglarize a house blindfolded.
But now a group of researchers, known as VUSec, from the Vrije University in the Netherlands have developed an attack that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others.
The attack, dubbed ASLR Cache or AnC, is particularly serious because it uses simple JavaScript code to identify the base addresses in memory where system and application components are executed.
So, merely visiting a malicious site can trigger the attack, which allows attackers to conduct more attacks targeting the same area of the memory to steal sensitive information stored in the PC's memory.
Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or application running on them, and the worse — the flaw can not be entirely fixed with any mere software update.
The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.
ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.
In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.
The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.
ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.
In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.
In short, for attackers, it's like an attempt to burglarize a house blindfolded.
But now a group of researchers, known as VUSec, from the Vrije University in the Netherlands have developed an attack that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others.
The attack, dubbed ASLR Cache or AnC, is particularly serious because it uses simple JavaScript code to identify the base addresses in memory where system and application components are executed.
So, merely visiting a malicious site can trigger the attack, which allows attackers to conduct more attacks targeting the same area of the memory to steal sensitive information stored in the PC's memory.
Here's How the attack works:
MMU, which is present in desktop, mobile and server chips and tasks to map where a computer stores programs in its memory, constantly checks a directory called a page table to keep track of those addresses.
Devices usually store the page table in the CPU’s cache which makes the chip speedier and more efficient. But this component also shares some of its cache with untrusted applications, including browsers.
The attack exploits the way microprocessors and memory interacts with each other.
Therefore, a piece of javascript code running on a malicious website can also write to that cache (side channel attack), allowing attackers to discover where software components, like libraries and RAM-mapped files, are located in virtual memory.
With these location data in hands, any attacker can read portions of the computer's memory, which they could then use to launch more complex exploits, escalate access to the complete operating system, and hijack a computer system.
The researchers successfully exploited AnC JavaScript attacks via up-to-date Chrome and Firefox web browsers on 22 different CPU micro-architectures in about 90 seconds, even despite ASLR protections built within those browsers, like broken JavaScript timers.
The VUSec research team have published two research papers [1, 2] detailing the AnC attack, along with two video demonstration showing the attack running in a Firefox browser on a 64-bit Linux machine.
In their attack, the researchers combined their AnC JavaScript with attack code that exploits a now-patched use-after-free vulnerability (CVE-2013-0753) in Firefox. Issues with AnC attacks are tracked through several CVE identifiers, including:
- CVE-2017-5925 for Intel processors
- CVE-2017-5926 for AMD processors
- CVE-2017-5927 for ARM processors
- CVE-2017-5928 for a timing issue affecting multiple browsers
VUSec team already notified all the affected chipmakers and software firms, including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google, and Mozilla, more than three months ago, but only now went public with their findings.
"The conclusion is that such caching behavior and strong address space randomization are mutually exclusive," the paper concludes. "Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical."
"Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as the first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."
According to the team, the only way you can protect yourself against AnC attacks is to enable plug-ins, such as NoScript for Firefox or ScriptSafe for Chrome, to block untrusted JavaScript code on web pages from running in the browser.
MMU, which is present in desktop, mobile and server chips and tasks to map where a computer stores programs in its memory, constantly checks a directory called a page table to keep track of those addresses.
Devices usually store the page table in the CPU’s cache which makes the chip speedier and more efficient. But this component also shares some of its cache with untrusted applications, including browsers.
Therefore, a piece of javascript code running on a malicious website can also write to that cache (side channel attack), allowing attackers to discover where software components, like libraries and RAM-mapped files, are located in virtual memory.
With these location data in hands, any attacker can read portions of the computer's memory, which they could then use to launch more complex exploits, escalate access to the complete operating system, and hijack a computer system.
The researchers successfully exploited AnC JavaScript attacks via up-to-date Chrome and Firefox web browsers on 22 different CPU micro-architectures in about 90 seconds, even despite ASLR protections built within those browsers, like broken JavaScript timers.
The VUSec research team have published two research papers [1, 2] detailing the AnC attack, along with two video demonstration showing the attack running in a Firefox browser on a 64-bit Linux machine.
In their attack, the researchers combined their AnC JavaScript with attack code that exploits a now-patched use-after-free vulnerability (CVE-2013-0753) in Firefox. Issues with AnC attacks are tracked through several CVE identifiers, including:
- CVE-2017-5925 for Intel processors
- CVE-2017-5926 for AMD processors
- CVE-2017-5927 for ARM processors
- CVE-2017-5928 for a timing issue affecting multiple browsers
"The conclusion is that such caching behavior and strong address space randomization are mutually exclusive," the paper concludes. "Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical."
"Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as the first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."According to the team, the only way you can protect yourself against AnC attacks is to enable plug-ins, such as NoScript for Firefox or ScriptSafe for Chrome, to block untrusted JavaScript code on web pages from running in the browser.
Comments