Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Flaw in Intel CPUs could allow to bypass ASLR defense

A flaw in Intel chips could be exploited to launch “Side channel” attack allowing attackers bypass protection mechanism known as ASLR. A vulnerability in the Intel’s Haswell CPUs can be exploited to bypass the anti-exploitation technology address space layout randomization (ASLR) that in implemented by all the principal operating systems. The ASLR is a security mechanism […]

Flaw in Intel CPUs could allow to bypass ASLR defense

A flaw in Intel chips could be exploited to launch “Side channel” attack allowing attackers bypass protection mechanism known as ASLR.

A vulnerability in the Intel’s Haswell CPUs can be exploited to bypass the anti-exploitation technology address space layout randomization (ASLR) that in implemented by all the principal operating systems.

The ASLR is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, it makes hard for attackers to find the memory location where to inject their malicious code.

The ASLR is particularly effective against stack and heap overflows and is able to prevent arbitrary code execution triggered by any other buffer overflow vulnerability.

Three three researchers from the State University of New York at Binghamton and the University of California in Riverside have devised a method to exploit the flaw. The technique was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.

The researchers exploited the branch target buffer (BTB) to leak ASLR addresses.

The BTB is a caching mechanism used by the CPU’s branch target predictor to optimize the performance, the trio has discovered a way to trigger BTB collisions between different user processes or processes and the kernel.

“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle.” states the paper published by the experts. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”

In order to create a BTB-based side-channel, it is necessary that three conditions are satisfied.

  1. One application has to fill a BTB entry by executing a branch instruction.
  2. The execution time of another application running on the same core must be affected by the state of the BTB. Thi happens when both applications use the same BTB entry.
  3. The second application must be able to detect the impact on its execution by performing time measurements.

“We call the BTB collisions created between two processes executing in the same protection domain (e.g. two user-level processes) as Same-Domain Collisions (SDC).” continues the paper.

ASLR intel-flaw

The researchers were able to successfully run the attack on a computer equipped with an Intel Haswell microarchitecture CPU and running a Linux kernel version 4.5.

The attackers were able to recover the kernel ASLR using BTB collisions in around 60 milliseconds.

The three researchers described software and hardware-based mitigations to avoid recovering of the that could prevent BTB-based side-channel attacks in the future or harden current ASLR implementations.

BTB side channel attacks are not a novelty, however, in order to bypass ASLR exploits often leverage on a second memory disclosure vulnerability present in the targeted OS or application. The method presented by the researcher is very interesting because attackers don’t need to exploit another flaw to carry on the attack.

Intel did not provide a comment to the attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ASLR, hacking)