The researchers behind the discovery developed a bypass for Intel’s Address Space Layout Randomization (ASLR) technology on its Haswell series of processors. As Ars Technica reports, the flaw was demonstrated at the IEEE/ACM International Symposium on Microarchitecture in Taipei, Taiwan, on Tuesday.
ASLR is a processor-level defence against cyberattacks that attempt to install malware on a computer by exploiting operating system vulnerabilities. When you launch a program on a computer, it’s loaded into memory. Traditionally, programs were loaded sequentially, creating predictable patterns that attackers could use to identify running programs and extract data from them.
ASLR randomises the locations where code is stored in memory. This prevents malware from working out where data is stored as there is no apparent logic to the contents of any given memory chip. The effect of any successful exploit can be limited to a software crash, as opposed to control of the entire system.
The researchers discovered ASLR isn’t infallible though. A flaw in Intel’s processors makes it possible to bypass the technology. With ASLR effectively turned off, malware becomes much more powerful. Attacks that would usually be stopped by the technology can incur serious consequences. The malware that would usually cause a crash could cause a total system compromise.
The flaw was found in the CPU’s branch predictor, a system that speeds up memory operations by anticipating where soon-to-be-executed instructions are located. In more relatable terms, the branch predictor is able to realise that if a “folder” of addresses is accessed then the “files” within are likely to be retrieved in the near future. It stores references to these additional memory locations ahead of time, speeding up subsequent operations.
The researchers’ program is able to use the data stored in the branch predictor’s tables to determine the memory addresses where chunks of code are loaded. By causing collisions in the branch predictor that impact the timing of the attacking program, the malware can work out the locations of known branch instructions.
Once that information has been obtained, traditional memory modification techniques can be used to inject malicious code into the target program and compromise the system. This can be achieved in “about 60 milliseconds” on real Haswell processors running a recent version of Linux. The attack is also feasible on other operating systems.
The researchers said the flaw exemplifies the need for chip manufacturers to take security into account when developing new designs. With ASLR disabled, an attacker could gain control of a victim app or an entire computer. Intel has not publicly commented on the findings. The company told Ars Technica it is “investigating” the research paper though. It is not clear whether it will be able to publish a patch for the issue.
