WIRED reports a team of researchers based at the Free University of Amsterdam discovered the technique by exploiting low-level areas of processor architectures. The attack can be completed from a web browser, allowing hackers to bypass a critical security feature using a specially constructed webpage. This could be distributed via conventional phishing emails.
Memory Management Units
The exploit focuses on the Memory Management Units (MMU) inside processors. As chip architectures developed, manufacturers implemented mechanisms designed to stop attackers executing arbitrary code. One of the systems used is called ASLR, short for Address Space Layout Randomisation.
ASLR randomises where information is stored inside memory. The running program never gets to know where its data is being kept, preventing hackers from hijacking regions of RAM. Even if they successfully manage to execute code, it’s impossible to ascertain where exactly it’s running from. Unfortunately, the research team found it’s possible to side-step ASLR’s protections, taking us “back to the ’90s in terms of security.” When a program stores something in memory, the processor assigns it a random location and then stores the address in the MMU. This giant “address book” of memory locations is kept in the processor’s cache.
Measuring MMU performance
This is where the problems start. The cache isn’t exclusive to the MMU. It stores data that’s being frequently used by the CPU for quick reference, improving the chip’s efficiency. Programs can store information in the cache, placing data near to the MMU. More importantly, it’s possible to work out how fast the MMU is operating.
The researchers realised that a program could determine its memory addresses by overwhelming the processor cache. The attack script continually writes to the cache until it observes the speed of the memory access has been reduced.
When this occurs, it’s a sign that the data just deleted wasn’t part of the MMU’s “address book.” The MMU has to momentarily retrieve information from the system memory rather than the cache, incurring a performance delay.
Bypassing randomisation
By continually monitoring how long the MMU takes to respond, the attack code can begin to work out its own location in RAM. At this point, ASLR has been bypassed and the program can begin to gain control of memory.
The attack has been likened to an old fashioned stethoscope robbery. As listening to the cogs in a safe can reveal its code, watching for MMU slow-downs can hint at memory addresses.
When combined with other memory hijacking techniques, this style of attack could enable highly sophisticated exploits of target machines. The researchers warned that it could open the door to a new wave of hacks that weren’t previously feasible.
“Bugs are everywhere, but ASLR is a mitigation that makes bugs hard to exploit,” Ben Gras, one of the researchers who developed the technique,” said to WIRED. “This technique makes bugs that weren’t exploitable exploitable again.”
Significant implications
The technique can be used against processors manufactured by a range of companies, including Intel, AMD and Samsung. However, the industry has shown little interest in the problem, with Intel claiming it “doesn’t represent a significant change in the security” of its chips.
The CPU companies point out that another memory technique must also be used to gain control of the computer. However, failing to properly respond to this discovery could give rise to a new breed of online malware campaign, where malicious adverts can weave their way into system memory.
