A team of scientists from two US universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research.

ASLR is a security feature included with all major operating systems today, being part of Windows, Linux, macOS, iOS, and Android for many years.

The feature works by taking data objects that are sent to the CPU for processing and assigning them a random address space where they execute inside the computer's memory (RAM).

Because most "takeover" vulnerabilities rely on corrupting memory data via buffer overflows, an attacker must know how to craft his malicious exploit in order to trick the computer into executing malicious code. To do this, he has to know the address space where an application executes code inside the computer's memory. This can be determined quite easily by analyzing the app's source code.

This is where ASLR comes in, scrambling memory addresses and keeping an index. As such, if ASLR works properly, malware or exploit code executes in the wrong memory locations, leaving the computer unharmed.

Flaw resides in BTB component

In a paper released this week, a team of computer science experts says they've identified a problem with BTB, a cache system which keeps track of memory locations where previous data has been executed. CPUs use BTBs to speed up operations, and they work just like a browser cache speeds up commonly visited web pages.

Researchers say that BTB is vulnerable to collision attacks, a term used to describe attacks that bombard the BTB with random data until they find the same data already stored in the buffer.

This technique allows the researchers to recover data from the CPU's kernel that contains ASLR index tables, letting attackers know where a specific app's code executes so that they can fine-tune their exploits.

ASLR bypass attack takes only 60 milliseconds

"The described attack takes a very short time: only 60 milliseconds are needed to collect the required number of samples," the researchers explained in their paper.

A special software program is needed to run the attack, which they only tested on a Linux machine with an Intel Haswell CPU. Nevertheless, researchers say the same attack should be, in theory, successful against any other OS, and even KVMs (Kernel Virtual Machines), which are bare-bone operating systems deployed with cloud services and hosting providers.

The three researchers that worked on the paper proposed a series of hardware and software-based mitigations that can mitigate these types of attacks. The easiest solution is the software-based one that asks OS vendors to implement ASLR protections at the level of code functions and not data objects.

The research paper, titled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, has been authored by Dmitry Evtyushkin and Dmitry Ponomarev from the State University of New York at Binghamton, and Nael Abu-Ghazaleh from the University of California, Riverside.