ASLR on the line: Practical cache attacks on the MMU

Speaker: brainsmoke
Duration: 44 min
Date: 2017-12-28
Release date: 2017-12-29
Fahrplan ID: 2134
Event: 34C3

Address Space Layout Randomization (ASLR) is fundamentally broken on modern hardware because of a side-channel attack on the memory management unit (MMU) that allows memory addresses to be leaked from JavaScript. This talk shows how.

Address space layout randomization (ASLR) has often been sold as an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing.

In this talk, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cache-based architectures, making ASLR and caching conflicting requirements (ASLR xor Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU's page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim's code and data by locating the cache lines that store the page-table entries used for address translation.

Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript implementation can break code and heap ASLR in two major browsers running on the latest Linux operating system with 28 bits of entropy in 150 seconds. We further verify that the AnC attack is applicable to every modern architecture that we tried, including Intel, ARM and AMD. Mitigating this attack without naively disabling caches is hard, since it targets the low-level operations of the MMU. We conclude that ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block.
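The abstract states the property AnC exploits: a page-table walk pulls the page-table pages for each level into the LLC, so finding the cache line that holds a page-table entry reveals bits of the virtual address. The following JavaScript is an added illustration, not code from the talk or from the AnC paper. It models the translation geometry the attack depends on (x86-64 4-level paging, 4 KiB pages, 8-byte page-table entries, 64-byte cache lines, all assumed here) and replaces the EVICT+TIME timing measurement with a constructed oracle that simply reports which cache line of each level's page-table page an access touched. The attacker side then shows how much entropy that observation buys: the line index alone gives 6 of the 9 index bits at every level, and sliding the access by one entry's worth of address space until the entry crosses into the next line recovers the remaining 3 bits. The sliding step is this example's way of recovering those bits, not a description of the talk's implementation, and a real attack additionally needs a usable timer and an eviction strategy, which this model omits.

```javascript
'use strict';

// Added example (not code from the talk or the AnC paper): a simulation of the
// address-translation geometry that AnC exploits. Assumes x86-64 4-level paging
// with 4 KiB pages, 8-byte page-table entries and 64-byte cache lines, and
// replaces the EVICT+TIME measurement with an oracle that reports which cache
// line of each page-table page an access touched.

const PAGE_SHIFT = 12n;                          // 4 KiB pages
const INDEX_BITS = 9n;                           // 512 PTEs per page-table page
const LEVELS = 4;                                // PT, PD, PDPT, PML4
const PTE_SIZE = 8n;
const LINE_SIZE = 64n;
const ENTRIES_PER_LINE = LINE_SIZE / PTE_SIZE;   // 8 PTEs share one line, 64 lines per table
const PAGE_MASK = ~((1n << PAGE_SHIFT) - 1n);

// Bit position of the level's 9-bit index within the virtual address.
function levelShift(level) {
  return PAGE_SHIFT + INDEX_BITS * BigInt(level);
}

// Index of the PTE used at `level` when translating `va`.
function tableIndex(va, level) {
  return (va >> levelShift(level)) & ((1n << INDEX_BITS) - 1n);
}

// Cache line (0..63) inside that level's page-table page holding the PTE.
// Knowing the line alone leaks the top 6 of the 9 index bits.
function pteCacheLine(va, level) {
  return tableIndex(va, level) / ENTRIES_PER_LINE;   // BigInt division floors
}

// Simulated victim side. In the real attack this answer comes from evicting a
// candidate LLC line, touching the target and timing the access; here the
// oracle computes it from the secret so the recovery logic can run offline.
function makeOracle(secretBase) {
  return function observe(offset) {
    const va = secretBase + offset;
    const touched = [];
    for (let level = 0; level < LEVELS; level++) touched.push(pteCacheLine(va, level));
    return touched;
  };
}

// Attacker side: derandomize bits 12..47 of the secret base using only the
// per-level cache-line observations. Per level, the line index yields 6 bits;
// sliding the access by one entry's span until the PTE crosses into the next
// line yields the remaining 3 bits (its position within the line).
function recoverBase(observe) {
  let recovered = 0n;
  for (let level = 0; level < LEVELS; level++) {
    const shift = levelShift(level);
    const line0 = observe(0n)[level];
    let steps = 0n;
    while (observe((steps + 1n) << shift)[level] === line0) {
      steps++;
      if (steps >= ENTRIES_PER_LINE) throw new Error('inconsistent oracle');
    }
    // After `steps` same-line increments, the PTE sat at position 7 - steps.
    const pos = ENTRIES_PER_LINE - 1n - steps;
    recovered |= (line0 * ENTRIES_PER_LINE + pos) << shift;
  }
  return recovered;
}

// Constructed demo with a made-up user-space base. The page offset is not part
// of what the page-table side channel reveals, so only bits 12..47 come back.
function demo() {
  const secret = 0x7f3a2c5e1234n;
  const recovered = recoverBase(makeOracle(secret));
  return { secret, recovered, match: recovered === (secret & PAGE_MASK) };
}

console.log(demo());
```

Run it with Node (BigInt requires Node 10.4 or later). The point to take from the model is the accounting: four levels times 9 index bits is the full 36 bits above the page offset, and the cache-line observation at each level hands the attacker 6 of them for free, with the rest recoverable by a handful of further accesses, which is why the abstract treats randomized virtual addresses as a lost cause in a sandbox that can time memory accesses.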
