Researchers have found a feature in the Intel Haswell CPUs that can be abused to reliably bypass a key security protection built into just about every major operating system.

According to a recent paper by three researchers from the State University of New York at Binghamton and the University of California, Riverside, the attack targets a specific security mechanism called ASLR, short for “address space layout randomization.”

ASLR is used by operating systems to randomize where in memory a program’s code, libraries, stack and heap are placed, so that an attacker who manages to hijack control flow does not know the addresses of the code they want to reuse or the data they want to corrupt. An exploit that guesses an address wrong usually just crashes the process rather than handing the attacker control. ASLR does not by itself stop injected shellcode (non-executable memory does that); its job is to make any address-dependent exploit unreliable.

However, a side channel in certain Intel processors that leaks this randomized layout removes the guesswork, and so can make memory-corruption attacks much more potent.

The researchers demonstrated the technique on a computer equipped with an Intel Haswell chip and running a recent version of Linux. They exploited the branch target buffer (BTB), a cache used by the CPU’s branch predictor to remember where recently executed branches jumped, to learn where the randomized kernel code had been placed: a user-space process can detect when one of its own branches collides in the BTB with a branch the kernel just executed, and which addresses collide depends on the kernel’s randomized location.

“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle,” the researchers explain in their paper. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”

The researchers report that their BTB-based side-channel attack reliably recovers the kernel’s ASLR layout, that is, the randomized base from which every kernel code address follows, in around 60 milliseconds.

The paper also proposes a number of hardware and software mitigations. Details of the attack are in the paper titled “Jump Over ASLR: Attacking the Branch Predictor to Bypass ASLR,” presented yesterday at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.