Report – “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR.”
Being a State University of New York at Binghamton alumnus, I’m quite proud and worried about a report that was recently published by researchers from the school and the University of California at Riverside. The researchers have devised a technique that can bypass important protections that are provided by ASLR. Through a side channel attack, the research showed that attackers could recover the kernel ASLR using BTB collisions in around 60 milliseconds. Big words. What they have shown is that based on how Intel uses its processor architecture, an attacker can neutralize the way ASLR works through a side channel attack. When you understand how ASLR, side channel and Intel processor architecture works, you’ll realize why this is such a beautiful exploit.
What Is ASLR?
ASLR (Address Space Layout Randomization) is an important defense in the fight against malware in applications and operating systems. What it does is takes pieces of the operating system, typically the kernel, and places them in the boot time at unpredictable locations. This is important because the bad guys realized that the kernel itself is executable so if they could find pieces of the kernel and stitch them together, then exploit code could be used to execute malware.
The good guys created ASLR to mitigate against this type of problem. By randomizing the locations in computer memory where software loads specific chunks of code, the bad guys couldn’t bring in their code and use a stitched kernel to run around the stack. The good guys randomized where the kernel chunks go so that blind exploit code would not know where to jump to get their work done. So, ASLR limits the damage of malware to a simple computer crash, rather than a catastrophic system compromise.
Side Channel Attacks
Much of security is designed to protect the main channel of communications through the trinity of protection modes: protecting data at rest (stored), in motion (messages), and in use (being computed or executed). However, side channel attacks are clever ways of observing the state of hardware such as power, radiation, or timing to obtain leaked information from something that you want to keep secret. For example, recently, WindTalker was a side channel attack where researchers guessed the six-digit password that volunteers entered into their phones nine out of 10 times, when given 100 guesses or fewer. The researches did this by deriving a password or PIN from WiFi interference caused by the user’s hand as it moves across the screen. These types of attacks are worrisome because manufacturers can’t protect against the bad guys hacking into a system based on collateral information.
Intel Processors
In the early 1990’s, Intel was on a torrid pace to keep up with processor speeds (see Moore’s Law). With this pressure to perform, Intel architecture became very complicated. To keep pace, Intel employed a process called pipelining which essentially lets different parts of the hardware on the processor carry out different functions needed to process an instruction at the same time. Although instructions are dependent on prior instructions, pipelining helped Intel grow in efficiency by carrying out instructions simultaneously without dependency on results of prior instructions.
One of the problems with pipelining is that sometimes instructions are dependent on previous instructions. If an instruction comes to a fork in the road, the decision could be made with absolute certainty if the previous instructions are completed. However, pipelining doesn’t always allow this. To help with instructions finding the most probabilistic way to move throughout the processor, Intel incorporated branch prediction tables down in the microarchitecture. Branch prediction would let the instruction know that taking one branch would probabilistically be better to complete the instruction than taking another branch. These tables would be deployed on a global scale for a company so that instructions that were specific to a company, team, or employee could be predicted for the processor to run quicker.
The Exploit
The researchers were able to successfully run the attack on a computer equipped with an Intel Haswell microarchitecture CPU and running a Linux kernel version 4.5 (it can also run on Windows and Mac OS). They inserted exploit code to bypass ASLR. The beauty in the exploit is that took advantage of the branch prediction table probabilities. The code would run through the process and learn which way the tables would tell it to go so that this would deobfuscate branch tables which would lead to deobfuscation of the ASLR in the kernel.
The researchers put the exploit code into the machine to learn the branch tables by probing how the exploit code moves around the processor. Through the use of sublet tests, the code indirectly probed the branch tables that are shared with the kernel. With knowledge of where the kernel is through these probes, the researchers were able to deobfuscate the ASLR and render it useless. Since ASLR would be used globally, the bad guys could execute malware on applications and operating systems anywhere the organization is using it!
Conclusion
The bad guys have found a clean way around ASLR and branch prediction tables that if left unfixed would render malware attacks prone or essentially neutralize the way ASLR works. This isn’t Intel’s fault, as old characteristics of technology are being used in modern attacks. However, the ASLR exploit goes to show that modern attacks are complex, incredibly subtle and that no single defense can be used in the ever-evolving security arms race. Intel will surely have to create a hardware enhancement but factors such as cost, complexity, and performance will have to be taken into account. Security is has always been about attacking and defending the main lines of communication through firewalls and other technologies. However, the ASLR exploit is a frightening explain of how the bad guys can bypass defenses in ways that were never contemplated when they were created.