Researchers circumvent security measure by attacking CPU


Researchers have presented a method to circumvent the security measure ASLR (address space layout randomization). They do this by attacking a CPU component with a side-channel attack. They successfully carried out the attack on an Intel Core i7 CPU of the Haswell generation.

The attack makes it possible to circumvent ASLR, the researchers write in their paper. ASLR is a security measure present in many operating systems, for example Windows, OS X and Linux. It is intended to make attacks on system memory, such as stack overflows, harder to carry out; such an attack allows an attacker to execute arbitrary code on a system. ASLR complicates this by placing the important components of a program at random locations in virtual memory, the researchers explain.

They write that their attack targets the branch target buffer, which is part of the branch predictor. The predictor is present in CPUs to gain speed by guessing which way a particular branch will go. The buffer stores the addresses of recently executed branch instructions and is shared between processes. By causing a collision in the buffer between a malicious user-level process and another user process, the researchers are able to infer where in memory those processes are executing code, which ASLR is meant to prevent.

The researchers successfully carried out the attack on an Intel Core i7-4800MQ quad-core processor in combination with Ubuntu 14.04. They do not clarify whether only Haswell processors are vulnerable to this method or whether other generations or CPUs from other manufacturers are also at risk. Ars Technica writes that an Intel spokesperson is investigating the paper. Attackers can use the new attack in combination with other malware to penetrate a system, the site said.

According to the researchers at the Universities of New York and California, software solutions to this problem are limited. A hardware solution would work better, for example by preventing collisions in the buffer that an attacker can exploit.
