Jump over ASLR: Attacking branch predictors to bypass ASLR
- 1 October 2016
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
Address Space Layout Randomization (ASLR) is a widely-used technique that protects systems against a range of attacks. ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code. In this paper, we develop an attack to derive kernel and user-level ASLR offsets using a side-channel attack on the branch target buffer (BTB). Our attack exploits the observation that an adversary can create BTB collisions between the branch instructions of the attacker process and those of either the user-level victim process or the kernel executing on its behalf. These collisions, in turn, can impact the timing of the attacker's code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel. We demonstrate that our attack can reliably recover kernel ASLR in about 60 milliseconds when performed on a real Haswell processor running a recent version of Linux. Finally, we describe several possible protection mechanisms, both in software and in hardware.