Five researchers from Vrije Universiteit Amsterdam in the Netherlands have put together an attack, delivered as ordinary JavaScript code, that breaks ASLR protection on at least 22 processor micro-architectures from vendors including Intel, AMD, ARM, Allwinner, and Nvidia.
The attack, christened ASLR⊕Cache, or AnC, targets the memory management unit (MMU), the CPU component that translates the virtual addresses programs use into physical addresses. To do so the MMU walks a multi-level page table, and the page-table entries it reads on the way are fetched through the same CPU caches that ordinary, untrusted code uses.
AnC attack targets the MMU's page-table walk
What the researchers discovered was that the MMU's page-table walk leaves traces in cache levels shared with untrusted applications, including browsers. A malicious web page therefore does not need to read the page tables: its JavaScript evicts cache lines, triggers a page-table walk by touching memory, and times the result to infer which cache lines of the page-table pages the MMU accessed.
"We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU," researchers said.
"For example, on the x86_64 architecture, our attack can find the offsets that are accessed by the MMU for each of the four page-table pages. The offset within each page breaks nine bits of entropy, so even a perfect ASLR implementation with 36 bits of entropy is not safe."
In layman's terms, this means an AnC attack can break ASLR: it does not read memory contents directly, but it tells the attacker where code and data objects sit in the process's virtual address space. That knowledge is the missing ingredient for turning a separate memory-corruption bug into a reliable exploit, which can then be chained with further bugs to escalate access to the rest of the OS.
ASLR is a memory protection mechanism deployed by all major operating systems. It randomizes the base addresses of a process's code, libraries, stack, and heap so that an attacker who has found a memory-corruption bug cannot predict which address to target. By breaking ASLR, an attacker learns those addresses and can prepare an exploit that aims at exactly the right region of memory, which would otherwise fail or crash the program.
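The entropy arithmetic in the quoted passage is easy to check with a model of the x86_64 four-level page-table walk. The following JavaScript is an added example, not the researchers' code: it splits a 48-bit virtual address into the four 9-bit page-table indices, computes which 64-byte cache line of each page-table page the MMU touches (the quantity an EVICT+TIME probe reveals, 6 of the 9 bits per level), and then recovers the remaining 3 bits per level by sliding the probe address forward in units of that level's coverage until the observed cache line changes. The `walkCacheLines` oracle merely simulates the leakage instead of timing real cache accesses, the sample address is constructed, and the sliding step for the upper levels assumes the oracle can be queried at arbitrary addresses, which a real attack has to arrange with large allocations.

```javascript
// Model of what the AnC page-table side channel learns on x86_64.
// Added example; the oracle simulates cache-line leakage, it does not measure it.

const LEVELS = 4;           // PT, PD, PDPT, PML4 (lowest level first)
const INDEX_BITS = 9n;      // 512 entries per page-table page
const ENTRY_SIZE = 8n;      // each page-table entry is 8 bytes
const LINE_SIZE = 64n;      // 64-byte cache line, so 8 entries per line
const PAGE_SHIFT = 12n;     // 4 KiB pages

// Bit position of each level's 9-bit index: 12, 21, 30, 39.
function levelShift(level) {
  return PAGE_SHIFT + INDEX_BITS * BigInt(level);
}

// The four page-table indices a virtual address selects during the walk.
function pageTableIndices(addr) {
  const mask = (1n << INDEX_BITS) - 1n;
  const out = [];
  for (let l = 0; l < LEVELS; l++) out.push((addr >> levelShift(l)) & mask);
  return out;
}

// Cache line (0..63) within each page-table page that the MMU fetches.
// This is what an EVICT+TIME probe on the page-table pages reveals directly:
// 6 of the 9 index bits per level.  It plays the role of the oracle below.
function walkCacheLines(addr) {
  return pageTableIndices(addr).map(i => (i * ENTRY_SIZE) / LINE_SIZE);
}

// Recover all 9 index bits per level using only the cache-line oracle.
// An entry's position inside its 64-byte line (the low 3 bits of the index)
// is found by stepping the probe address forward by the level's coverage
// (4 KiB, 2 MiB, 1 GiB, 512 GiB): the observed line changes after exactly
// (8 - low3) steps.  Carries into the next level are ignored by this model.
function recoverIndices(oracle, addr) {
  const lines = oracle(addr);
  const recovered = [];
  for (let l = 0; l < LEVELS; l++) {
    const step = 1n << levelShift(l);
    let k = 1n;
    while (oracle(addr + k * step)[l] === lines[l]) k++;
    const low3 = (8n - k) & 7n;
    recovered.push((lines[l] << 3n) | low3);
  }
  return recovered;
}

// Put the recovered indices back together with the (known) offset within the
// page; the 36 randomized bits of a 48-bit user address are now all known.
function reassembleAddress(indices, pageOffset) {
  let addr = pageOffset & ((1n << PAGE_SHIFT) - 1n);
  indices.forEach((i, l) => { addr |= i << levelShift(l); });
  return addr;
}

// Constructed sample: a plausible user-space heap address, not a measured one.
const SAMPLE_ADDR = 0x00007f3a1c2d5e78n;

function demo() {
  const leaked = walkCacheLines(SAMPLE_ADDR);
  const indices = recoverIndices(walkCacheLines, SAMPLE_ADDR);
  const rebuilt = reassembleAddress(indices, SAMPLE_ADDR);
  return { leaked, indices, rebuilt, match: rebuilt === SAMPLE_ADDR };
}

console.log(demo());
```

The point of the model is the bookkeeping in the quote: one cache line narrows each 9-bit index to 6 bits, and at most eight extra probes per level close the gap, so 36 bits of ASLR entropy collapse to a handful of timed accesses. What the model leaves out is everything that makes the real attack hard: finding the page-table cache lines among all the other lines, the noise in the timing measurements, and the size of the buffers needed to step at the upper levels.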
AnC attacks work via Chrome and Firefox on 22 CPU micro-architectures
The researchers said they successfully tested AnC JavaScript attacks in Chrome and Firefox on 22 different CPU micro-architectures, despite protections built into those browsers such as deliberately coarsened JavaScript timers, which were meant to deny scripts the timing precision that cache attacks need.
Even worse, the researchers say AnC can be used to revive cache attacks that earlier browser mitigations had blocked, reopening years-old issues that vendors believed they had dealt with.
According to the researchers, the only way users can protect themselves against AnC attacks is to stop untrusted JavaScript from running in the browser at all, for example with an extension such as NoScript.
Issues with AnC attacks are tracked under several CVE identifiers:
- CVE-2017-5925 is assigned to track the developments for Intel processors
- CVE-2017-5926 is assigned to track the developments for AMD processors
- CVE-2017-5927 is assigned to track the developments for ARM processors
- CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers
Below are the CPU models and micro-architectures the researchers tested and found vulnerable to AnC attacks. More micro-architectures could be vulnerable as well, as not all were tested.

| CPU Model | Microarchitecture | Year |
| --- | --- | --- |
| Intel Xeon E3-1240 v5 | Skylake | 2015 |
| Intel Core i7-6700K | Skylake | 2015 |
| Intel Celeron N2840 | Silvermont | 2014 |
| Intel Xeon E5-2658 v2 | Ivy Bridge EP | 2013 |
| Intel Atom C2750 | Silvermont | 2013 |
| Intel Core i7-4500U | Haswell | 2013 |
| Intel Core i7-3632QM | Ivy Bridge | 2012 |
| Intel Core i7-2620QM | Sandy Bridge | 2011 |
| Intel Core i5 M480 | Westmere | 2010 |
| Intel Core i7 920 | Nehalem | 2008 |
| AMD FX-8350 8-Core | Piledriver | 2012 |
| AMD FX-8320 8-Core | Piledriver | 2012 |
| AMD FX-8120 8-Core | Bulldozer | 2011 |
| AMD Athlon II 640 X4 | K10 | 2010 |
| AMD E-350 | Bobcat | 2010 |
| AMD Phenom 9550 4-Core | K10 | 2008 |
| Allwinner A64 | ARM Cortex A53 | 2016 |
| Samsung Exynos 5800 | ARM Cortex A15 | 2014 |
| Samsung Exynos 5800 | ARM Cortex A7 | 2014 |
| Nvidia Tegra K1 CD580M-A1 | ARM Cortex A15 | 2014 |
| Nvidia Tegra K1 CD570M-A1 | ARM Cortex A15; LPAE | 2014 |
Research team includes experts in RAM attacks
This is the same research team that in past years has experimented with several variants of the Rowhammer attack, using it to compromise PCs through Microsoft Edge, attack Linux virtual machines running on cloud servers, and root Android devices.
Rowhammer works by repeatedly accessing the same row of DRAM cells at high speed; the electrical disturbance this causes leaks charge from cells in neighbouring rows until some of their bits flip. The technique is complex, but because the flips land in memory the attacker does not own, Rowhammer can be used to modify data belonging to other processes, other virtual machines, or the kernel.
Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos showing the attack in action.