A flaw in chip hardware might allow attackers to circumvent ALSR protection in operating systems and applications.
Running a recent version of Linux on top of a Haswell processor from Intel, researchers from the State University of New York at Binghamton were able to exploit a flaw in the part of the CPU known as the branch predictor.
ASLR is short for “address space layout randomization,” a security technique that changes the memory location used by software in operating systems and applications so that malware cannot deliberately write to those locations and leverage a vulnerability. Branch predictor is an application developed by the researchers at SUNY Binghamton that contains a “side channel” that discloses the memory locations. In other words the application can predict where specific chunks of code might be spawned if other software were loaded.
Nael Abu-Ghazaleh, a computer scientist at the University of California at Riverside told Ars Technica “ASLR is an important defense deployed by all commercial operating systems. It is often the only line of defense that prevents an attacker from exploiting any of a wide range of attacks (those that rely on knowing the memory layout of the victim). A weakness in the hardware that allows ASLR to be bypassed can open the door to many attacks that are stopped by ASLR. It also highlights the need for CPU designers to be aware of security as part of the design of new processors.”
There’s nothing to prevent attackers from creating their own branch predictor. According to Ars, the attacker’s own exploit could then use the disclosed memory location to ensure malicious payloads are successfully executed by a targeted computer, instead of being flushed without ever being run, as is normally the case when ASLR is active.