34C3 - ASLR on the line

Practical cache attacks on the MMU

Address Space Layout Randomization (ASLR) is fundamentally broken on modern hardware due to a side-channel attack on the memory management unit (MMU), allowing memory addresses to be leaked from JavaScript. This talk will show how.

Address space layout randomization (ASLR) has often been sold as an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing.

In this talk, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cache-based architectures, making ASLR and caching conflicting requirements (ASLR xor Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU's page-table walks result in caching page-table pages in the shared last-level cache (LLC).

As a result, an attacker can derandomize virtual addresses of a victim's code and data by locating the cache lines that store the page-table entries used for address translation. Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript implementation can break code and heap ASLR in two major browsers running on the latest Linux operating system with 28 bits of entropy in 150 seconds. We further verify that the AnC attack is applicable to every modern architecture that we tried, including Intel, ARM and AMD. Mitigating this attack without naively disabling caches is hard, since it targets the low-level operations of the MMU. We conclude that ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block.
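As an added illustration of why locating the cache lines that hold page-table entries derandomizes an address (this is not code from the talk or from the AnC authors), the model below assumes x86-64 four-level paging with 4 KiB pages, 8-byte entries and 64-byte cache lines, and computes which virtual-address bits the cache-line position of each level's entry pins down; the sample address is constructed.

```python
# Added example, not from the talk or the AnC paper: a paging model showing
# which virtual-address (VA) bits are fixed by the cache line that holds each
# page-table entry. Assumed layout: x86-64 four-level paging, 4 KiB pages,
# 9-bit indexes, 8-byte entries, 64-byte cache lines.

PAGE_SHIFT = 12                  # 4 KiB pages
LEVELS = 4                       # PT, PD, PDPT, PML4 (walked here from PT up)
INDEX_BITS = 9                   # 512 entries per page-table page
ENTRIES_PER_LINE = 64 // 8       # 8 entries share one 64-byte cache line
IN_LINE_BITS = 3                 # index bits that only pick the slot in a line
LINE_BITS = INDEX_BITS - IN_LINE_BITS   # 6 index bits select the line


def walk_lines(va):
    """For each level (PT first) return the cache line (0..63) inside the
    page-table page that the MMU touches when translating va."""
    lines = []
    for level in range(LEVELS):
        shift = PAGE_SHIFT + level * INDEX_BITS
        index = (va >> shift) & ((1 << INDEX_BITS) - 1)
        lines.append(index // ENTRIES_PER_LINE)
    return lines


def known_bits_mask():
    """Mask of the VA bits that are fixed once all four line positions are
    known: 6 bits per level, 24 bits in total for this layout."""
    mask = 0
    for level in range(LEVELS):
        low = PAGE_SHIFT + level * INDEX_BITS + IN_LINE_BITS
        mask |= ((1 << LINE_BITS) - 1) << low
    return mask


def reconstruct(lines):
    """Inverse of walk_lines: the VA bits recoverable from line positions
    alone. Bits outside known_bits_mask() (page offset and the 3 in-line
    bits per level) are not determined by this model and stay 0."""
    va = 0
    for level, line in enumerate(lines):
        va |= line << (PAGE_SHIFT + level * INDEX_BITS + IN_LINE_BITS)
    return va


def residual_entropy(rand_lo, rand_hi):
    """Randomized bits in [rand_lo, rand_hi) that line positions leave open."""
    randomized = ((1 << (rand_hi - rand_lo)) - 1) << rand_lo
    return bin(randomized & ~known_bits_mask()).count("1")


if __name__ == "__main__":
    sample = 0x7F3A1C456000                       # constructed user-space VA
    print([hex(l) for l in walk_lines(sample)])   # lines touched per level
    print(hex(reconstruct(walk_lines(sample))))   # bits an observer can fix
```
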
