News has emerged of a worrying flaw in Intel’s processors which can be leveraged to bypass a major security feature that the majority of mainstream operating systems use (including Windows, macOS and Linux).
The security feature we’re talking about in this hardware-sabotages-software scenario is ASLR or Address Space Layout Randomisation, a memory protection measure that aims to defend against the likes of stack overflow attacks and other memory corruption nastiness.
Essentially, it aims to foil such exploits by randomising where pieces of code are placed in the address space, so an attacker can’t pin them down – and will probably cause a crash in any attempt to do so. And obviously a crash of the targeted application or OS is far preferable to having the system cracked open and left at the mercy of the attacker.
The bad news is that as Ars Technica reports, a professor in the Computing Science and Engineering department at the University of California at Riverside, Nael Abu-Ghazaleh, has worked with colleagues and found a way to bypass ASLR using an exploit in an Intel Haswell processor.
In a paper detailing their findings, the researchers wrote: “We demonstrated a successful attack on a system with Haswell CPU and a recent version of Linux kernel. We showed that our attack is robust and can bypass KASLR [Kernel Address Space Layout Randomisation] in a very short amount of time.”
The flaw itself is in the processor’s branch predictor, with the researchers leveraging a side-channel in the branch target buffer which allowed them to successfully pin down where sections of code would be loaded, nullifying ASLR’s randomisation.
There are other ways to bypass ASLR, but this one is particularly effective compared to alternatives, and thus more than mildly concerning. Intel has been alerted to the findings, and the company is apparently evaluating the research.
The good news is that according to the professor and his colleagues, there are several possible remedies on both the software and hardware fronts. We’ll just have to wait for further feedback from Intel to see what can be done in terms of keeping ASLR solid.