Researchers Find Dangerous Intel Chip Flaw


Researchers claim to have found a way to bypass a widely used defence against malware that gets installed by exploiting operating system or application vulnerabilities.

Address space layout randomization (ASLR) defends against a range of memory-corruption attacks by randomizing where code and data (the program, its libraries, the stack and heap, and on modern systems the kernel itself) are placed in memory, so that an exploit cannot rely on knowing the address of the code it wants to jump to.

Now, in their paper, Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, researchers at the State University of New York at Binghamton and the University of California, Riverside describe a newly discovered weakness in Intel chips which allows them to bypass ASLR.

The researchers mounted a so-called 'side channel' attack on the branch target buffer (BTB) of a Haswell chip. The BTB is part of the CPU's branch predictor: it caches the destinations of recently taken branches, indexed by a subset of the branch instruction's virtual address bits, and the same table is shared between user code and the kernel.

Because a branch in the attacker's own code that maps to the same BTB entry as a kernel branch is mispredicted (and therefore runs measurably slower) once the kernel has executed, the attacker can test candidate addresses until the collision appears. That reveals where specific pieces of kernel code are located, effectively undermining ASLR.
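The prime, trigger, re-time loop described above, as an added toy model rather than the researchers' code: the BTB geometry (a direct-mapped table keyed only by the low 30 address bits), the 2 MiB / 1 GiB KASLR layout, the kernel and user base addresses, the branch offset and the cycle costs are all assumptions chosen to make the inference step visible, not Haswell's real predictor hash. The attacker sweeps every possible kernel slide, places a user-space branch whose index bits alias the candidate kernel branch, lets the "kernel" run, and keeps the one slide whose probe mispredicts on every trial.

```python
"""Toy model of the BTB-collision channel used to recover a randomised
kernel base. Constructed example; geometry and timings are assumptions."""
import random

INDEX_BITS = 30                      # assumed: index from the low 30 address bits
INDEX_MASK = (1 << INDEX_BITS) - 1
KASLR_ALIGN = 1 << 21                # assumed: kernel slid at 2 MiB granularity
KASLR_WINDOW = 1 << 30               # assumed: 1 GiB window -> 512 candidate bases
KERNEL_TEXT = 0xFFFFFFFF80000000     # assumed unslid kernel text (low 30 bits are 0)
USER_TEXT = 0x10_0000_0000           # assumed attacker region; low 30 bits are free
MISPREDICT_CYCLES = 20               # assumed latency of a mispredicted branch
PREDICTED_CYCLES = 2                 # assumed latency of a correctly predicted one


class ToyBtb:
    """Direct-mapped predictor keyed only by the index bits: two branches whose
    low 30 address bits agree share one entry, whatever privilege level ran them."""

    def __init__(self):
        self.entries = {}            # index -> last observed target

    def execute(self, src, target):
        """Run one taken branch; return True if the BTB predicted a wrong target."""
        idx = src & INDEX_MASK
        mispredicted = idx in self.entries and self.entries[idx] != target
        self.entries[idx] = target   # the predictor learns the observed target
        return mispredicted


def timed_branch(btb, src, target, rng):
    """Latency the attacker can observe for one branch, with a little jitter."""
    cost = MISPREDICT_CYCLES if btb.execute(src, target) else PREDICTED_CYCLES
    return cost + rng.randint(0, 3)


def kernel_runs(btb, true_base, branch_offset, rng, noise_branches=8):
    """Victim: a syscall path executes the target branch plus unrelated ones."""
    src = true_base + branch_offset
    btb.execute(src, src + 0x40)
    for _ in range(noise_branches):
        other = true_base + rng.randrange(0, 1 << 24)
        btb.execute(other, other + 0x10)


def recover_kaslr_base(true_base, branch_offset, rng, trials=5):
    """Attacker: alias each candidate kernel branch from user space, prime the
    entry, let the kernel run, re-time. Only the true slide collides every trial
    (the minimum over trials filters jitter and chance evictions)."""
    btb = ToyBtb()
    threshold = (MISPREDICT_CYCLES + PREDICTED_CYCLES) // 2
    hits = []
    for slide in range(0, KASLR_WINDOW, KASLR_ALIGN):
        candidate = KERNEL_TEXT + slide + branch_offset
        probe = (USER_TEXT & ~INDEX_MASK) | (candidate & INDEX_MASK)
        probe_target = probe + 0x20
        best = None
        for _ in range(trials):
            btb.execute(probe, probe_target)                 # prime our entry
            kernel_runs(btb, true_base, branch_offset, rng)  # victim overwrites on collision
            t = timed_branch(btb, probe, probe_target, rng)  # slow => aliased entry
            best = t if best is None else min(best, t)
        if best > threshold:
            hits.append(KERNEL_TEXT + slide)
    return hits[0] if len(hits) == 1 else None


def demo(seed=1):
    """Pick a random slide, run the attack, return (true base, recovered base)."""
    rng = random.Random(seed)
    slide = rng.randrange(0, KASLR_WINDOW, KASLR_ALIGN)
    true_base = KERNEL_TEXT + slide
    branch_offset = 0x1234A0     # assumed image offset of a syscall-path branch
    return true_base, recover_kaslr_base(true_base, branch_offset, rng)


if __name__ == "__main__":
    base, found = demo()
    print(f"true base 0x{base:x}, recovered {'none' if found is None else hex(found)}")
```

The attacker never needs the kernel's secret: it only needs the unslid image layout (to know the branch offset) and the ability to run code at chosen user addresses, which is why the sweep is only 512 candidates rather than the full 30-bit index space. On real hardware the timing oracle is noisier and the index hash is more involved, but the structure of the inference is the same.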

This could make a range of cyber-attacks far more effective – across Windows, Linux, OS X, Android and iOS – and highlights the need for chip designers to double down on security, according to commentators.

Alfredo Pironti, managing consultant at ethical hacking firm IOActive, claimed hardware side-channel attacks have been on the radar for a while.

“It is worth noting that these attacks are often more expensive and time consuming to conduct, compared to classical software attacks. Usually they also have stricter conditions, such as running specific software on the victim’s machine and being able to collect CPU metrics,” he added.

“However, this doesn’t mean that we shouldn’t be vigilant. Cyber-criminals are more sophisticated, better funded and – worst of all – more patient than ever before, and are always looking for new and surprising ways to infiltrate. This is why it is vital that companies have their chips pen tested during the development stage, as the cost and complexity of remediating an attack of this kind is enormous.”

The researchers report recovering the kernel's randomized base address (kernel ASLR) in about 60 milliseconds, targeting a system with a Haswell CPU and a 'recent' Linux kernel, from code running as an ordinary local user. Defeating ASLR does not by itself give an attacker code execution: it removes one obstacle, and a separate memory-corruption bug in the kernel or application is still needed to make use of the recovered addresses.
