Attack Defeats Memory Protection on Pretty Much Everything

Mar. 6, 2017  |  By Joel Odom & Chris M. Roberts

Researchers from VU Amsterdam have demonstrated a timing attack that defeats a common security measure in modern computer architectures: address space layout randomization (ASLR). ASLR randomizes the memory layout of a running program so that flaws in its memory management are difficult to exploit. Unlike most attacks, which exploit a software or firmware vulnerability, the attack VU Amsterdam found exploits the physical hardware itself, affecting processors produced by technology giants such as Intel, Samsung, AMD, and Nvidia that currently sit inside millions of products. The attack, which the researchers call the “AnC attack,” exploits timing data leaked by the memory management unit (MMU) of every computer they tested. The flaw stems from the fundamental design of modern architectures and is exploitable from JavaScript running on untrusted web pages.

IISP Analyst Chris M. Roberts: “As stated in the article, these findings indicate that an entire class of exploits, which were deemed ineffective due to ASLR, must once again be treated as higher levels of threat. The problem lies in the fact that JavaScript code running on a website can write to that cache and monitor how quickly the memory management unit is working. ‘By monitoring the MMU very closely, the JavaScript can find out about its own addresses, which it’s not supposed to do,’ Gras of VUSec says. While software changes may be able to deter these types of attacks, they cannot be guaranteed to completely mitigate them. A full fix will ultimately require replacing hardware with new architectures that prevent this key information from being leaked out of the processor’s cache. Chip manufacturers are predictably downplaying the implications of these findings, and the role their processor architectures play in them. Manufacturing chipsets is prohibitively expensive, with years of research, testing, and fabrication required to produce a commercial-grade component, let alone one implementing what may be a radical architecture change. VUSec is an excellent example of how a well-designed system can still leak critical information through side-channels. While collecting data and making sense of that information is often challenging, once that process is defined and refined, execution is often reduced to relatively simple code which can be easily deployed; in this case, JavaScript running in a browser.”


IISP Analyst Joel Odom: “This story should be of interest to technical Source Port readers, but it also is a good example of why security is hard and how security fails in unexpected ways. When I shared this news with a colleague, he remarked, ‘[the attack] demonstrates how security is hard. Mitigations must be seriously contemplated to be effective, and even when they are, the complexity of microprocessors deceives our understanding.’ Exactly.”
