Post

Breaking ASLR

Posted
By Filippo Visconti 2 min read

ASLR is fundamentally broken on modern processors. The MMU leaks virtual addresses when using CPU caches for fast lookups. This cannot be fixed in software.

AnC Attack

The ASLR^Cache (AnC) Attack

  • Page table walks performed by the MMU are cached in the LLC
  • An EVICT+TIME cache attack identifies the affected cache sets
  • The cache sets leak (some) information about the virtual address
  • Sliding identifies the page table entries, derandomizing ASLR
  • Timers and special allocations for AnC in JavaScript

The Last Level Cache (LLC)

On a recent Intel processor: 8192 cache sets, cacheline 64-byte.

Each 4KB page covers 64 distinct and non-overlapping cache sets. E.g.,accessing second cache lines of many pages, evicts all LLC sets that could map the second cacheline of any given page.

The LLC is inclusive of L1 and L2:

  • If a cache line is present in L1 or L2, it will be present in LCC
  • If a cache line is NOT present in the LLC, it won’t be in L1 or L2

Detecting Cache Lines of Page Table Pages

EVICT+TIME attack on cachelines of Page Table Pages Input: a memory area Output: Interesting cachelines

  1. Allocate a pool of pages to act as an eviction buffer
  2. Access the first page of the target buffer at offset O
    1. This brings the target and its page table pages in LLC
  3. Flush the TLB and (part of) the LCC
    1. Access all pages of the eviction buffer at offset L (̸= O)
  4. Time access to target buffer at O
    1. Is the access slower than when choosing another Lˆ?
    2. L hosts a page table cacheline

The Remaining Entropy

  • We know the cachelines hosting page table pages.
  • Each cacheline stores 8 page table entries.
  • We do not know which page table entry (3-bit × 4).
  • We do not know the page table level for each cacheline (4!).

Remaining Entropy = 12 bits + lg 4! = 16.5 bits

AnC’s Sliding Primitive

By moving inside the target buffer we force different translations

1) Buffer + a×4KB moves level1 page table entry by a slots 2) Buffer + b×2MB moves level2 page table entry by b slots 3) Buffer + c×1GB moves level3 page table entry by c slots 4) Buffer + d×512GB moves level4 page table entry by d slots -> Unique identifications of page table entries and page table levels

Conclusion

ASLR is no longer a good first line of defense. AnC attack breaks ASLR by side channeling the MMU. Mitigation is costly to implement in hardware.

hardware-security, lecture-notes
lecture-notes hardware-security AnC ASLR
This post is licensed under CC BY 4.0 by the author.