
posted by janrinok on Friday October 21 2016, @04:58AM
from the that-wasn't-the-plan dept.

A novel approach has found a way to take information leaked by recent Intel processors and use it to bypass Address Space Layout Randomization (ASLR). A story at Ars Technica reports on research that allows attackers to bypass ASLR:

Researchers have devised a technique that bypasses a key security protection built into just about every operating system. If left unfixed, this could make malware attacks much more potent.

[...] Abu-Ghazaleh and two colleagues from the State University of New York at Binghamton demonstrated the technique on a computer running a recent version of Linux on top of a Haswell processor from Intel. By exploiting a flaw in the part of the CPU known as the branch predictor, a small application developed by the researchers was able to identify the memory locations where specific chunks of code spawned by other software would be loaded. In computer security parlance, the branch predictor contains a "side channel" that discloses the memory locations.

[...] A table in the predictor called the "branch target buffer" stores certain locations known as branch addresses. Modern CPUs rely on the branch predictor to speed up operations by anticipating the addresses where soon-to-be-executed instructions are located. They speculate whether a branch is taken or not and, if taken, what address it goes to. The buffers store addresses from previous branches to facilitate the prediction. The new technique exploits collisions in the branch target buffer table to figure out the addresses where specific code chunks are located.

[...] On Tuesday, the researchers presented the bypass at the IEEE/ACM International Symposium on Microarchitecture in Taipei, Taiwan. Their accompanying paper, titled "Jump Over ASLR: Attacking the Branch Predictor to Bypass ASLR" [PDF], proposes several hardware and software approaches for mitigating attacks.

It seems to me that any technique that conditionally provides improved execution speed can potentially become subject to a side-channel attack. If so, is the ultimate solution one where each instruction is restricted to running no faster than in its worst case? Or that every instruction takes a fixed number of clock ticks? What about higher-level software routines that take different amounts of time dependent on their inputs? Is there a general solution to this class of side-channel leakage or are we stuck with a perpetual game of cat-and-mouse?

Also at: https://www.helpnetsecurity.com/2016/10/19/bypass-aslr-flaw-intel-chip/
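The submitter's last question, about software routines whose running time depends on their inputs, is the one part of this class of leakage that a programmer can address directly. The following is an added illustration (not code from the paper or the Ars article): a tag comparison that exits at the first mismatching byte leaks, through timing and through the data-dependent branches it feeds to the predictor, how many leading bytes were correct; the constant-time version does identical work and takes identical branches for every input. The tag values are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define TAG_LEN 16

/* Variable-time compare: returns 1 if equal, 0 otherwise.
 * The early return is a branch whose outcome depends on secret data, so
 * both the elapsed time and the branch history depend on the input. */
int leaky_tag_equal(const uint8_t *a, const uint8_t *b)
{
    for (size_t i = 0; i < TAG_LEN; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time compare: OR every byte difference together, then derive
 * the result arithmetically. No branch or memory access depends on the
 * data, so every input takes the same path and the same time. */
int ct_tag_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* (diff - 1) has its top bit set only when diff == 0 */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Average nanoseconds per call of cmp(a, b) over iters iterations. */
static double time_ns(int (*cmp)(const uint8_t *, const uint8_t *),
                      const uint8_t *a, const uint8_t *b, long iters)
{
    struct timespec t0, t1;
    volatile int sink = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < iters; i++)
        sink += cmp(a, b);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return ((t1.tv_sec - t0.tv_sec) * 1e9 + (t1.tv_nsec - t0.tv_nsec)) / iters;
}

int main(void)
{
    /* Constructed sample tag plus two wrong guesses: one wrong in byte 0,
     * one wrong only in byte 15. The leaky compare treats them differently. */
    uint8_t good[TAG_LEN] = {0x9f,0x3c,0x11,0xe2,0x74,0x08,0xab,0x5d,
                             0xc0,0x66,0x2e,0x91,0x37,0xfa,0x4b,0x1d};
    uint8_t early[TAG_LEN], late[TAG_LEN];
    memcpy(early, good, TAG_LEN); early[0] ^= 1;
    memcpy(late, good, TAG_LEN);  late[TAG_LEN - 1] ^= 1;
    long n = 2000000;
    printf("leaky: mismatch@0 %.2f ns, mismatch@15 %.2f ns\n",
           time_ns(leaky_tag_equal, good, early, n),
           time_ns(leaky_tag_equal, good, late, n));
    printf("ct:    mismatch@0 %.2f ns, mismatch@15 %.2f ns\n",
           time_ns(ct_tag_equal, good, early, n),
           time_ns(ct_tag_equal, good, late, n));
    return 0;
}
```

The timing gap for the leaky version depends on the compiler and CPU, so compile without aggressive optimisation to see it clearly; the constant-time version's two figures should be indistinguishable.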

  • (Score: 3, Interesting) by FatPhil on Friday October 21 2016, @07:16AM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday October 21 2016, @07:16AM (#417142) Homepage
    He's crediting Aciicmez in 2007 for what was done by Bernstein in 2005. An apparent complete lack of mention of DJB seems bizarre, given how important his work was in the field. Perhaps they've met him and didn't get on! (Aciicmez, however, makes reference to the prior side-channel attacks by DJB correctly.)
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by TheRaven on Friday October 21 2016, @11:27AM

    by TheRaven (270) on Friday October 21 2016, @11:27AM (#417191) Journal
    This is why I gave up reading Ars when Hannibal left. He's also mischaracterising a side channel as a 'flaw'. This is not something specific to Haswell (that's just where the PoC was done), it's an attribute of any branch predictor: you can induce aliasing, you can use it to probe. It's no different from cache-related side channels: everything that you do to increase performance in a way that's invisible to the program is likely to expose some of the detail that it's hiding via timing information.
    --
    sudo mod me up