SoylentNews

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

A group of researchers from the Systems and Network Security Group at VU Amsterdam have discovered a way to bypass address space layout randomization (ASLR) protections of major operating systems and browsers by exploiting a common feature of computer microprocessors.

By combining simple JavaScript code to target this feature with exploit code for browser or OS vulnerabilities, they were able to compromise vulnerable systems, as demonstrated in this video (on Linux and Firefox):

"The memory management unit (MMU) of modern processors uses the cache hierarchy of the processor in order to improve the performance of page table walks. Unfortunately, this cache hierarchy is also shared by untrustred applications, such as JavaScript code running in the browser," the researchers explained.

"Our attack relies on the interplay between the MMU and the caches during virtual to physical address translation—core hardware behavior that is central to efficient code execution on modern CPUs. We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. As a result, an attacker can derandomize virtual addresses of a victim's code and data by locating the cache lines that store the page-table entries used for address translation."

This knowledge allows attackers to successfully execute malicious payloads on the targeted system, instead of crashing it.

Ruh-Roh, Raggy...

Source: https://www.helpnetsecurity.com/2017/02/15/bypass-aslr-protection-javascript/.
Also at: https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/.

Original Submission