ASLR cracked: this may be the hardest large-scale vulnerability to fix

Posted by fierce at 2020-03-05

For the past decade, attackers breaking into computers have faced a hard problem: even with malicious code running on the target machine, they still have to find out where that code, and the rest of the program, sits in memory. Windows, Android and every other modern operating system randomize the memory layout of each process (the stack, the heap, the program image and its libraries), which turns exploitation into something like burgling a house in complete darkness.

But now a group of Dutch researchers has found a technique that defeats address space layout randomization (ASLR), handing attackers a map of where they are inside an unfamiliar machine. That means an ordinary memory-corruption bug in an application can once again be turned into deeper control of the target PC or smartphone. And because the attack exploits hardware rather than software, millions of devices are exposed regardless of which operating system they run. It is naive to expect a software update alone to close this hole completely.

Return to ASLR

"Vulnerabilities are everywhere, but ASLR makes them hard to exploit," said Ben Gras, a researcher at Vrije Universiteit Amsterdam who developed the attack together with his colleague Kaveh Razavi. "This attack technique makes those unexploitable vulnerabilities exploitable again. In a sense, it has thrown us all back to the '90s, when we were all insecure."

Their attack is a big deal in part because it can be carried out purely in JavaScript, which means that simply visiting a malicious website can trigger it. The research group, VUSec, released a video showing the attack running in Firefox. "No one has ever done this on a web page," said Jos O'Ring, a security expert on microarchitectural attacks. "It's a very subtle and cunning instance of this kind of attack."

The attack is as hard to fix as it is easy to deploy. VUSec's technique exploits the most basic layer of computer hardware: the microprocessors made by companies such as Intel, AMD, Nvidia and Samsung. Making ASLR work again is not something a quick operating-system or browser update can do; it would take redesigning and replacing those chips.

Cracking the safe

The attack exploits the interaction between the processor and memory. The processor contains a component called the memory management unit (MMU), which translates the virtual addresses a program uses into the physical locations where its code and data actually live. To do that translation, the MMU repeatedly consults a lookup structure called the page table.

The key to the VUSec attack is that the processor normally keeps page-table entries in the same processor cache as ordinary data: a small, fast memory that keeps the most frequently used information close to the compute cores. Sharing the cache this way makes the chip faster and more efficient.

But malicious JavaScript running on a web page can also write into that cache, and, crucially, it can measure how fast the MMU is working while it does so. "By closely monitoring the MMU, the JavaScript code can find its own address, which is not a good thing for code to be able to do," Gras said.

The VUSec attack turns the MMU's speed into a signal. The attack code overwrites the cache one region at a time until it sees the MMU slow down. That slowdown is the tell: the region just overwritten held part of a page table, and the MMU is slower because it now has to go back out to ordinary RAM to fetch the page-table entry instead of reading it straight from the processor cache.

The MMU needs four separate page-table lookups, one per level of the page-table hierarchy, to find the physical address of any given piece of code. The attack therefore repeats the sweep four times, locating the four cache positions that hold the relevant page-table entries and recording, each time, where the MMU slowed down. Which cache position each entry occupies is determined by bits of the virtual address being translated, so the pattern of slowdowns becomes a read-out of the very address that ASLR was supposed to hide.
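The arithmetic behind those four lookups is simple enough to model. The following JavaScript is an added example written for this page; it is not VUSec's code and not from the article. It assumes details the article does not spell out: x86-64 four-level paging with 4 KiB pages, 8-byte page-table entries (512 per table page), 64-byte cache lines, and a timing probe that can tell a cached page-table line from an evicted one (here stood in for by the `observeLine` oracle). Given those assumptions it shows which cache lines the four page-walk lookups for an address touch, models the "evict one position at a time until the MMU slows down" probe, and then recovers every randomised address bit from 47 down to 12 using only line observations plus a sliding trick for the three bits a line cannot reveal.

```javascript
// Added example, not VUSec's code. Models the AnC page-walk side channel.
// Assumed (not from the article): x86-64 four-level paging, 4 KiB pages,
// 8-byte page-table entries, 64-byte cache lines, and a probe that can
// distinguish a cached page-table line from an evicted one.

const PAGE_SHIFT = 12n;       // 4 KiB pages: bits 11..0 are the page offset
const LEVEL_BITS = 9n;        // 512 entries per table page -> 9 index bits
const LINE_BITS  = 3n;        // 8 entries of 8 bytes share one 64-byte line
const LEVELS     = 4;
const LINES_PER_TABLE = 64;   // 4096 / 64
const ADDR_MASK = ((1n << 36n) - 1n) << PAGE_SHIFT;  // bits 47..12

// Address bits consumed by each level, top-down:
// level 0 (PML4) 47..39, level 1 (PDPT) 38..30, level 2 (PD) 29..21, level 3 (PT) 20..12.
function levelShift(level) {
  return PAGE_SHIFT + LEVEL_BITS * BigInt(LEVELS - 1 - level);
}

// The four lookups the MMU performs for `vaddr` (a BigInt): the table index at
// each level and which 64-byte line of that table page holds the entry.
function pageWalk(vaddr) {
  return Array.from({ length: LEVELS }, (_, level) => {
    const index = (vaddr >> levelShift(level)) & ((1n << LEVEL_BITS) - 1n);
    return { level, index: Number(index), line: Number(index >> LINE_BITS) };
  });
}

// Modelled version of the article's probe: evict one line position at a time,
// then time an access through `vaddr`. The walk is slow exactly when the
// evicted position held one of its page-table entries. Returns the positions
// at which the modelled MMU slowed down.
function probe(vaddr, hitCycles = 100, missPenalty = 300) {
  const touched = new Set(pageWalk(vaddr).map(e => e.line));
  const slow = [];
  for (let line = 0; line < LINES_PER_TABLE; line++) {
    const latency = hitCycles + (touched.has(line) ? missPenalty : 0);
    if (latency > hitCycles) slow.push(line);
  }
  return slow;
}

// What the attacker learns per level once slowdowns are attributed to levels:
// the line, i.e. the top 6 of the 9 index bits. The 3 low bits (the entry's
// position within its line) are invisible to a cache-line-granular probe.
function observeLine(vaddr, level) {
  return pageWalk(vaddr)[level].line;
}

// Recover the 3 hidden bits with a slide: probe vaddr + k * (one entry's worth
// of address space at this level) for k = 1..8 and count the steps until the
// observed line changes. A change after k steps means the original entry sat
// at position 8 - k within its line.
function slideLowBits(vaddr, level, observe = observeLine) {
  const stride = 1n << levelShift(level);
  const base = observe(vaddr, level);
  for (let k = 1n; k <= 8n; k++) {
    if (observe(vaddr + k * stride, level) !== base) return 8n - k;
  }
  throw new Error("line never changed; probe model is broken");
}

// Line observation plus slide at each of the four levels yields every address
// bit from 47 down to 12, which is exactly what ASLR randomises.
function recoverAddress(vaddr, observe = observeLine) {
  let recovered = 0n;
  for (let level = 0; level < LEVELS; level++) {
    const line = BigInt(observe(vaddr, level));
    const index = (line << LINE_BITS) | slideLowBits(vaddr, level, observe);
    recovered |= index << levelShift(level);
  }
  return recovered;
}

// Constructed sample: a made-up user-space address of the kind ASLR picks.
const SECRET = 0x7f3a1c5e2b40n;

function demo() {
  return {
    walk: pageWalk(SECRET),                            // indices 254, 232, 226, 482
    slowLines: probe(SECRET),                          // [28, 29, 31, 60]
    recovered: recoverAddress(SECRET).toString(16),    // "7f3a1c5e2000"
    matches: recoverAddress(SECRET) === (SECRET & ADDR_MASK),
  };
}

console.log(demo());
```

The model is deliberately noise-free: `observeLine` hands the attacker a clean answer per level, whereas the real attack has to attribute slowdowns to the right level, repeat measurements to average out cache noise, and do all of it with whatever timer resolution the browser exposes. That last dependency is why the timer-precision reductions discussed later on this page matter: the arithmetic above is trivial once the measurement works, so the measurement is the part a browser can still make harder.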

Part of the attack resembles the old-fashioned way of cracking a safe: press a stethoscope to the door, turn the dial slowly and listen for the clicks. Here the cache is the mechanism giving off those tell-tale clicks, and an attacker who can interpret them can open the door and walk right in.

A big hole that is hard to fix

VUSec reported its findings to the Dutch National Cyber Security Centre, which three months ago contacted all of the affected chip makers and software companies, including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google and Mozilla. The researchers gave those companies the standard window to address the problem before making their findings public now. They do not intend to release any source code for the attack, but they warn that highly skilled attackers could reconstruct the technique from what has already been published within weeks.

In the meantime, Gras offers some stopgap advice. Users can install browser plug-ins such as NoScript for Firefox or ScriptSafe for Chrome to block JavaScript on web pages. Browser makers can also reduce the precision of the timers exposed to scripts, so that a script can no longer measure the MMU's speed accurately enough to read the signal.

At least one company has begun mitigating the threat. Apple released a software update intended to harden Safari, though it did not say exactly what the update changed. An Apple spokesperson said the company also distributed an action plan to other affected vendors, such as the suppliers of the chips Apple uses.

A complete fix will ultimately require new hardware, not software: chips built on an architecture in which the page table is kept apart from the processor cache that the MMU currently shares with everything else. "Because the vulnerability is so low-level, the software layers above it can make it harder to exploit, but they can't make the vulnerability disappear," Gras said.

Intel, Microsoft and Mozilla have played down the finding. "We are sure this is not a security issue," Microsoft said in a statement to Wired, and Intel said the research "does not represent a significant change in the security of Intel Architecture systems." Spokespeople for all three companies pointed out that the attack is a threat only when combined with another bug, such as a memory-corruption vulnerability. Samsung, Nvidia, AMD and Google did not respond to Wired's requests for comment.

But what Microsoft and Intel point out is hardly reassuring. Once ASLR is broken, attackers can reuse the many ordinary memory-corruption bugs that ASLR had been keeping in check. Old bugs get a new lease on life.

If technology companies do not take ASLR attacks seriously, the result could be a wave of new exploitation methods, with millions of unsuspecting users one wrong click away from being hacked. "Attackers have been getting smarter. If computers become more and more stupid, the advantage will undoubtedly be on the attacker's side."

Related reading

Intel CPU exposure can be exploited to bypass ASLR