Boffins exploit Intel CPU weakness to run rings around code defenses
Branch buffer shortcoming allows hackers to reliably install malware on systems
US researchers have pinpointed a vulnerability in Intel chips – and possibly other processor families – that clears the way for circumventing a popular operating-system-level security control.
ASLR (address space layout randomization) is widely used as a defense against attempts by hackers to exploit software vulnerabilities to take control of computers.
By randomising the locations of kernel and application components in memory, ASLR limits the ability for evil code, injected into a system, to reliably exploit programming flaws and hijack the attacked application or operating system. Hackers need to know where key components lie in memory in order to successfully exploit a bug, a process that ASLR frustrates.
For example, take a booby-trapped PNG file that exploits a bug in an image editor. The software opens the PNG and is tricked into handing control of the processor to code smuggled within the picture – but the exploit code is now running blind. It cannot assume the location of key components that are needed to pivot from basic exploitation to a full compromise of the application and, next, the whole system. ASLR has juggled the libraries and other dependencies around at random, so an algorithm is needed to work out where things have been hidden.
The Intel chip flaw can be abused by hackers to bypass this protection, thus ensuring their attacks are much more effective. In order to pull off this technique, miscreants must be able to at least start running their malicious code within an application or operating system on the target machine.
The hack takes advantage of the CPU's branch target buffer, a mechanism present in many microprocessor architectures including Intel Haswell CPUs. Exploiting the buffer was demonstrated by the researchers on a Haswell-powered PC running Linux, and this attack is potentially effective against other platforms.
The BTB provides a history of branches taken by the processor as it runs through its code: after the CPU is told to make a decision, it usually jumps to another part of the program based on the outcome of that decision. For example, if something fetched from memory has a value greater than zero, then jump to location A or jump to location B if not.
If a jump location is in the history buffer then the CPU knows this branch is usually taken so can start priming itself with instructions from the jump landing point. That means branches routinely taken execute with minimal delay.
By flooding the BTB with a range of branch targets, hackers can observe the BTB refilling with values of regularly taken jumps. This allows the miscreants to work out where in memory the operating system has randomly placed the application's vital components. It takes a few tens of milliseconds to perform, we're told. The eggheads say this allows an “attacker to identify the locations of known branch instructions in the address space of the victim process or kernel.”
Their research, Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, by boffins at State University of New York at Binghamton and the University of California, Riverside, can be found here [PDF].
Alfredo Pironti, senior security consultant at IOActive, said the vulnerability shows that the security of physical IT (including chips) needs to be considered alongside more commonplace and less esoteric software flaws.
“Software isn’t always the easiest point of entry, particularly for those hackers that have a deeper knowledge of hardware and its vulnerabilities,” said Pironti, who added that the ASLR bypass attack is an example of a hardware side-channel attack, an already recognised class of assault.
“These attacks are often more expensive and time consuming to conduct, compared to classical software attacks,” Pironti explained. “Usually they also have stricter conditions, such as running a specific software on the victim’s machine and being able to collect CPU metrics. However, this doesn’t mean that we shouldn’t be vigilant. Cybercriminals are more sophisticated, well-funded and – worst of all – patient than ever before, and are always looking for new and surprising ways to infiltrate.
“This is why it is vital that companies have their chips pen-tested during the development stage, as the cost and complexity of re-mediating an attack of this kind is enormous,” Pironti concluded. ®