Hardware exploit allows ASLR side-channel attack on X86 processors
Wed 19 Oct 2016

Researchers have discovered a security vulnerability that cannot be immediately or completely addressed by traditional software updates, since it exists at the hardware level of the X86 chipset architecture.
The vulnerability concerns Address Space Layout Randomization (ASLR), which conceals where data is placed in a computer’s memory and, most specifically, mitigates buffer overflow attacks.
But researchers from the State University of New York and the University of California at Riverside have successfully devised a ‘side-channel’ attack which defeats this protection. Bypassing ASLR permits an attacker to gain root control over a machine, and in the technique developed by the team, the branch target buffer, part of a processor mechanism that accelerates program performance, was used to recover the supposedly hidden locations of the data and facilitate the takeover.
The attack was carried out on ‘a recent version’ of Linux, but since the exploit is specific to hardware, it is not specific to any operating system, and is therefore a potential attack vector for hackers in Windows, Apple OS or any other system which uses this feature of the X86 chipset (that’s all of them). However, no equivalent tests have been carried out beyond the Linux environment.
Participating researcher Abu-Ghazaleh, professor of computer science and engineering and electrical and computer engineering in UCR’s Bourns College of Engineering, commented “While most cybersecurity research considers software vulnerabilities and defenses, our research focuses on the underlying hardware and computer architecture, which also play important roles in computer security, both in terms of introducing new vulnerabilities as well as supporting more secure software.”
The researchers’ test attack requires only control of a user-level (rather than a root) process in order to recover the virtual memory address of a kernel routine, e.g. a system call handler.
The report notes that there is some scope to address the vulnerability in software, but since the attack vector is at kernel level, hardware revisions would be more suitable.
The research for this project was funded by the National Science Foundation, and is led by doctoral computer science student Dmitry Evtyushkin of the State University of New York at Binghamton.