ASLR Apocalypse: ‘AnC’ Attack Bypasses ASLR On At Least 22 CPU Microarchitectures

Status
Not open for further replies.

bit_user

Splendid
Ambassador
I think I get why this is important, but the author should take an extra paragraph and explain it. As I understand it, ASLR is not an exploit, in and of itself, but rather a protection used to guard against certain other exploits. The effect of breaching it simply removes a layer of defense.

I searched, but didn't see a good explanation of that exploit. What does it stand for?

Anyway, I don't like where this is headed:
Microsoft patched the specific vulnerability that allowed the attack to work by disabling Edge’s memory deduplication feature.
the same cache hierarchy that is used by the memory management units (MMUs) of the CPU to efficiently execute code is also shared by untrusted code in a browser, such as JavaScript.
“Jump over ASLR,” a recent hardware flaw found in Intel’s branch predictors, that also allows attackers to bypass the ASLR protection.
Basically, these attacks are undermining all of the hardware & software tricks to make CPUs & Javascript fast. I worry that if browser and OS developers really took all these exploits seriously, we could experience performance regressions of a decade or more.
 

Giroro

Honorable
Jan 22, 2015
655
103
11,190
13
Unfortunately, as programming languages get more sophisticated, computer scientists and software engineers lose track of what the computer is actually doing.

This is also a major contributor to why software is getting exponentially more bloated. Even though x86 has been the defacto standard in PCs for years, most newer programmers don't even have a basic understanding of the architecture's instruction set. You can't trust someone like that to properly secure or optimize their code, so that work falls on the OS and compiler, respectively.
 

targetdrone

Distinguished
Mar 26, 2012
304
2
18,785
0
Don't worry folks, it is still perfectly safe to buy that WiFi enable toilet you can flush from your smartphone while at work, no hacker will ever use it for evil purposes.
 

bit_user

Splendid
Ambassador
This "exploit" has nothing directly to do with root or NX bit. However, they're related.

Basically, address randomization is a technique to prevent people from using buffer overflows and other tricks, in order to modify program memory. When you use a buffer overflow exploit, it's with a goal in mind. The objective is to write some specific block of data in a specific location, in order to take control of the program. So, you need to know the relative location of the target memory block. Address randomization obscures this, breaking most of these exploits. What they showed is how an array of tricks can be used to determine the memory map, which you can then use to re-enable other exploits involving buffer overflows, etc.

Now, NX bit and access privileges are both additional layers of protection. NX bit shuts down most code modification exploits, but not in all cases. Not running your browser as admin/root limits the extent to which it can compromise the rest of the system (unless combined with a privilege escalation exploit).

Security is all about layers of protection. Basically, you just want to be difficult enough to hack that it's not worthwhile. Perfect security is an illusion.
 

ZolaIII

Honorable
Sep 26, 2013
176
0
10,690
1
Actually this remaindes me of so called "Quadrooter" CVE's (actually two of them). As a matter a fact it reminds me so much that this is a probably a reason why QC SoC's aren't listed hire. The thing is it doesn't have to come to the ASLR, it can be prevented on earlier layers by more tightened access control privileges & better verification, which actual quadrooter showed us & by the way implementation whose fairly simple.
Think autor needs to explain the cause how exploit comes to be used much better rather than that it can bypass a certain security mechanism.
 
Status
Not open for further replies.

ASK THE COMMUNITY