Security researchers have claimed that Intel's Haswell microprocessors can be abused to circumvent a security mechanism intended to prevent stack overflows and arbitrary code execution.
The claims were made by researchers at the universities of Binghamton and California.
The feature, called address space layout randomisation (ASLR), randomises memory addresses used by key processes to thwart arbitrary code execution attacks. The idea is that attackers won't know where to inject exploit shellcode and can't therefore craft malware accordingly.
But the researchers claimed in a paper presented at this week's IEEE/ACM International Symposium on Microarchitecture in Taipei that ASLR can be "broken" by using the branch target buffer (BTB), a caching mechanism used by the CPU, to cause it to leak ASLR memory addresses.
"The BTB stores target addresses of recently executed branch instructions so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle," said the researchers in the paper titled Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR (PDF).
"Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible."
The researchers demonstrated the attack on an Intel Haswell-based PC running a "recent version" of Linux, although they pointed out that ASLR features are also deployed in Windows, Android and Apple's iOS and macOS.
It took just 60 milliseconds to expose the kernel ASLR using this technique. "ASLR implementations across different operating systems differ by the amount of entropy used and by the frequency at which memory addresses are randomised," they explained.
"These characteristics directly determine the resilience of ASLR implementations to possible attacks. 32-bit operating systems have a much smaller addressable space, limiting the amount of space that can be dedicated to randomisation, making it possible to build fast brute-force attacks.
"The randomisation frequency can range from a single randomisation at boot or compile time to dynamic randomisation during program execution. More frequent re-randomisation reduces the probability of a successful attack."
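The two factors the researchers quote, entropy and re-randomisation frequency, can be put into a small model. The following is an added example, not code from the article or from the "Jump Over ASLR" paper; it assumes a hypothetical attacker who tests one candidate address per attempt and a randomised base that is uniform over 2**bits slots, and the bit counts used are illustrative rather than any operating system's real values.

```python
# Added example, not from the article or from the "Jump Over ASLR" paper it
# reports on. It models the two factors the researchers quote as deciding an
# ASLR implementation's resilience: how many bits of entropy go into the
# randomised address and how often the layout is re-randomised.
#
# Assumptions (hypothetical model, not measurements of any real OS):
#   - the randomised base lands uniformly in one of 2**bits slots;
#   - an attacker tests one candidate slot per attempt and learns only whether
#     that guess was right;
#   - `rerandomise_every` attempts pass between re-randomisations.

def expected_guesses_fixed_layout(bits: int) -> float:
    """Layout randomised once (boot or exec time) and never again.

    The attacker can enumerate slots without repeating any, so on average
    about half of the 2**bits slots are tried before the hit."""
    slots = 2 ** bits
    return (slots + 1) / 2


def success_probability(bits: int, attempts: int, rerandomise_every: int) -> float:
    """Probability that at least one of `attempts` guesses hits the target.

    Within one re-randomisation epoch the attacker never repeats a guess, so
    k distinct guesses all fail with probability (slots - k) / slots. Every
    re-randomisation throws that accumulated knowledge away, which is why
    more frequent re-randomisation lowers the success probability."""
    if bits < 0 or attempts < 0 or rerandomise_every < 1:
        raise ValueError("bits/attempts must be >= 0, rerandomise_every >= 1")
    slots = 2 ** bits
    p_fail = 1.0
    remaining = attempts
    while remaining > 0:
        k = min(remaining, rerandomise_every)
        if k >= slots:          # whole space enumerated inside one epoch
            return 1.0
        p_fail *= (slots - k) / slots
        remaining -= k
    return 1.0 - p_fail


def compare_policies(bits: int, attempts: int) -> dict:
    """Success probability under the two extremes the researchers describe:
    a single randomisation (attacker keeps all knowledge between attempts)
    versus re-randomisation before every attempt."""
    return {
        "randomise_once": success_probability(bits, attempts, max(attempts, 1)),
        "rerandomise_each_attempt": success_probability(bits, attempts, 1),
    }


if __name__ == "__main__":
    # Hypothetical entropy budgets: a small 32-bit-style budget and a larger
    # 64-bit-style one; the numbers are illustrative, not any OS's real values.
    for label, bits in (("small (32-bit-like)", 8), ("large (64-bit-like)", 28)):
        print(label, "expected guesses if randomised once:",
              expected_guesses_fixed_layout(bits))
        print(label, "after 1000 attempts:", compare_policies(bits, 1000))
```

Running the script shows the point the paper makes: with a small entropy budget and a layout randomised once, a brute-force search finishes quickly, while re-randomising before each attempt keeps every guess independent and caps the attacker's odds; a larger address space helps under either policy.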
This is not the first attack on ASLR demonstrated by security researchers, but earlier attacks have typically required the use of additional vulnerabilities.
The paper also highlighted some potential mitigations against ASLR attacks, such as more comprehensive randomisation and changes to the way in which the BTB addressing mechanism works.
The research was the work of Dmitry Evtyushkin and Dmitry Ponomarev at the University of Binghamton and Nael Abu-Ghazaleh at the University of California.