
Researchers bypass ASLR protection with simple JavaScript code

Category: Front-end (JavaScript) | Posted by: 店小二03 | Date: 2017 | Author: 红领巾

A group of researchers from the Systems and Network Security Group at VU Amsterdam have discovered a way to bypass address space layout randomization (ASLR) protections of major operating systems and browsers by exploiting a common feature of computer microprocessors.

By combining simple JavaScript code that targets this feature with exploit code for browser or OS vulnerabilities, they were able to compromise vulnerable systems, as demonstrated in this video (on Linux and Firefox):

What is ASLR?

As its name suggests, address space layout randomization’s goal is to prevent attackers from knowing and misusing an application’s code and data by randomizing its location in the virtual address space.

Most modern operating systems use this technique, including Windows, macOS, Linux, several Unix-like OSes, Android, and iOS. Modern browsers also employ it.

The attack, and the feature that allows it

“The memory management unit (MMU) of modern processors uses the cache hierarchy of the processor in order to improve the performance of page table walks. Unfortunately, this cache hierarchy is also shared by untrusted applications, such as JavaScript code running in the browser,” the researchers explained.

“Our attack relies on the interplay between the MMU and the caches during virtual to physical address translation―core hardware behavior that is central to efficient code execution on modern CPUs. We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. As a result, an attacker can derandomize virtual addresses of a victim’s code and data by locating the cache lines that store the page-table entries used for address translation.”

This knowledge allows attackers to successfully execute malicious payloads on the targeted system, instead of crashing it.

The researchers have found that 22 different microarchitectures from Intel, ARM and AMD processors allow the observation of the MMU signal and, therefore, the attack. Also, it takes just a few minutes to execute it.

What now?

The researchers have dubbed the attack ASLR Cache (aka AnC), and say that fixing the problem is going to be difficult.

“Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical. Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software,” they noted.

They have disclosed their findings to the various processor, browser and OS vendors.

“Some processor vendors agreed with our findings that ASLR is no longer a viable security defense at least for the browsers. Others did not dispute our findings. From the browser vendors, most found AnC relevant,” they noted, and added that they’ve worked with the Apple Product Security Team to help them harden WebKit against the AnC attack.

They have offered more mitigation ideas for both the hardware and software makers in their paper.

End users can protect themselves against such an attack by using plugins (e.g. NoScript, ScriptSafe) that prevent browsers from automatically running untrusted JavaScript present on web pages. Unfortunately, this also means that the fluidity of their web browsing will be somewhat affected.

Although the researchers will not release the JavaScript version of their attack, they predict that advanced adversaries could replicate their results in a matter of weeks, given the details they shared in their paper.

Page link: http://www.codesec.net/view/534233.html