ASLR has been defeated by JavaScript

Mira Yurizaki

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

 

ASLR, or Address Space Layout Randomization, is a technique used by operating systems to randomize the layout of where data are resident in RAM. For instance, in one run all of the core components reside at address 0x1000; the next time, they reside at 0x2000. This is to prevent a class of attacks that read/write beyond a buffer into data that they shouldn't be accessing. Because the location of data in an ASLR system is not guaranteed, this makes those kinds of attacks infeasible.

 

However, there is a flaw that's been proven that even JavaScript of all things can exploit: the cache in the CPU still knows where everything is. The JavaScript code instead pokes at the cache to figure out where data are and uses that to figure out where that data lives in RAM.

Quote

In this paper, we show that the problem is much more serious and that ASLR is fundamentally insecure on modern cache-based architectures. Specifically, we show that it is possible to derandomize ASLR completely from JavaScript, without resorting to esoteric operating system or application features. Unlike all previous approaches, we do not abuse weaknesses in the software (that are relatively easy to fix). Instead, our attack builds on hardware behavior that is central to efficient code execution: the fast translation of virtual to physical addresses in the MMU by means of page tables. As a result, all fixes to our attacks (e.g., naively disabling caching) are likely too costly in performance to be practical. To our knowledge, this is the first attack that side-channels the MMU and also the very first cache attack that targets a victim hardware rather than software component.

Here's the problem though: caching is vital to the performance of a CPU. So you can't just simply disable cache and call it a day. And it's not like any of the processor manufacturers can apply a fix to any existing parts or come up with something overnight because it's a hardware issue.


I've always known JavaScript was the best language ever created :P

qwertyuoip successfully jailbroke iOS 10 with just another JavaScript exploit

Why did nobody think of that before? Or is this just the JavaScript method proven?

I wonder if Zen's built in encryption engine will solve this issue? I know it's supposed to encrypt the data in RAM but I'm not sure if it includes cache.

3 minutes ago, DeadEyePsycho said:

I wonder if Zen's built in encryption engine will solve this issue? I know it's supposed to encrypt the data in RAM but I'm not sure if it includes cache.

It depends on how deep the encryption goes. It's probably not on the processor level.

 

Ultimately though the thing is you cannot have a randomized layout and have someone know where data lives at the same time. This may be a fundamental problem with the JavaScript ecosystem. If this were something you could do with a program written in C, I wouldn't really bat an eye as much. By JavaScript? Why does an application level language have access to intimate hardware details?

29 minutes ago, M.Yurizaki said:

It depends on how deep the encryption goes. It's probably not on the processor level.

 

Ultimately though the thing is you cannot have a randomized layout and have someone know where data lives at the same time. This may be a fundamental problem with the JavaScript ecosystem. If this were something you could do with a program written in C, I wouldn't really bat an eye as much. By JavaScript? Why does an application level language have access to intimate hardware details?

 

From the paper:

 

Quote

By executing specially crafted memory access patterns on a commodity Intel processor, we are able to infer which cache sets have been accessed after a targeted MMU PT walk when dereferencing a data pointer or executing a piece of code. As only certain addresses map to a specific cache set, knowing the cache sets allows us to identify the offsets of the target PT entries at each PT level, hence derandomizing ASLR.

 

Quote

In order to allocate a large enough JITed code area we spray JavaScript functions in an asm.js module. We can tune the size of these functions by changing the number of their statements to be compiled by the JIT engine. The machine code of these functions start from a browser-dependent but known offset in a page and follow each other in memory and since we can predict their (machine code) size on our target browsers, we know the relative offset of each function from the beginning of the asm.js object.

 

Basically, they execute code with a known offset from a location in memory. Then, using the execution time, they are able to determine whether the code resides in cache or in memory. From there, it is possible to defeat ASLR because certain memory pages will only map to certain cache lines.
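To make the "certain memory pages will only map to certain cache lines" point from this post and the OP concrete, here is an added model (my own illustration, not code from the AnC paper or from anyone in this thread) of a 4-level x86-64 page-table walk. It assumes 4 KiB pages, 8-byte page-table entries and 64-byte cache lines, and shows which bits of a virtual address decide the cache line each level's page-table entry lands in; those are exactly the randomized bits that an attacker observing cache sets can learn, which is why the fix is not a software patch.

```python
# Added model (not code from the AnC paper or from this thread) of how a
# 4-level x86-64 page-table walk ties virtual-address bits to cache lines.
# Assumed geometry: 4 KiB pages, 8-byte page-table entries, 64-byte cache lines.

INDEX_BITS = 9                 # 512 entries per 4 KiB table page
ENTRY_SHIFT = 3                # 8-byte entries
LINE_SHIFT = 6                 # 64-byte cache lines, so 8 entries share one line
LEVEL_SHIFTS = {"PML4": 39, "PDPT": 30, "PD": 21, "PT": 12}


def pte_offsets(va):
    """Byte offset, inside its 4 KiB table page, of the entry the MMU reads at each level."""
    mask = (1 << INDEX_BITS) - 1
    return {lvl: ((va >> s) & mask) << ENTRY_SHIFT for lvl, s in LEVEL_SHIFTS.items()}


def pte_cache_lines(va):
    """Cache line (0..63) inside the table page that each level's entry lands in.

    The cache-set index of the entry's physical address is built from these six
    bits plus higher physical-address bits chosen by the kernel; the six low bits
    are the part that depends only on the virtual address being translated, so
    observing which set was touched reveals part of the ASLR-randomized address.
    """
    return {lvl: off >> LINE_SHIFT for lvl, off in pte_offsets(va).items()}


def va_bits_exposed_by_line(level):
    """Inclusive (low, high) VA bit positions that select this level's cache line."""
    s = LEVEL_SHIFTS[level]
    return (s + LINE_SHIFT - ENTRY_SHIFT, s + INDEX_BITS - 1)


def va_bits_hidden_within_line(level):
    """Inclusive (low, high) VA bits that only move the entry *within* one line."""
    s = LEVEL_SHIFTS[level]
    return (s, s + LINE_SHIFT - ENTRY_SHIFT - 1)


if __name__ == "__main__":
    sample_va = 0x7F3A1C2D5000    # constructed user-space address, not a real leak
    print("cache line per level:", pte_cache_lines(sample_va))
    for lvl in LEVEL_SHIFTS:
        print(f"{lvl}: line encodes VA bits {va_bits_exposed_by_line(lvl)}, "
              f"bits {va_bits_hidden_within_line(lvl)} stay inside one line")
```

Each level leaks six of its nine index bits through the line number alone; the remaining three bits per level only move the entry within a line, which is why the paper needs the sliding JIT-code layout it describes to pin those down.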

44 minutes ago, Belgarathian said:

JavaScript is cancer... Again.

I would like to point out this is not a problem specific to JavaScript, but to computer systems as a whole. They simply proved you can use JavaScript to do it with.

Well wow heh.

1 hour ago, M.Yurizaki said:

I would like to point out this is not a problem specific to JavaScript, but to computer systems as a whole. They simply proved you can use JavaScript to do it with.

Agree... It's still cancer though. 

24 minutes ago, Belgarathian said:

Agree... It's still cancer though. 

 

Fine. This thread is not the place to air your subjective views. Please continue using Brainfuck or whatever language turns your crank.

1 minute ago, SSL said:

Fine. This thread is not the place to air your subjective views. Please continue using Brainfuck or whatever language turns your crank.

I made a Brainfuck interpreter once. I'd say it's a nice exercise in making some kind of interpreter. Maybe I should go back and try making a LOLCODE compiler.

 

(I say this as my only experience is making an assembler from a fictional assembly language during college)

Sooo, I should block JavaScript from running on my system?

Hmmm..... maybe, maybe not......

I don't know, let's see how this "exploit" goes. Will it install malware on our systems without us knowing (that already happens) or will it steal our data and sell it on the black market? (Again, already happens.)

It's JavaScript; it's pretty powerful but can't run outside a browser without a third-party program helping it (I think, don't quote me).

Also, maybe people should rename ASLR to ASMR, just for jokes...

And to give you a sporting chance, I will turn off the JavaScript-programmed neurotoxin! I'm joking of course, goodbye!

Ha, Portal is still funny... (sometimes)

Eons ago, motherboards used to let you disable the cache on a CPU. Now they stopped doing it.

34 minutes ago, samiscool51 said:

i don't know lets see how this "exploit" goes, will it install malware on our systems without us knowing (that already happens) or will it steal our data and sell it on the black market? (again already happens)

 

ASLR is a fundamental security measure of modern system architectures. Rendering it ineffective means that a wide range of attacks are easier to implement, any number of which lead to arbitrary code execution. That means that an attack can take complete control of your system.

 

35 minutes ago, samiscool51 said:

it's javascript, it's pretty powerful but can't run outside a browser without a third-party program helping it

 

It doesn't need to run outside the browser itself. It can be leveraged to execute arbitrary code outside the browser, though.

 

As always, disabling JavaScript and other plugins is a useful mitigation.

2 hours ago, SSL said:

(bump)

I said not to quote me....

Also, is your arch-enemy's name SSH?

Having your own arch-enemy, that's cool........

15 hours ago, samiscool51 said:

i don't know lets see how this "exploit" goes, will it install malware on our systems without us knowing (that already happens) or will it steal our data and sell it on the black market? (again already happens)

The main point is that previous exploits were from software vulnerabilities that are relatively easy to fix. This is a hardware vulnerability that you can't really fix. Well, you can by disabling cache, but your computer's performance will basically tank.

18 hours ago, M.Yurizaki said:

The main point is that previous exploits were from software vulnerabilities that are relatively easy to fix. This is a hardware vulnerability that you can't really fix. Well, you can by disabling cache, but your computer's performance will basically tank.

Did that....

Long story short:

Windows doesn't like having no cache! It hates it with a passion!

On 15/02/2017 at 5:24 PM, Goldensapling said:

I've always known JavaScript was the best language ever created :P

I know you're joking but you're not completely wrong seeing as all it takes is a browser and it runs on everything that supports a browser.