Intel Processor Flaw Allows Hackers To Bypass Security Mechanisms

HardOCP News

A pair of researchers from the State University of New York at Binghamton have demonstrated a technique using Intel's Haswell processors that bypasses ASLR, a security protection built into most current operating systems. Obviously, this could have serious implications if left unfixed.

A flaw in Intel's processors could allow attackers to bypass security mechanisms and inject malware into code, security researchers have warned. The technique works on almost every operating system and enables more effective software exploits. The researchers behind the discovery developed a bypass for Intel's Address Space Layout Randomization (ASLR) technology on its Haswell series of processors.
 
The question the paper doesn't really answer is how effective this would be in a real-world attack vice a lab machine.
 
^ yeah, it's a pretty sophisticated attack and there are likely easier exploits in real-life attacks. I was quickly browsing through the paper to look at mitigation techniques, and unfortunately it's something that would need a work-around at the hardware level to completely fix (BTB collisions, made possible by relatively low entropy randomization).

This is why I'm still using Ivy Bridge! ;)
 
^ yeah, it's a pretty sophisticated attack and there are likely easier exploits in real-life attacks. I was quickly browsing through the paper to look at mitigation techniques, and unfortunately it's something that would need a work-around at the hardware level to completely fix (BTB collisions, made possible by relatively low entropy randomization).

This is why I'm still using Ivy Bridge! ;)

Sorry boss:
Abu-Ghazaleh told SearchSecurity that although the team used Intel's Haswell chips for testing, "It's likely that [other Intel chips] are vulnerable as well since they use the same general principles for the branch predictor, but the specifics and whether we can recover all of ASLR depends on the configuration."
 
Paid for by the NSA. Time to write a patch to move the backdoor. Damn kids these days don't respect the "stay out, nothing to see here" signs.
I wonder how long their warranty period lasts. Do they get a new feature now that this one was compromised? The NSA should demand another one that's not known!
 
^ yeah, it's a pretty sophisticated attack and there are likely easier exploits in real-life attacks. I was quickly browsing through the paper to look at mitigation techniques, and unfortunately it's something that would need a work-around at the hardware level to completely fix (BTB collisions, made possible by relatively low entropy randomization).

This is why I'm still using Ivy Bridge! ;)

Would be nice if people didn't use misleading headlines...

Basically, this applies to pretty much every chip to ever use a Branch Target Buffer. AKA, any chip you would ever want to use: ARM, Power, Alpha, MIPS, AMD, Intel et al.

And the flaw isn't in the hardware. It is in the software. ASLR was and always will be effectively snake oil. It is somewhat hilarious that anyone actually relied on it. It is at its basis "security through obscurity". AKA, the biggest no-no in all security systems.
 
Is Haswell more risky than other architectures or generations of Intel chips?

It is no more risky than Power, ARM, Alpha, MIPS, SPARC, etc. This isn't a hardware bug. This is the side effect of Branch Target Buffers working as intended and as designed. BTBs cache things to make things faster. All this "exploit" does is use timing analysis around that caching to determine ASLR layout. It would be like saying that L2 caches having different latency for a hit or miss is a bug.
 
No worries, Intel and NSA have plenty more backdoors. You know, for security reasons!
 
I'm trying to understand how this works.

ASLR is implemented entirely in software on the OS kernel level, right?

So what we are talking about is potential exploits circumventing the software ASLR by somehow getting cached memory addresses in the branch predictor?
 
I'm trying to understand how this works.

ASLR is implemented entirely in software on the OS kernel level, right?

So what we are talking about is potential exploits circumventing the software ASLR by somehow getting cached memory addresses in the branch predictor?

It is basically a timing attack. You do branches to various locations and record the time it takes. By analyzing the timing, you end up determining which addresses correspond to aliased memory locations that contain other data/programs. Eventually, you can map out the ASLR locations.
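The aliasing the post above describes, together with the "low entropy randomization" point in the earlier reply, can be put into a toy model. This is an added example, not code from the paper or from any poster; the page size, the index function and the bit ranges are constructed assumptions, not Haswell's actual predictor layout. It shows how many ASLR slides stay indistinguishable once the BTB set of one branch is known, which is what decides how much the randomization still buys.

```python
import random

PAGE_SHIFT = 12  # 4 KiB pages: an ASLR slide only changes address bits >= 12


def btb_index(addr, index_lo, index_hi):
    """Constructed model: the BTB set index is address bits [index_lo, index_hi).

    Real predictors hash more than a plain bit slice; the slice is enough to show
    why branches with different bases can land in the same predictor entry."""
    return (addr >> index_lo) & ((1 << (index_hi - index_lo)) - 1)


def residual_entropy_bits(rand_bits, index_lo, index_hi):
    """ASLR bits that are NOT part of the BTB index survive a collision observation."""
    covered = max(0, min(index_hi, PAGE_SHIFT + rand_bits) - max(index_lo, PAGE_SHIFT))
    return rand_bits - covered


def bases_sharing_index(observed, branch_offset, rand_bits, index_lo, index_hi):
    """Every page-aligned base (rand_bits of entropy) whose branch at branch_offset
    maps to the observed BTB set. A collision oracle narrows the slide to this
    set and no further."""
    return [b << PAGE_SHIFT for b in range(1 << rand_bits)
            if btb_index((b << PAGE_SHIFT) + branch_offset, index_lo, index_hi) == observed]


def simulate(rand_bits, index_lo, index_hi, branch_offset=0x5A0, seed=1):
    """Pick a random slide, then count how many slides remain ambiguous to someone
    who learned only which BTB set one branch occupies. Returns
    (true slide is among the survivors, number of survivors)."""
    rng = random.Random(seed)
    true_base = rng.getrandbits(rand_bits) << PAGE_SHIFT
    observed = btb_index(true_base + branch_offset, index_lo, index_hi)
    survivors = bases_sharing_index(observed, branch_offset, rand_bits, index_lo, index_hi)
    return true_base in survivors, len(survivors)


if __name__ == "__main__":
    # 8 bits of page-level ASLR entropy against a BTB indexed by bits 6..17:
    # 6 of the 8 random bits sit inside the index, so only 2^2 = 4 slides remain.
    print(simulate(8, 6, 18))               # (True, 4)
    print(residual_entropy_bits(8, 6, 18))  # 2
    # An index that stops below bit 12 never sees the randomized bits at all.
    print(simulate(8, 6, 12))               # (True, 256)
```

Raising rand_bits while keeping the index range fixed is the software-side knob the thread argues about: the survivors count grows only with the random bits the index does not cover.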
 
Intel, bringing you incremental upgrades, and offering intel about you with hidden features and goodies. It's likely not just Intel doing this at the hardware level.
 
Intel, bringing you incremental upgrades, and offering intel about you with hidden features and goodies. It's likely not just Intel doing this at the hardware level.

Eh? This isn't really a hardware issue. This is a software issue. ASLR was never intended to be more than a band-aid. And I'm almost certain that this attack will work on any CPU shipped at least within the last 5 years, including your smartphone, including AMD, etc.
 
Eh? This isn't really a hardware issue. This is a software issue. ASLR was never intended to be more than a band-aid. And I'm almost certain that this attack will work on any CPU shipped at least within the last 5 years, including your smartphone, including AMD, etc.

I'm not really sure it's a fault of either the software or the hardware to be honest.

It just seems like ASLR tech isn't compatible with modern branch prediction methods.

ASLR is a nice to have. It makes things more difficult for those seeking to compromise a system, but it's not an end-all. Many popular server platforms don't even have it (FreeBSD notably lacks it, and there are a TON of enterprise network appliances based on FreeBSD, like pfSense and FreeNAS).
 
I'm not really sure it's a fault of either the software or the hardware to be honest.

It just seems like ASLR tech isn't compatible with modern branch prediction methods.

ASLR is a nice to have. It makes things more difficult for those seeking to compromise a system, but it's not an end-all. Many popular server platforms don't even have it (FreeBSD notably lacks it, and there are a TON of enterprise network appliances based on FreeBSD, like pfSense and FreeNAS).

Um, BTBs were around before ASLR, so one could say ASLR was never compatible.
 
Um, BTBs were around before ASLR, so one could say ASLR was never compatible.

Fair comment.

But even with BTBs providing a way to work around the ASLR, it still makes it a lot more complicated than if there were no ASLR at all, so there's that.
 
Fair comment.

But even with BTBs providing a way to work around the ASLR, it still makes it a lot more complicated than if there were no ASLR at all, so there's that.

My understanding is that this flaw allows ASLR to be bypassed in 60 milliseconds by any malware that deploys it.
 