
A flaw has been found in Intel processors that allows ASLR protection to be bypassed



Address Space Layout Randomization (ASLR) is a security mechanism built into all popular operating systems. It works by randomizing the virtual memory addresses of various data structures: because the location of the target structure in memory is hard to predict, the chances of a successful attack are significantly reduced. Earlier in our blog we described how ASLR works, using Windows 8 as an example.

In mid-October 2016, a group of US information security researchers from the universities of California (Riverside) and New York (Binghamton) published a description of an attack technique that uses a flaw in Intel processors to bypass ASLR.
The researchers found a flaw in the operation of a component of the Haswell processor called the branch predictor; using an application they developed, they were able to predict the locations at which other programs load their data.

The predictor contains a table called the branch target buffer (BTB), which stores the locations in memory (the addresses) of branches. Modern processors use the branch predictor to speed up memory operations: the processor "predicts" the addresses of the instructions that are about to be executed, and to make that prediction easier it also stores the addresses of previously taken branches in the buffer. The attack technique relies on collisions in the branch target buffer, which can be used to find out where specific pieces of code are located.
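To make the entropy argument concrete, here is an added toy model (not the researchers' code and not a description of Intel's real BTB): it assumes a hypothetical BTB whose entry is selected by the low `index_bits` of the branch address, and counts how many page-level ASLR slides remain consistent once a collision reveals which entry a victim branch occupies.

```python
"""Toy model: a BTB indexed by fixed low address bits versus page-level ASLR.

Added illustration only. The index function, PAGE_SHIFT and every bit width
here are hypothetical modelling assumptions, not Intel's actual design.
"""
import random

PAGE_SHIFT = 12  # ASLR moves mappings by whole 4 KiB pages: bits 0-11 never change


def btb_index(branch_addr: int, index_bits: int) -> int:
    """Hypothetical index: only the low index_bits of the address select the entry."""
    return branch_addr & ((1 << index_bits) - 1)


def leaked_entropy_bits(index_bits: int, entropy_bits: int) -> int:
    """Randomized bits that also feed the index, and so are exposed by a collision."""
    randomized_hi = PAGE_SHIFT + entropy_bits  # randomized bits live in [PAGE_SHIFT, randomized_hi)
    return max(0, min(index_bits, randomized_hi) - PAGE_SHIFT)


def remaining_entropy_bits(index_bits: int, entropy_bits: int) -> int:
    """ASLR bits an attacker still has to guess after learning the index."""
    return entropy_bits - leaked_entropy_bits(index_bits, entropy_bits)


def candidate_slides_after_collision(branch_offset: int, observed_index: int,
                                     index_bits: int, entropy_bits: int) -> list[int]:
    """Page-aligned slides still consistent with the victim branch at observed_index.

    branch_offset is the branch's position inside its mapping (known from the binary);
    the slide is the unknown page-aligned offset ASLR added to that mapping.
    """
    return [s << PAGE_SHIFT for s in range(1 << entropy_bits)
            if btb_index(branch_offset + (s << PAGE_SHIFT), index_bits) == observed_index]


if __name__ == "__main__":
    rng = random.Random(1)
    entropy_bits = 16        # hypothetical: 16 bits of page-level ASLR entropy
    branch_offset = 0x1A3C   # constructed: offset of some branch inside the mapping
    for index_bits in (12, 20, 32):  # hypothetical index widths to compare
        slide = rng.getrandbits(entropy_bits) << PAGE_SHIFT
        observed = btb_index(branch_offset + slide, index_bits)
        survivors = candidate_slides_after_collision(branch_offset, observed, index_bits, entropy_bits)
        print(f"index bits={index_bits:2d}: {len(survivors):6d} of {1 << entropy_bits} slides remain "
              f"({remaining_entropy_bits(index_bits, entropy_bits)} entropy bits left)")
```

In this model the leak is exactly the overlap between the randomized address bits and the bits that select a shared, observable BTB entry, which is why the residual entropy, not the nominal ASLR entropy, is the number a defender should reason about.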

Thus, if an attacker writes a simple application that uses this ASLR bypass and combines it with an exploit for any vulnerability in the operating system itself, this opens the way to remote execution of malicious code.

According to the researchers, their method bypasses the ASLR implementations of both Microsoft Windows and Apple's OS X equally well. Experiments are currently under way to find out whether the new ASLR bypass technique also works on processors of other architectures.

The researchers presented their ASLR bypass technique at the IEEE/ACM International Symposium on Microarchitecture in Taipei (Taiwan), where they demonstrated it on a computer with a Haswell processor running the latest version of Linux.

Intel representatives said they are studying the findings presented in the study.

Source: https://habr.com/ru/post/313856/
