The attack, christened ASLR⊕Cache, or AnC, targets the memory management unit (MMU), a lesser-known component of every modern CPU that translates the virtual addresses programs use into physical addresses by walking the page tables. The page-table entries the MMU reads during that walk pass through the same data caches as ordinary memory accesses, so the walk leaves a cache footprint that other code on the machine can measure.
"We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU," researchers said.
"For example, on the x86_64 architecture, our attack can find the offsets that are accessed by the MMU for each of the four page-table pages. The offset within each page breaks nine bits of entropy, so even a perfect ASLR implementation with 36 bits of entropy is not safe."
In plain terms, AnC defeats ASLR. It does not read the contents of memory by itself; what it reveals is where code and data sit in a process's address space, and that is the missing piece an attacker needs to turn a memory-corruption bug into a working exploit and, from there, escalate to the rest of the operating system.
ASLR is a memory-protection mechanism shipped with all major operating systems. It randomizes the base addresses at which a program's code, libraries, stack and heap are placed, so an attacker who has found a memory-corruption bug does not know which address to aim at. Once ASLR is broken, the attacker knows those addresses and can target them precisely, whether to hijack the program's control flow or to steal sensitive information held in the PC's memory.
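To make the arithmetic in the researchers' quote concrete, here is an added example (written for this page, not code from the AnC paper or its authors) that decomposes an x86_64 virtual address into the four indices the MMU uses during a page-table walk, the byte offset of each entry inside its 4 KiB page-table page, and the 64-byte cache line that entry lands in. It then reverses the process: given the four entry offsets, it rebuilds address bits 47..12, which is exactly the 36 bits of entropy the quote says a perfect ASLR would have. The sample address is constructed; the 8-byte entry size, 9-bit indices and 64-byte cache line are the standard x86_64 parameters.

```c
/* Added example: what an x86_64 page walk touches, and why recovering the
 * entry offsets in the four page-table pages de-randomizes a 36-bit ASLR. */
#include <stdint.h>
#include <stdio.h>

#define LEVELS     4      /* PML4, PDPT, PD, PT */
#define IDX_BITS   9      /* 512 entries per page-table page */
#define PTE_SIZE   8      /* each entry is 8 bytes */
#define CACHE_LINE 64     /* 8 entries share one line, so a line resolves only 6 of the 9 bits */

/* Level 0 = PML4 (VA bits 47..39) ... level 3 = PT (VA bits 20..12). */
static unsigned level_shift(int lvl) {
    return 12 + IDX_BITS * (LEVELS - 1 - lvl);
}

/* 9-bit index selected in the page-table page at this level. */
static unsigned pt_index(uint64_t va, int lvl) {
    return (unsigned)((va >> level_shift(lvl)) & ((1u << IDX_BITS) - 1));
}

/* Byte offset of that entry inside its 4 KiB page: this is the "offset within
 * each page" the attack recovers. */
static unsigned entry_offset(uint64_t va, int lvl) {
    return pt_index(va, lvl) * PTE_SIZE;
}

/* Cache line within the page-table page that the MMU's read lands in (0..63). */
static unsigned entry_line(uint64_t va, int lvl) {
    return entry_offset(va, lvl) / CACHE_LINE;
}

/* Inverse: from the four recovered entry offsets, rebuild VA bits 47..12. */
static uint64_t reconstruct(const unsigned off[LEVELS]) {
    uint64_t va = 0;
    for (int lvl = 0; lvl < LEVELS; lvl++)
        va |= (uint64_t)(off[lvl] / PTE_SIZE) << level_shift(lvl);
    return va;
}

/* Decompose and rebuild in one step; the page offset (bits 11..0) is not part
 * of the walk and is not randomized, so it is dropped. */
static uint64_t roundtrip(uint64_t va) {
    unsigned off[LEVELS];
    for (int lvl = 0; lvl < LEVELS; lvl++)
        off[lvl] = entry_offset(va, lvl);
    return reconstruct(off);
}

/* Address bits exposed by the walk: 9 per level if the exact entry is known,
 * 6 per level if only the cache line can be told apart. */
static unsigned entropy_exposed(int exact_entry) {
    unsigned per_level = exact_entry ? IDX_BITS : IDX_BITS - 3;
    return per_level * LEVELS;
}

int main(void) {
    uint64_t va = 0x00007f3a2c581abcULL;   /* constructed user-space address */
    for (int lvl = 0; lvl < LEVELS; lvl++)
        printf("level %d: index %3u  entry offset 0x%03x  cache line %2u\n",
               lvl, pt_index(va, lvl), entry_offset(va, lvl), entry_line(va, lvl));
    printf("rebuilt from offsets: 0x%016llx\n", (unsigned long long)roundtrip(va));
    printf("entropy exposed: %u bits (exact entry), %u bits (cache line only)\n",
           entropy_exposed(1), entropy_exposed(0));
    return 0;
}
```

The cache-line figure is the natural granularity of an EVICT+TIME probe: with 8-byte entries and 64-byte lines it resolves 6 of the 9 index bits per level, 24 bits in total; the quote above claims all nine per level, i.e. the full 36 bits, which is what the reconstruction step assumes.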
Even worse, the researchers say the techniques behind AnC can revive cache attacks that were thought to be blocked, reopening bugs that are many years old and that vendors believed they had mitigated.
Issues with AnC attacks are tracked via several CVE identifiers.
Below are the 22 CPU models and micro-architectures that the researchers tested and found vulnerable to AnC attacks. More micro-architectures could be vulnerable as well, as not all were tested.

| CPU model | Micro-architecture | Year |
|---|---|---|
| Intel Xeon E3-1240 v5 | Skylake | 2015 |
| Intel Core i7-6700K | Skylake | 2015 |
| Intel Celeron N2840 | Silvermont | 2014 |
| Intel Xeon E5-2658 v2 | Ivy Bridge EP | 2013 |
| Intel Atom C2750 | Silvermont | 2013 |
| Intel Core i7-4500U | Haswell | 2013 |
| Intel Core i7-3632QM | Ivy Bridge | 2012 |
| Intel Core i7-2620QM | Sandy Bridge | 2011 |
| Intel Core i5 M480 | Westmere | 2010 |
| Intel Core i7 920 | Nehalem | 2008 |
| AMD FX-8350 8-Core | Piledriver | 2012 |
| AMD FX-8320 8-Core | Piledriver | 2012 |
| AMD FX-8120 8-Core | Bulldozer | 2011 |
| AMD Athlon II 640 X4 | K10 | 2010 |
| AMD Phenom 9550 4-Core | K10 | 2008 |
| Allwinner A64 | ARM Cortex A53 | 2016 |
| Samsung Exynos 5800 | ARM Cortex A15 | 2014 |
| Samsung Exynos 5800 | ARM Cortex A7 | 2014 |
| Nvidia Tegra K1 CD580M-A1 | ARM Cortex A15 | 2014 |
| Nvidia Tegra K1 CD570M-A1 | ARM Cortex A15; LPAE | 2014 |
This is the same research team that in recent years has experimented with different versions of the Rowhammer attack, using it to compromise PCs via Microsoft Edge, attack Linux virtual machines running on cloud servers, and root Android devices.
A Rowhammer attack repeatedly accesses (hammers) the same rows of DRAM cells until charge leaks from cells in neighbouring rows and their stored bits flip. The technique is complex, but it lets an attacker whose only foothold is code running on the machine, such as JavaScript in a browser, modify RAM contents they were never given permission to write.