CPU

Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 processor micro-architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others.

The attack, christened ASLR⊕Cache, or AnC, focuses on the memory management unit (MMU), a lesser known component of many CPU micro-architectures, which is tasked with improving performance for cache management operations.

AnC attack targets CPU cache management component

What researchers discovered was that this component shares some of its cache with untrusted applications, including browsers. This meant that researchers could send malicious JavaScript that specifically targeted this shared memory space and attempted to read its content.

"We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU," researchers said.

"For example, on the x86_64 architecture, our attack can find the offsets that are accessed by the MMU for each of the four-page table pages. The offset within each page breaks nine bits of entropy so even a perfect ASLR implementation with 36 bits of entropy is not safe."

In layman's terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer's memory, which he could then use to launch more complex exploits and escalate access to the entire OS.

ASLR is a memory protection mechanism deployed with all major operating systems, which randomizes the location where code is executed in the memory. By breaking ASLR, an attacker will know where code executes, and prepare an attack that targets the same area of the memory, stealing sensitive information stored in the PC's memory.

AnC attacks work via Chrome and Firefox on 22 CPU micro-architectures

Researchers said they successfully tested AnC JavaScript attacks via Chrome and Firefox on 22 different CPU micro-architectures, even despite several protections built within those browsers, such as broken JavaScript timers.

Even worse, researchers say AnC attacks can be used to revive previously blocked cache attacks, opening the door for many-years-old bugs, which vendors thought to have mitigated.

According to researchers, the only way users can protect themselves against AnC attacks is to deploy an extension like NoScript, which stops untrusted JavaScript code from running in the browser.

Issues with AnC attacks are tracked via several CVE identifiers.

  • CVE-2017-5925 is assigned to track the developments for Intel processors
  • CVE-2017-5926 is assigned to track the developments for AMD processors
  • CVE-2017-5927 is assigned to track the developments for ARM processors
  • CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

Below are the 22 CPU models and micro-architectures that researchers tested and found vulnerable to AnC attacks. More micro-architectures could be vulnerable as well, as not all were tested.

CPU Model Microarchitecture Year
Intel Xeon E3-1240 v5 Skylake 2015
Intel Core i7-6700K Skylake 2015
Intel Celeron N2840 Silvermont 2014
Intel Xeon E5-2658 v2 Ivy Bridge EP 2013
Intel Atom C2750 Silvermont 2013
Intel Core i7-4500U Haswell 2013
Intel Core i7-3632QM Ivy Bridge 2012
Intel Core i7-2620QM Sandy Bridge 2011
Intel Core i5 M480 Westmere 2010
Intel Core i7 920 Nehalem 2008
AMD FX-8350 8-Core Piledriver 2012
AMD FX-8320 8-Core Piledriver 2012
AMD FX-8120 8-Core Bulldozer 2011
AMD Athlon II 640 X4 K10 2010
AMD E-350 Bobcat 2010
AMD Phenom 9550 4-Core K10 2008
Allwinner A64 ARM Cortex A53 2016
Samsung Exynos 5800 ARM Cortex A15 2014
Samsung Exynos 5800 ARM Cortex A7 2014
Nvidia Tegra K1 CD580M-A1 ARM Cortex A15 2014
Nvidia Tegra K1 CD570M-A1 ARM Cortex A15; LPAE  2014

Research team includes experts in RAM attacks

This is the same research team that in the past years has experimented with different versions of the Rowhammer attack, using it to compromise PCs via Microsoft Edge, attack Linux virtual machines running on cloud servers, and root Android devices.

The Rowhammer attack consists of blasting a constant stream of data at a line of RAM memory cells, until their electrical charge is modified, resulting in alterations to nearby cells. The technique is complex, but Rowhammer attacks can be used to modify the RAM contents of remote computers.

Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos showing the attack in action.