JavaScript Attack Can Break ASLR

BleepingComputer has reported that security researchers (the VUSec group at Vrije Universiteit Amsterdam) have discovered an attack that can be carried out in nearly any modern browser using nothing but JavaScript. Despite the sandboxing and other protections of browsers such as Google Chrome, Microsoft Edge, Opera and Mozilla Firefox, it breaks address space layout randomization (ASLR), the defence operating systems use to stop malicious code from learning where a process's code and data are located in memory. ASLR is a software mitigation, but the attack defeats it by abusing the CPU's memory management unit (MMU) and caches, so the underlying weakness is in the hardware rather than in any one browser. The attack is called ASLR⊕Cache, or AnC.

A successful attack does not read the contents of memory; it reveals where a process's code and data are mapped, which is exactly the information an attacker needs to turn a memory-corruption bug into a working exploit or a privilege escalation, and that in turn could give a malicious program full control of a device. The researchers tested 22 different CPU microarchitectures from Intel, AMD and ARM, found all of them to be affected, and warned that microarchitectures they did not test may very well be affected as well.

The attack itself is a cache side channel, not a memory-corruption attack such as Rowhammer: it flips and overwrites nothing. Whenever a program touches a virtual address, the CPU's MMU walks the page tables to translate it, and the page-table entries it reads are pulled into the same CPU caches that ordinary data uses. By filling the cache with its own data (eviction) and then carefully timing its memory accesses, the JavaScript code can tell which cache lines the page-table walk for a given address touched. Because the position of a page-table entry within its table is fixed by bits of the virtual address, those cache lines leak the very address bits that ASLR is supposed to randomize. Browsers made this practical by offering a fine-grained timer (performance.now()) and fast, predictable low-level memory access through asm.js and typed arrays; even after browser vendors coarsened performance.now(), the researchers built their own high-resolution timers out of other browser features. In short, browsers now run code fast enough, and close enough to the hardware, that they can be used to defeat a protection operating systems have relied on for years.
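To make the address-bit leak concrete, here is an added simulation written for this page (it is not the researchers' code) of how observing which cache line a page-table walk touched at each level of x86-64's four-level paging is turned back into virtual-address bits. The side channel itself is replaced by an oracle that returns the cache line of the entry loaded at each level; the attacker knows only offsets into its own buffer, as JavaScript code does with an ArrayBuffer, and uses the "sliding" trick of stepping to successive entries until the walk moves to the next line to recover the entry's position within that line. The function names, the sample address and the assumption that sliding strides of any size are available are mine; the real attack is limited by how large a buffer the browser lets it allocate.

```javascript
// Simulation of the AnC address-recovery step on x86-64 four-level paging.
// Added example: the EVICT+TIME measurement of the real attack is replaced
// by an oracle that reports which 64-byte cache line within each 4 KB page
// table the MMU touched during the walk. (Constructed model, not VUSec code.)

const ENTRIES_PER_LINE = 8n;   // 8-byte page-table entries, 64-byte cache lines
const LEVELS = [               // index bits of the virtual address per level
  { name: 'PT',   shift: 12n },
  { name: 'PD',   shift: 21n },
  { name: 'PDPT', shift: 30n },
  { name: 'PML4', shift: 39n },
];

// 9-bit index into the 512-entry table at a given level for virtual address va.
function tableIndex(va, level) {
  return (va >> level.shift) & 0x1ffn;
}

// The "side channel": for an access at secretBase + offset, the cache line
// (0..63) of the entry the walk loaded at each level. Only the line is
// observable, not the entry's slot within the line, mirroring what the cache
// timing reveals.
function makeWalkOracle(secretBase) {
  return (offset) =>
    LEVELS.map((level) => tableIndex(secretBase + offset, level) / ENTRIES_PER_LINE);
}

// Attacker side: knows nothing but offsets into its own buffer and the oracle.
// Recovers bits 12..47 of the buffer's base address (the page number), which
// is everything ASLR randomizes above the page offset.
function recoverBase(observeLines) {
  let recovered = 0n;
  LEVELS.forEach((level, li) => {
    const stride = 1n << level.shift;        // one entry at this level
    const line0 = observeLines(0n)[li];
    // Slide: step to the next entry until the walk lands in a different line.
    let steps = 1n;
    while (observeLines(steps * stride)[li] === line0) steps++;
    // Crossing into the next line after k steps means the start slot was 8 - k.
    const slot = ENTRIES_PER_LINE - steps;
    const index = line0 * ENTRIES_PER_LINE + slot;
    recovered |= index << level.shift;
  });
  return recovered;
}

// Convenience for the reader: compare the secret with what the model recovers.
function demo(secretBase) {
  const recovered = recoverBase(makeWalkOracle(secretBase));
  return { recovered, truePage: secretBase & ~0xfffn, hit: recovered === (secretBase & ~0xfffn) };
}

const sample = demo(0x7f3a12345678n);  // constructed sample address
console.log(`recovered page 0x${sample.recovered.toString(16)}, correct: ${sample.hit}`);
```

The model shows why the leak is so damaging: each level's cache line gives six index bits directly, and sliding past the line boundary gives the remaining three, so all four levels together expose the full page number. Note that the page offset (the low 12 bits) is never learned this way, which is why the recovery masks it off.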

The researchers also posted YouTube videos of the attack being carried out.
