Exec ASLR: Abusing intel branch predictors to bypass ASLR

José Luiz Oliveira

Abstract :

Address Layout Randomization (ASLR) is used to mitigate memory corruption attacks by randomizing virtual addresses of a process. Also, using speculative execution, modern CPUs rely on branch predictors to choose the next instruction to be fetched in the CPU pipeline.

In this talk we present a new spectre v2 based technique for abusing branch predictors in order to bypass ASLR on Intel CPUs. Our attack abuses the fact that not only the attacker can pollute the branch target buffer such as in a spectre-like scenario, but victims can also trigger a branch misprediction in the attacker process, leading the attacker to speculatively jump to the same protected address. Using a second cache side channel the attacker can then retrieve the address, completely bypassing the ASLR for the target process. On a real intel processor hosted on google cloud, we were able to successfully recover the victim’s address in a fast and (somewhat) reliable 0day attack.

With some demos, we will explore some x86 internal related topics such as side channel attacks, speculative and out of order execution, as well as the research work done.

Speaker:  José Luiz Oliveira

Cybersecurity analyst at PRIDE Security, former CTF player from Epic Leet Team, electronic engineering undergraduate and a terrible game developer in free time. I love reverse engineering and pwning, and ‘ve been studyng on x86 internals recently.