JavaScript-based ASLR bypass attack simplifies browser exploits

Researchers have found a way to easily bypass ASLR protections in browsers from JavaScript

Researchers have devised a new attack that can bypass one of the main exploit mitigations in browsers: address space layout randomization (ASLR). The attack takes advantage of how modern processors cache memory and, because it doesn't rely on a software bug, fixing the problem is not easy.

Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) unveiled the attack, dubbed AnC, Wednesday after having coordinated its disclosure with processor, browser and OS vendors since October.

ASLR is a feature present in all major operating systems. Applications, including browsers, take advantage of it to make the exploitation of memory corruption vulnerabilities like buffer overflows more difficult.

The mitigation technique involves randomly arranging the memory address space positions used by a process so that attackers don't know where to inject malicious code so that the process executes it.

There are methods to bypass ASLR, but they often involve chaining multiple vulnerabilities together, including one that allows for memory disclosure. This new attack removes the need for such additional vulnerabilities, making the exploitation of remote code execution bugs much easier.

"This new attack is indeed very interesting if as efficient and reliable as reported," said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email. "It can be chained with many code execution type vulnerabilities across different platforms and even different software that supports JavaScript, e.g. browsers. On top of that, it seems to pretty quickly allow breaking ASLR, so it is seems practical in real life and not just theoretical or academic."

What makes the attack interesting is that it does not depend on any particular software feature. It takes advantage of the way in which the memory management unit (MMU) of modern processors perform memory caching to improve performance.

It turns out that this can be used as a side channel directly from JavaScript to leak heap and code pointers that ASLR is supposed to hide.

The same researchers devised a different ASLR bypass attack last year that worked against Microsoft Edge. That attack relied on a software feature called memory deduplication that Microsoft later disabled to protect users.

That's not possible in case of AnC, because the core of the problem is at the hardware level and can't be fixed in existing CPUs. However, browser vendors can make certain tweaks that would make the implementation of the attack harder.

For example, the attack requires a precise timer in JavaScript, and browser vendors previously disabled one function that could be used for similar cache timing attacks. The VUSec researchers found two new ways to build the timers used by AnC, so browser vendors could now block these too. However, there's no guarantee that other methods won't be found in the future.

The researchers suggested several changes to CPU, OS and browser vendors that could make AnC-like attacks harder to pull off, but some of them might have performance implications that need to be further investigated. So far, the Apple Product Security Team worked with the researchers to harden WebKit against the AnC attack.

"The problem is fundamental as it is in hardware and cannot be completely eradicated with software countermeasures," said Cristiano Giuffrida, an assistant professor at VU Amsterdam and one of AnC's authors, via email. "And even hardware countermeasures are perhaps too expensive to consider to save ASLR (as hinted by some hardware vendors we talked to)."

If this is not the last nail in ASLR's coffin, it's very much the last nail in the coffin for ASLR as we know it, Giuffrida said.

AnC might have implications beyond browsers, even though browsers are the most obvious target because of the wide use of JavaScript on the Web. However, any software that allows the execution of JavaScript code is potentially vulnerable, including PDF readers.

It's not clear if this attack will lead to a resurgence of browser exploits. For the past several years, the exploit kits that are used in large-scale, drive-by download attacks have mainly focused on targeting vulnerabilities in browser plug-ins like Flash Player, Java or Silverlight instead of flaws in the browsers themselves.

Time will tell, but bypassing ASLR is just one of the exploitation puzzle, Eiram said. Browsers have other security mechanisms in place, like sandboxes, that also need to be defeated to achieve arbitrary code execution, he said.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?