Finding weaknesses in common computer chips

Image Credit: Binghamton University.
Photography: Binghamton University.

According to a team of present and past Watson School researchers, there is a weakness in common Haswell central processing unit (CPU) components.

Computer hackers can take control of computers if a weak point in “address space layout randomization” (ASLR) software is exploited through a glitch with a CPU’s branch predictor, a piece of hardware designed to improve program performance.

However, Computer Science Professor Dmitry Ponomarev, PhD candidate Dmitry Evtyushkin and former Binghamton Computer Science Professor Nael Abu-Ghazaleh suggested several methods to mitigate the attacks in “Jump Over ASLR: Attacking the Branch Predictor to Bypass ASLR.” Companies have already started to work on solutions.

“In the current state of security, attackers have an arsenal of tricks, and systems deploy comprehensive protections. ASLR is only a piece of this puzzle, and if the system does not have other vulnerabilities, it is very difficult to attack even if ASLR is broken,” Ponomarev says. “Previous research demonstrated several ways to bypass ASLR, but our attack is just more efficient and direct. It does not change the fundamental state of the security arms race. Individual users should not worry about this attack. Just make sure that operating systems are always updated to ensure that other exploitable vulnerabilities are not present.”

Researchers demonstrated the weakness in commonly-used Linux operating systems using Intel processors. The team thinks the flaw could also apply to other operating systems such as Windows and Android. According to the work, attacks may also work on virtualization systems such as Kernel-based Virtual Machines (KVM), which are used in cloud-computing systems.

The results were presented at the 49th Annual IEEE/ACM International Symposium on Microarchitecture (Micro-49) in October in Taipei, Taiwan.

“We’ve been investigating side channels and covert channels through various processor resources and realized that a side-channel attack on BTB (branch target buffer) can deduce information on where individual instructions are located in the address space, and that in turn can lead to ASLR recovery,” Ponomarev says about the technical aspects of the work. “Our paper describes two attacks — one against kernel-level ASLR (KASLR) and one against user-level ASLR. For the kernel attack, we can quickly and reliably bypass randomization, while for the user attack we demonstrated reduced effectiveness of ASLR — further research is still needed to exactly understand to what extent.”

ASLR software automatically randomizes information in a computer’s memory, which protects a machine during crashes and defends against a wide range of malware. The team identified a way to disable and bypass ASLR by attacking the branch-predictor hardware through “buffer overflow” or “return-oriented programming” attacks.

With the ASLR down, a hacker can use administrator or root-level commands to steal data or hijack machines.

“While most cybersecurity research considers software vulnerabilities and defenses, our research focuses on the underlying hardware and computer architecture, which also play important roles, both in terms of introducing new vulnerabilities as well as supporting more secure software,” says Abu-Ghazaleh, who is now at the University of California, Riverside.

The work was funded by the National Science Foundation.