ASLR on the Line: Practical Cache Attacks on the MMU
Author(s): Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Box, Cristiano Giuffrida
Download: Paper (PDF)
Date: 27 Feb 2017
Document Type: Reports
Additional Documents: Video
Associated Event: NDSS Symposium 2017
Address space layout randomization (ASLR) is an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing.
In this paper, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cachebased architectures, making ASLR and caching conflicting requirements (ASLR Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU s page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim s code and data by locating the cache lines that store the page-table entries used for address translation.