Abusing Performance Optimization Weaknesses to Bypass ASLR

Presented at Black Hat USA 2014, Aug. 6, 2014, 5 p.m. (60 minutes)

The primary goal of ASLR is to effectively randomize a program's memory layout so that adversaries cannot easily infer such information. As ASLR is a critical defense against exploitation, there have been tremendous efforts to evaluate the mechanism's security. To date, previous attacks that bypass ASLR have focused mostly on exploiting memory leak vulnerabilities, or abusing non-randomized data structures. In this presentation, we leverage vulnerabilities introduced by performance-oriented software design to reveal new ways in which ASLR can be bypassed. In addition to describing how vulnerabilities originate from such designs, we will present real attacks that exploit them. First, we analyze general hash table designs for various programming languages (JavaScript, Python, Ruby). To optimize object tracking for such languages, their interpreters may leak address information. Some hash table implementations directly store the address information in the table, whileothers permit inference of address information through repeated table scanning. We exhaustively examined several popular languages to see whether each of them has one or both of these problems, and present how they can be leveraged. As a concrete example, we demonstrate how address information can be leaked in the Safari web browser by simply running some JavaScript. Second, we present an analysis of the Zygote process creation model, which is an Android operating system design for speeding up application launches. The results of our examination show that Zygote weakens ASLR because all applications are created with largely identical memory layouts. To highlight the severity of this issue, we demonstrate two different ASLR bypass attacks using real applications - Google Chrome and VLC Media Player.

Presenters:

• Tielei Wang - Georgia Institute of Technology
  Tielei Wang is Research Scientist at Georgia Institute of Technology. His research interests include system security, software security, and mobile security, with an emphasis on advanced attack and defense techniques. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011.
• Yeongjin Jang - Georgia Institute of Technology
  Yeongjin is a PhD student at the Georgia Institute of Technology. His research interests are focused on operating system and mobile security. Prior to joining Georgia Tech, he participated in various capture-the-flags (CTF), including DEF CON CTF, CODEGATE, etc. He received his BS degree in Computer Science from KAIST in 2010.
• Byoungyoung Lee - Georgia Institute of Technology
  Byoungyoung Lee is a PhD student at Georgia Tech. He has interests in both practical and academic software security research. He is one of the contributors of the DarunGrim project, a popular binary diffing tool. With this project, he runs the ExploitShop blog, which uncovers many different Microsoft patched vulnerabilities. He has spoken at Black Hat and Infosec Southwest before, and he also has actively participated in wargames and advanced to DEF CON CTF finals several times. He also loves to write fuzzers targeting various software products for bug bounties.

Links:

• https://www.blackhat.com/us-14/archives.html#abusing-performance-optimization-weaknesses-to-bypass-aslr
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/Abusing Performance Optimization Weaknesses to Bypass ASLR.mp4
• https://www.youtube.com/watch?v=YwVuaMeGX44

Similar Presentations:

• Black Hat Asia 2016 / Exploiting Linux and PaX ASLR's Weaknesses on 32-bit and 64-bit Systems
• ToorCon San Diego 16 (2014) / EMET 5.0 - armor or curtain?
• DeepSec 2014 „Do you want to know more?“ / On the Effectiveness of Full-ASLR on 64-bit Linux