Breaking the JavaScript ASLR

Presented at Summercon 2017, June 23, 2017, noon (50 minutes).

This talk presents an ASLR-breaking side channel that exploits a fundamental property of the CPU architecture yet is exploitable from JavaScript. This makes browser exploitation from JavaScript easier, since memory disclosure bugs are no longer needed to exploit bugs in the browser and the JavaScript runtime. We have PoCs for Firefox and Chrome. The side channel has been confirmed to be present in all 22 different microarchitectures that we tried, including many current-day Intel, AMD and ARM CPU microarchitectures.

More concretely, we are able to write malicious JavaScript code that computes the full 64-bit virtual addresses of JavaScript data and code locations as they are being looked up by the MMU, hence breaking the JavaScript ASLR. We do not rely on any software vulnerabilities to do this.

In this talk we detail the technical workings of this technique, revisiting CPU architecture lessons as needed, and combine them to form the side channel. We then discuss its implementation in JavaScript, show its performance on several metrics, and show a video demo.


Presenters:

  • Ben Gras
    Ben is currently a security research intern with Cisco Systems and has been part of the systems security research group at the Vrije Universiteit Amsterdam since 2015, where he is pursuing a PhD in mischief. Recently publicized attack research has included a reliable Rowhammer attack presented at Black Hat Europe in 2016. Previously, he was a scientific programmer working on the Minix operating system under Andy Tanenbaum for 10 years. @bjg