@inproceedings{00df8c0840ba4eb7a65a9256a19aff0c,
title = "Jump over ASLR: Attacking branch predictors to bypass ASLR",
abstract = "Address Space Layout Randomization (ASLR) is a widely-used technique that protects systems against a range of attacks. ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code. In this paper, we develop an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB). Our attack exploits the observation that an adversary can create BTB collisions between the branch instructions of the attacker process and either the user-level victim process or on the kernel executing on its behalf. These collisions, in turn, can impact the timing of the attacker's code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel. We demonstrate that our attack can reliably recover kernel ASLR in about 60 milliseconds when performed on a real Haswell processor running a recent version of Linux. Finally, we describe several possible protection mechanisms, both in software and in hardware.",
keywords = "Address Space Layout Randomization, Bypass, Exploit Mitigation, Kernel Vulnerabilities, Side Channel, Timing Attacks, Timing Channel",
author = "Dmitry Evtyushkin and Dmitry Ponomarev and Nael Abu-Ghazaleh",
note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 49th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2016 ; Conference date: 15-10-2016 Through 19-10-2016",
year = "2016",
month = dec,
day = "14",
doi = "10.1109/MICRO.2016.7783743",
language = "English",
series = "Proceedings of the Annual International Symposium on Microarchitecture, MICRO",
publisher = "IEEE Computer Society",
booktitle = "MICRO 2016 - 49th Annual IEEE/ACM International Symposium on Microarchitecture",
}