October 20, 2016 By Larry Loeb 2 min read

Address space layout randomization (ASLR) is a widely-used method that prevents memory corruption attacks by arranging the address space positions of key data areas in a random manner. This technique can be found in the security designs of many applications and well-known operating systems.

But according to new research, it seems there is a new ASLR bypass out there.

A Map to an Unknown Destination

Attackers have bypassed ASLR in the past, but research teams from the State University of New York at Binghamton and the University of California, Riverside teamed up to devise a new ASLR bypass method based on what’s going on in the hardware of the central processing unit (CPU) that runs the code.

In their paper, “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR,” the researchers described their novel side-channel attack, which focuses on the branch target buffer (BTB) of the CPU. The BTB helps to predict where the next branch of code will be executed, which speeds up a CPU’s throughput.

The paper explained how an attacker could create BTB collisions between two user-level processes (or between a kernel and a user process) in a “controlled and robust manner.” The researchers found that “identifying the BTB collisions allows the attacker to determine the exact locations of known branch instructions in the code segment of the kernel or of the victim process, thus disclosing the ASLR offset.”

The whole point is to learn the offset length generated by the ASLR. It’s like having a map to an unknown destination that points out the way.

According to SecurityWeek, the researchers tested the attack on a Haswell CPU running a current version of Linux. They seemed confident that the attack would also work for Windows and Android. Not only that, but they felt it would work on a Kernel-based virtual machine (KVM), which would open up a new attack vector targeting virtualized computers.

Blocking ASLR Bypass

Some software changes might help here. One option is to switch to a finer-grain ASLR that changes on functions rather than only once during startup. This would at least make the attack harder to perform.

Primary mitigation, however, requires hardware changes. It may be necessary, for example, to change the affected addressing mechanism to prevent these collisions in a BTB. It can also be helpful to use separate indexing functions for user or kernel-level code. Whether the hardware manufacturers think this is serious enough to retool a CPU’s hardware remains to be seen.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today