{
  "guid": "86c60da2-fefc-4750-ad22-fa821ce619b1",
  "title": "ASLR on the line",
  "subtitle": "Practical cache attacks on the MMU",
  "slug": "34c3-9135-aslr_on_the_line",
  "link": "https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9135.html",
  "description": "Address Space Layout Randomization (ASLR) is fundamentally broken on modern hardware due to a side-channel attack on the Memory management unit, allowing memory addresses to be leaked from JavaScript.  This talk will show how.\n\nAddress space layout randomization (ASLR) has often been sold as an\nimportant first line of defense against memory corruption attacks\nand a building block for many modern countermeasures. Existing\nattacks against ASLR rely on software vulnerabilities and/or on\nrepeated (and detectable) memory probing.\n\nIn this talk, we show that neither is a hard requirement\nand that ASLR is fundamentally insecure on modern cache-\nbased architectures, making ASLR and caching conflicting\nrequirements (ASLR xor Cache, or simply AnC). To support\nthis claim, we describe a new EVICT+TIME cache attack\non the virtual address translation performed by the memory\nmanagement unit (MMU) of modern processors. Our AnC attack\nrelies on the property that the MMU's page-table walks result\nin caching page-table pages in the shared last-level cache (LLC).\n\nAs a result, an attacker can derandomize virtual addresses of a\nvictim's code and data by locating the cache lines that store the\npage-table entries used for address translation.\nRelying only on basic memory accesses allows AnC to be\nimplemented in JavaScript without any specific instructions or\nsoftware features. We show our JavaScript implementation can\nbreak code and heap ASLR in two major browsers running on\nthe latest Linux operating system with 28 bits of entropy in 150\nseconds. We further verify that the AnC attack is applicable to\nevery modern architecture that we tried, including Intel, ARM\nand AMD. Mitigating this attack without naively disabling caches\nis hard, since it targets the low-level operations of the MMU.\nWe conclude that ASLR is fundamentally flawed in sandboxed\nenvironments such as JavaScript and future defenses should not\nrely on randomized virtual addresses as a building block.\n",
  "original_language": "eng",
  "persons": ["brainsmoke"],
  "tags": ["34c3", "9135", "Security"],
  "view_count": 2289,
  "promoted": false,
  "date": "2017-12-28T00:00:00.000+01:00",
  "release_date": "2017-12-29T01:00:00.000+01:00",
  "updated_at": "2026-03-20T11:30:05.214+01:00",
  "length": 2653,
  "duration": 2653,
  "thumb_url": "https://static.media.ccc.de/media/congress/2017/9135-hd.jpg",
  "poster_url": "https://static.media.ccc.de/media/congress/2017/9135-hd_preview.jpg",
  "timeline_url": "https://static.media.ccc.de/media/congress/2017/86c60da2-fefc-4750-ad22-fa821ce619b1-timeline.jpg",
  "thumbnails_url": "https://static.media.ccc.de/media/congress/2017/86c60da2-fefc-4750-ad22-fa821ce619b1-thumbnails.vtt",
  "frontend_link": "https://media.ccc.de/v/34c3-9135-aslr_on_the_line",
  "url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
  "conference_title": "34C3: TUWAT",
  "conference_url": "https://api.media.ccc.de/public/conferences/34c3",
  "related": [
    {"event_id": 4763, "event_guid": "2ef3b60f-6e5c-4c23-a145-d263685ec13e", "weight": 52},
    {"event_id": 4766, "event_guid": "19b7e5d7-bba7-46da-afbc-f16d43fe395f", "weight": 41},
    {"event_id": 4784, "event_guid": "65a25dfd-56dd-4e87-a910-334e2dc25a9c", "weight": 47},
    {"event_id": 4795, "event_guid": "722ce759-9cde-4e3b-8db5-5a97aa9673d9", "weight": 33},
    {"event_id": 4796, "event_guid": "ff24373e-ebe2-4077-9db0-eae5ab003538", "weight": 44},
    {"event_id": 4817, "event_guid": "be19fbe3-e825-4e67-93f9-a6aeda2e31af", "weight": 38},
    {"event_id": 4826, "event_guid": "16645200-2036-4a3c-a44d-a5ff44ac2991", "weight": 63},
    {"event_id": 4830, "event_guid": "5cf8c222-47d3-4741-9324-be182b4d0fb8", "weight": 54},
    {"event_id": 4832, "event_guid": "275f85de-d612-4440-8755-85dee5912f12", "weight": 44},
    {"event_id": 4833, "event_guid": "e1a60f7b-6a56-4dce-ab3a-c686fa940aa8", "weight": 85},
    {"event_id": 4842, "event_guid": "581ccbad-4bbf-47a2-8845-f52278d61061", "weight": 82},
    {"event_id": 4844, "event_guid": "5c5e888e-4556-405b-a205-e59b97db99e1", "weight": 48},
    {"event_id": 4845, "event_guid": "c21cb389-aba3-4eaa-ba1f-76f966b1686e", "weight": 36},
    {"event_id": 4846, "event_guid": "832b8fb8-beb1-4d92-93d0-ba3b7568905a", "weight": 21},
    {"event_id": 4847, "event_guid": "6d9ee2da-4907-415f-84b4-61ecfa783895", "weight": 10},
    {"event_id": 4850, "event_guid": "949bee69-3be0-4cc8-915b-5f1167141dcc", "weight": 42},
    {"event_id": 4856, "event_guid": "c5bfac96-8290-438a-a47a-ebdbf0ab5365", "weight": 38},
    {"event_id": 4866, "event_guid": "117a52b4-f675-49dd-aafe-659c07b6bc9c", "weight": 65},
    {"event_id": 4885, "event_guid": "956cf3ed-c342-4c1d-b636-29ec3d4578d2", "weight": 40},
    {"event_id": 4909, "event_guid": "03ba9edb-1d3a-4774-9384-7548c0696df7", "weight": 44}
  ],
  "recordings": [
    {
      "size": null,
      "length": null,
      "mime_type": "application/x-subrip",
      "language": "eng",
      "filename": "DRAFT_34c3-9135-eng-deu-ASLR_on_the_line.en_DRAFT.srt",
      "state": "todo",
      "folder": "",
      "high_quality": true,
      "width": null,
      "height": null,
      "updated_at": "2022-01-15T16:12:25.984+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/DRAFT_34c3-9135-eng-deu-ASLR_on_the_line.en_DRAFT.srt",
      "url": "https://api.media.ccc.de/public/recordings/57286",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 150,
      "length": 2653,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "34c3-9135-eng-ASLR_on_the_line.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2017-12-29T01:38:52.813+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/h264-hd/34c3-9135-eng-ASLR_on_the_line.mp4",
      "url": "https://api.media.ccc.de/public/recordings/21380",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 151,
      "length": 2653,
      "mime_type": "video/mp4",
      "language": "deu",
      "filename": "34c3-9135-deu-ASLR_on_the_line.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2017-12-29T01:39:00.214+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/h264-hd/34c3-9135-deu-ASLR_on_the_line.mp4",
      "url": "https://api.media.ccc.de/public/recordings/21381",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 239,
      "length": 2653,
      "mime_type": "video/mp4",
      "language": "eng-deu",
      "filename": "34c3-9135-eng-deu-ASLR_on_the_line_hd.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2017-12-29T01:39:07.795+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/h264-hd/34c3-9135-eng-deu-ASLR_on_the_line_hd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/21382",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 132,
      "length": 2653,
      "mime_type": "video/mp4",
      "language": "eng-deu",
      "filename": "34c3-9135-eng-deu-ASLR_on_the_line_hd-slides.mp4",
      "state": "new",
      "folder": "slides-h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2017-12-29T01:47:22.139+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/slides-h264-hd/34c3-9135-eng-deu-ASLR_on_the_line_hd-slides.mp4",
      "url": "https://api.media.ccc.de/public/recordings/21395",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 40,
      "length": 2638,
      "mime_type": "audio/mpeg",
      "language": "eng",
      "filename": "34c3-9135-eng-ASLR_on_the_line.mp3",
      "state": "new",
      "folder": "mp3",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2017-12-29T10:55:09.030+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/mp3/34c3-9135-eng-ASLR_on_the_line.mp3",
      "url": "https://api.media.ccc.de/public/recordings/21429",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 123,
      "length": 2653,
      "mime_type": "video/mp4",
      "language": "eng-deu",
      "filename": "34c3-9135-eng-deu-ASLR_on_the_line_sd.mp4",
      "state": "new",
      "folder": "h264-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2017-12-29T10:57:39.104+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/h264-sd/34c3-9135-eng-deu-ASLR_on_the_line_sd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/21433",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 29,
      "length": 2638,
      "mime_type": "audio/opus",
      "language": "eng",
      "filename": "34c3-9135-eng-ASLR_on_the_line.opus",
      "state": "new",
      "folder": "opus",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2017-12-29T10:58:06.952+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/opus/34c3-9135-eng-ASLR_on_the_line.opus",
      "url": "https://api.media.ccc.de/public/recordings/21434",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 195,
      "length": 2653,
      "mime_type": "video/webm",
      "language": "eng-deu",
      "filename": "34c3-9135-eng-deu-ASLR_on_the_line_webm-sd.webm",
      "state": "new",
      "folder": "webm-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2017-12-29T11:07:40.933+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/webm-sd/34c3-9135-eng-deu-ASLR_on_the_line_webm-sd.webm",
      "url": "https://api.media.ccc.de/public/recordings/21450",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 344,
      "length": 2653,
      "mime_type": "video/webm",
      "language": "eng-deu",
      "filename": "34c3-9135-eng-deu-ASLR_on_the_line_webm-hd.webm",
      "state": "new",
      "folder": "webm-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2017-12-29T11:19:19.252+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/webm-hd/34c3-9135-eng-deu-ASLR_on_the_line_webm-hd.webm",
      "url": "https://api.media.ccc.de/public/recordings/21468",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 52,
      "length": 2653,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "34c3-9135-eng-ASLR_on_the_line_sd-slides.mp4",
      "state": "new",
      "folder": "slides-h264-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2018-01-02T15:52:58.825+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/slides-h264-sd/34c3-9135-eng-ASLR_on_the_line_sd-slides.mp4",
      "url": "https://api.media.ccc.de/public/recordings/22322",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    },
    {
      "size": 2,
      "length": null,
      "mime_type": "application/pdf",
      "language": "eng",
      "filename": "34c3-9135-aslr_on_the_line.pdf",
      "state": "new",
      "folder": "slides-pdf",
      "high_quality": true,
      "width": null,
      "height": null,
      "updated_at": "2018-01-08T19:00:33.232+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2017/slides-pdf/34c3-9135-aslr_on_the_line.pdf",
      "url": "https://api.media.ccc.de/public/recordings/22463",
      "event_url": "https://api.media.ccc.de/public/events/86c60da2-fefc-4750-ad22-fa821ce619b1",
      "conference_url": "https://api.media.ccc.de/public/conferences/34c3"
    }
  ]
}