Friday, May 5 • 10:00am - 11:00am
MMU Magic in JavaScript: breaking ASLR from a sandbox


This talk presents an ASLR-breaking side channel that exploits a fundamental property of the CPU architecture yet is exploitable from JavaScript. This means browser exploitation from JavaScript will be easier, because memory disclosure bugs are no longer needed to leak ASLR information when exploiting bugs in the browser and JavaScript runtime. We have PoCs for Firefox and Chrome. This side channel has been confirmed to be present in all 22 different microarchitectures that we tried, including many current-day Intel, AMD and ARM CPU microarchitectures.

More concretely, we are able to write malicious JavaScript code that computes the full 64-bit virtual addresses of JavaScript data and code locations, as they are being looked up by the MMU, hence breaking JavaScript ASLR.

We do not rely on any software vulnerabilities to do this. Rather, we exploit the fact that page table cachelines are stored in the CPU cache when used for a lookup. An EVICT+TIME cache attack profiles the cachelines necessary to look up an address, letting us compute the target lookup address.
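To make the page-table/cacheline relationship concrete, here is an added JavaScript model (my own illustration, not the talk's PoC) of a 4-level x86-64 page-table walk: it shows which 64-byte cache line each level's lookup touches for a given virtual address, and which address bits those line indices therefore reveal. It assumes 4 KiB pages, 8-byte entries and 64-byte lines, and performs no timing or eviction at all.

```javascript
// Constructed model of a 4-level x86-64 page-table walk (illustration only).
// Each level uses 9 bits of the virtual address to index an 8-byte entry in a
// 4 KiB page-table page; that entry sits in cache line (index * 8) >> 6 = index >> 3.
// Assumptions: 4 KiB pages, 8-byte entries, 64-byte lines, 48-bit virtual addresses.
const LEVELS = 4;
const BITS_PER_LEVEL = 9n;
const PAGE_SHIFT = 12n;
const LINE_BITS = 3n; // log2(64-byte line / 8-byte entry): index bits hidden inside a line

// 9-bit page-table index for `level` (0 = PT, bits 12..20; 3 = PML4, bits 39..47).
function ptIndex(va, level) {
  return (va >> (PAGE_SHIFT + BITS_PER_LEVEL * BigInt(level))) & 0x1ffn;
}

// Cache line (0..63) inside each page-table page that a walk of `va` touches.
function walkCacheLines(va) {
  const lines = [];
  for (let lvl = 0; lvl < LEVELS; lvl++) {
    lines.push(Number(ptIndex(va, lvl) >> LINE_BITS));
  }
  return lines;
}

// Inverse: from the observed line per level, recover the address bits they expose.
// Each line index fixes the upper 6 of that level's 9 index bits; the low 3 bits
// per level and the 12 page-offset bits are not determined by the line alone.
function addressBitsFromLines(lines) {
  let known = 0n;
  let mask = 0n;
  lines.forEach((line, lvl) => {
    const shift = PAGE_SHIFT + BITS_PER_LEVEL * BigInt(lvl) + LINE_BITS;
    known |= BigInt(line) << shift;
    mask |= 0x3fn << shift;
  });
  return { known, mask };
}

// Constructed sample address; 24 of its 48 bits follow directly from the four lines.
const SAMPLE_VA = 0x00007f3a2b1c4d80n;
const lines = walkCacheLines(SAMPLE_VA);
const { known, mask } = addressBitsFromLines(lines);
console.log("lines per level:", lines);
console.log("recovered bits :", known.toString(16), "mask:", mask.toString(16));
```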

Having these addresses makes bugs in the browser and JavaScript runtime easier to exploit. We now know code and data locations that the JavaScript code has filled with whatever code and data the exploit might want to leverage. An exploit can then use this prepared code and data at computed locations at exploitation time - memory disclosure bugs to obtain these addresses are no longer needed.

In this talk we detail the technical workings of this technique, revisiting some CPU architecture lessons as needed. We combine these to form this side channel. Then we discuss its implementation in JavaScript, report its performance on a few metrics, and show a video demo.


Ben Gras

Research Intern, Cisco Systems
Ben was in the systems security research group of prof. Herbert Bos of the VU University in Amsterdam for 2 years, working on software reliability, defensive research projects, and most recently, offensive research, most noticeably publishing on making cross-VM Rowhammer exploitation...

Friday May 5, 2017 10:00am - 11:00am EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902