JavaScript super bug: instantly cracks x86/ARM processors

Researchers from VUSec, the systems and network security group of the Vrije Universiteit Amsterdam, revealed an attack technique on the 15th of this month that bypasses the address space layout randomization (ASLR) protection on 22 processors, affecting Intel, AMD, NVIDIA, Samsung and other processor brands.

ASLR is a default security mechanism in many operating systems. It places an application's code and data at random locations in the virtual address space, raising the bar for attackers, and is regarded as the first line of defense protecting users online.

ASLR's weakness lies in the fundamental way modern processors manage memory. VUSec researchers built a JavaScript attack that completely strips away the security guarantee ASLR provides.

The researchers explained that the processor's memory management unit (MMU) uses the cache hierarchy to speed up page table walks, but that same cache hierarchy is shared with other programs, such as JavaScript running in a browser.

So they built a side-channel attack called ASLR⊕Cache (AnC), which can detect the location of the page table while the MMU performs a page table walk.

The researchers developed both a native and a JavaScript version of AnC. The native version was used to establish that the MMU signal is observable on 22 processors. The JavaScript version was then used to find code pointers and heap pointers in the Firefox and Chrome browsers and compute their actual addresses. ASLR protection can be defeated in as little as 25 seconds.

At this stage, VUSec has released the native version of AnC for research purposes. However, to protect users online, it does not intend to publish the JavaScript version. Even so, the researchers expect that a highly skilled attacker could reproduce the attack within a few weeks.

VUSec warns that because AnC exploits fundamental properties of the processor, there is currently no fix. For users, the only defense is to avoid running untrusted JavaScript, or to install a browser plug-in that blocks JavaScript outright. In fact, AnC dates back to last October, but at that time VUSec decided to first notify the affected industries, including processor, browser and operating system vendors, and held off disclosure until this week.