Jump over ASLR: Attacking branch predictors to bypass ASLR

@article{Evtyushkin2016JumpOA,
  title={Jump over ASLR: Attacking branch predictors to bypass ASLR},
  author={Dmitry Evtyushkin and D. Ponomarev and N. Abu-Ghazaleh},
  journal={2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO)},
  year={2016},
  pages={1-13}
}
Address Space Layout Randomization (ASLR) is a widely used technique that protects systems against a range of attacks. ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code. In this paper, we develop an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB). Our attack…
159 Citations

Paper Mentions

  • Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
  • ret2spec: Speculative Execution Using Return Stack Buffers
  • Smokestack: Thwarting DOP Attacks with Runtime Stack Layout Randomization (M. T. Aga, T. Austin; 2019 IEEE/ACM International Symposium on Code Generation and Optimization (CGO), 2019)
  • ExSpectre: Hiding Malware in Speculative Execution
  • Speculative Probing: Hacking Blind in the Spectre Era
  • Spectre Attacks: Exploiting Speculative Execution
  • Thwarting Control Plane Attacks with Displaced and Dilated Address Spaces
  • RASSLE: Return Address Stack based Side-channel LEakage
