MMU Cache Side Channel Attack: Breaking ASLR from a Javascript Sandbox

Speaker: Ben Gras


We present a novel MMU cache side-channel attack that can recover virtual addresses by tracing MMU cache footprints.

We rely on a micro-architectural property of the CPU, not on any software bug. The practical consequence is that we can compute the virtual addresses of sandboxed Javascript objects and code using only untrusted Javascript, which makes Javascript runtime exploitation significantly easier. The signal is visible on Intel, AMD and ARM CPUs.
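To make concrete why an MMU cache footprint reveals address bits, here is an added illustration of the arithmetic on x86-64 4-level paging with 4 KiB pages, 8-byte entries and 64-byte cache lines. It is not code from the talk or its authors: a page walk loads one entry per level, so the cache line it touches within each table page is fixed by the top six of that level's nine index bits, and inverting the footprint gives those bits back. The function names and the sample address are my own, and the observation that the remaining three bits per level are not resolved by this arithmetic alone is part of the illustration, not a description of what the talk's attack does.

```python
# Added illustration of which virtual-address bits a page-walk cache footprint
# exposes on x86-64 (4-level paging, 4 KiB pages, 8-byte entries, 64-byte lines).
# Not the talk's code; function names and the sample address are hypothetical.

ENTRY_SIZE = 8
LINE_SIZE = 64
ENTRIES_PER_LINE = LINE_SIZE // ENTRY_SIZE      # 8 entries share one cache line
INDEX_BITS = 9                                   # 512 entries per 4 KiB table
LINE_BITS = INDEX_BITS - 3                       # top 6 index bits pick the line

# Bit position of each level's 9-bit table index in a 48-bit virtual address.
LEVEL_SHIFT = {"PML4": 39, "PDPT": 30, "PD": 21, "PT": 12}


def table_indices(vaddr):
    """9-bit index into each page-table level for a virtual address."""
    return {lvl: (vaddr >> s) & ((1 << INDEX_BITS) - 1)
            for lvl, s in LEVEL_SHIFT.items()}


def footprint(vaddr):
    """Cache line (0..63) inside each level's table page that the walk touches.

    Each entry is 8 bytes, so eight consecutive entries sit in one 64-byte
    line: the line number is the index divided by ENTRIES_PER_LINE.
    """
    return {lvl: idx // ENTRIES_PER_LINE
            for lvl, idx in table_indices(vaddr).items()}


def recovered_bits(fp):
    """Invert a footprint: return (value, mask) where mask marks the address
    bits the footprint pins down. Each observed line yields the top 6 of a
    level's 9 index bits; the low 3 (which entry within the line) stay unknown.
    """
    value = mask = 0
    for lvl, line in fp.items():
        shift = LEVEL_SHIFT[lvl] + (INDEX_BITS - LINE_BITS)
        value |= line << shift
        mask |= ((1 << LINE_BITS) - 1) << shift
    return value, mask


def unresolved_bits(mask):
    """Address bits 12..47 that the footprint does not determine
    (bits 0..11 are the page offset, which the page walk never consults)."""
    return [b for b in range(12, 48) if not (mask >> b) & 1]


if __name__ == "__main__":
    sample = 0x00007F1234567890                  # constructed sample address
    fp = footprint(sample)
    value, mask = recovered_bits(fp)
    print("footprint (line per level):", fp)
    print(f"known bits: {value:#018x}  mask: {mask:#018x}")
    print("still unresolved:", unresolved_bits(mask))
    # A neighbouring page whose entry sits in the same lines is indistinguishable.
    assert footprint(sample - 0x1000) == fp
```

Running it shows that a single footprint fixes 24 of the 36 translated address bits; the three low index bits at every level (twelve bits in total) need a further signal, which is exactly the gap a practical attack has to close before it can name an exact address.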

This talk combines some interesting low-level details of how CPUs work with the highest layer in the software stack, i.e. a Javascript sandbox.


Ben Gras has been a member of the systems security research group of Prof. Herbert Bos at VU University since 2015. He has worked on software reliability and defensive research projects, and most recently on offensive research, most notably making cross-VM Rowhammer exploitation reliable and developing a cache-based MMU side-channel attack.

From February to July 2017 he did a research internship with Cisco's security research group in Knoxville, TN. He is presently pursuing a PhD in mischief.

Twitter: @bjg

Autumn 2017

Vereniging NLUUG
P.O. Box 8189
6710 AD Ede