BREAKING THE JAVASCRIPT ASLR presented at Summercon 2017

by Ben Gras,

Summary: This talk presents an ASLR-breaking side channel that exploits a fundamental property of the CPU architecture yet is exploitable from JavaScript. This means browser exploitation from JavaScript will be easier, as memory disclosure bugs are no longer needed to exploit bugs in the browser and JavaScript runtime. We have PoCs for Firefox and Chrome. This side channel has been confirmed to be present in all 22 different microarchitectures that we tried, including many current-day Intel, AMD and ARM CPU microarchitectures.
More concretely, we are able to write malicious JavaScript code that computes full 64-bit virtual addresses of JavaScript data and code locations, as they are being looked up by the MMU, hence breaking the JavaScript ASLR. We do not rely on any software vulnerabilities to do this.
In this talk we detail the technical workings of this technique, revisiting some CPU architecture lessons as needed. We combine these to form this side channel. Then we discuss its implementation in JavaScript, show its performance in some metrics, and show a video demo.