MMU Magic in JavaScript: Breaking ASLR from a Sandbox presented at Powerofcommunity 2017

by Ben Gras

Summary: This talk presents a novel cache side-channel attack on the memory management unit (MMU) of contemporary processors. The attack, which we call ASLR^Cache or AnC for short, allows us to break 64-bit ASLR in the browser from JavaScript. With AnC in place, attackers no longer need to leak pointers before engaging in, for example, control-flow diversion attacks. Unlike existing side-channel attacks on ASLR, AnC is not easy to mitigate because it relies on hardware behaviour alone.
AnC relies on the fact that during address translation, the MMU's page table walk ends up in the processor's data caches. This research is the first publication to find and confirm this fact, and it is what makes a cache attack on ASLR possible.
We show how we can perform AnC even from JavaScript, which made it necessary to find an accurate memory-access timing mechanism that was previously unavailable. We found two, and have working proofs of concept (PoCs) for Firefox and Chrome. New for POC, we also develop a technique for reducing measurement noise.
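The mechanism the summary refers to, the page-table walk landing in the data cache, is worth seeing in terms of address bits. The following C model is an added illustration, not code from the talk or its proof of concept: it uses the architectural x86-64 constants (4 KiB pages, 512 eight-byte entries per table, 64-byte cache lines) and a constructed sample address to show which bits of a virtual address select which cache line at each of the four levels, and which bits (the 12-bit page offset and the low 3 bits of every index) a cache-line-granular observation can never distinguish. That split is the reason the abstract calls the attack hardware-only: none of it depends on software state that a runtime could randomise differently.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4-level paging constants (architectural, not assumptions). */
#define PTE_SIZE        8u
#define LINE_SIZE       64u
#define PTES_PER_LINE   (LINE_SIZE / PTE_SIZE)   /* 8 entries per cache line */
#define LEVELS          4

/* Constructed sample address: level indices 0x1AB, 0x0CD, 0x1FF, 0x008
 * and page offset 0x123 (chosen for readability, not a real layout). */
static const uint64_t SAMPLE_VA =
    ((uint64_t)0x1AB << 39) | ((uint64_t)0x0CD << 30) |
    ((uint64_t)0x1FF << 21) | ((uint64_t)0x008 << 12) | 0x123u;

/* 9-bit index into the page table at a given level (0 = PML4, 3 = PT). */
static unsigned pt_index(uint64_t va, int level) {
    unsigned shift = 39 - 9 * level;            /* 39, 30, 21, 12 */
    return (unsigned)((va >> shift) & 0x1ff);
}

/* Cache line (0..63) within the 4 KiB page-table page that holds the
 * entry the walk fetches at this level. */
static unsigned pt_line(uint64_t va, int level) {
    return pt_index(va, level) / PTES_PER_LINE;
}

/* Bits of the virtual address that determine *which cache line* each
 * level touches: the top 6 of the 9 index bits at every level. The low
 * 3 index bits (position inside the line) and the 12 offset bits never
 * influence the line and therefore stay hidden at this granularity. */
static uint64_t line_visible_mask(void) {
    uint64_t mask = 0;
    for (int level = 0; level < LEVELS; level++) {
        unsigned shift = 39 - 9 * level;
        mask |= (uint64_t)0x1f8 << shift;       /* 0x1f8 = top 6 of 9 bits */
    }
    return mask;                                 /* 0x0000FC7E3F1F8000 */
}

/* Two addresses touch exactly the same page-table cache lines iff they
 * agree on every visible bit. */
static int same_lines(uint64_t a, uint64_t b) {
    return ((a ^ b) & line_visible_mask()) == 0;
}

int main(void) {
    for (int level = 0; level < LEVELS; level++)
        printf("level %d: index %3u -> cache line %2u\n",
               level, pt_index(SAMPLE_VA, level), pt_line(SAMPLE_VA, level));
    printf("address bits visible at line granularity: 0x%016llx\n",
           (unsigned long long)line_visible_mask());
    return 0;
}
```

Running it prints the four (index, line) pairs for the sample address and the mask of visible bits; the mask covers 24 of the 48 address bits, which is why a 64-bit ASLR layout leaves far less entropy to the attacker than its nominal width suggests, and why mitigations discussed for this class target the timing source (the second part of the summary) rather than the translation mechanism itself.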