Side-channel attacks are always interesting and fun. Indeed, the authors have stumbled into areas that need more research. Their research can be applicable in certain circumstances.
As a side note, KASLR in general is rather weak and can be considered a waste of time[2]. The discussion of why is outside the scope of this article.

No Independent Analysis

The authors of the paper have not shared their code or provided any method for independent analysis. Code on GitHub[3] now exists for breaking Linux KASLR. But as mentioned above, KASLR is worthless. With regards to breaking ASLR, we will see that in order to fully analyze their findings, we will need full steps for reproduction. Since the authors provided no such thing, independent analysis is not possible.

The Local Attack Requirement

The BTB whitepaper makes an assumption that is becoming all too common in recent anti-ASLR whitepapers: the local attack vector.
The primary assumption made by the whitepaper is that the attacker can already run arbitrary code on the system. This would mean that the attack against ASLR is local. Exploit mitigation technologies like ASLR are not meant to protect against local attacks, but rather remote attacks. Indeed, if an attacker can run arbitrary code, the game is already over.
ASLR as a concept was designed solely to help protect against remote attacks. If an attacker is able to gain entry to a system remotely, it should be in a way such that ASLR isn't applicable. Take a phishing attack, for example. The attacker crafts a malicious Word document that contains a macro to spawn a shell. If the attacker can successfully convince the user to open the document with macros enabled, ASLR isn't applicable.
One could argue that ASLR should help protect against privilege escalation (privesc) attacks locally. ASLR might indeed help, but once an attacker has gained access to the system, so many other vectors for privesc have opened up. Traditional system hardening would apply best in mitigating local attacks, not ASLR. Normal system hardening could include implementing MAC/DAC, disabling unprivileged debugging, setting securelevel, etc.
Another assumption made by the whitepaper is that the attacker does not use any information leaks directly provided by the victim process. The only information the attacker gains about the victim process is through the BTB side-channel attack.
Victim Process and Spy Process

The paper describes a scenario where there are two processes involved: a victim process and a spy process. The victim process is the process the attacker is truly interested in. The attacker crafts a special spy binary such that, when loaded, certain of its code branches align with those of the victim process (meaning they share the exact same virtual address).
Crafting this spy application would require intimate knowledge of the victim process, including its memory layout during runtime. If the attacker needs to use side-channel attacks to determine ASLR deltas, how would the attacker be able to craft such a special binary in advance?
Non-ASLR ASLR

Early on, the whitepaper describes an ASLR system that isn't applicable to its target operating environment (Linux):
some ASLR implementations randomize positions of libraries only one time during the system boot. Consequently, all processes executed on a machine receive the same mappings of the libraries.
Linux does not implement ASLR as described above. Every new execution environment will have separate deltas applied. Thus, libc loaded in one application will have a different base address than libc loaded in another application (or even a separate instance of the same application).
Later on, the paper describes why their attack on ASLR is successful:
Our expectation is that the two branch instructions will map to the same BTB entry if they are located at the same virtual address.
(Emphasis theirs, not mine).
In order for two distinct processes to match up completely with regards to virtual address space, ASLR would need to be completely disabled.
So, in order to defeat ASLR, this whitepaper assumes ASLR must be disabled. See Appendices A and B to see how distinct instances of the Z shell (zsh) with ASLR fully applied do not get the same deltas applied to the virtual address space. The only way for the virtual addresses to be the same is to disable ASLR.
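As an added example (not code from the original article), the Python below parses procstat -v rows like those in the appendices and reports, for each mapped object, its text-segment base in each run and the delta between the runs; it also computes the distance between the runtime linker and libc within a single run, which can be compared across the two appendices. The sample rows are copied from Appendices A and B.

```python
import re

# Column layout of `procstat -v` rows, as printed in the article's appendices:
#   PID START END PRT RES PRES REF SHD FLAG TP PATH
# Anonymous mappings (TP == "df") carry no PATH and are skipped below.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+"
    r"(?P<prt>[rwx-]{3})\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+(?P<tp>\S+)"
    r"(?:\s+(?P<path>\S+))?$"
)

# Sample rows copied from Appendix A (PID 13309) and Appendix B (PID 38232):
# the text segment of zsh, the runtime linker and libc, plus one anonymous row.
SAMPLE = """\
13309 0x17658f41000 0x17658ff9000 r-x 172 180 24 16 CN-- vn /usr/local/bin/zsh
13309 0x17659200000 0x17659206000 rw- 6 6 1 0 C--- df
13309 0x27144501000 0x27144520000 r-x 31 33 115 53 CN-- vn /libexec/ld-elf.so.1
13309 0x27144bab000 0x27144d40000 r-x 405 417 148 86 CN-- vn /lib/libc.so.7
38232 0x3aa18e96000 0x3aa18f4e000 r-x 172 180 24 16 CN-- vn /usr/local/bin/zsh
38232 0x3aa19155000 0x3aa1915b000 rw- 6 6 1 0 C--- df
38232 0x41f9298c000 0x41f929ab000 r-x 31 33 115 53 CN-- vn /libexec/ld-elf.so.1
38232 0x41f93036000 0x41f931cb000 r-x 405 417 148 86 CN-- vn /lib/libc.so.7
"""


def text_bases(procstat_output):
    """Map pid -> {path: start address of that object's r-x (text) mapping}."""
    bases = {}
    for line in procstat_output.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("path") is None or m.group("prt") != "r-x":
            continue  # header line, anonymous memory, or a non-text segment
        pid = int(m.group("pid"))
        bases.setdefault(pid, {})[m.group("path")] = int(m.group("start"), 16)
    return bases


def compare_runs(bases, pid_a, pid_b):
    """For each object mapped in both runs: (base_a, base_b, base_b - base_a)."""
    shared = bases[pid_a].keys() & bases[pid_b].keys()
    return {p: (bases[pid_a][p], bases[pid_b][p], bases[pid_b][p] - bases[pid_a][p])
            for p in sorted(shared)}


def distance(bases, pid, path_from, path_to):
    """Offset between two objects inside one run. Comparing it across runs shows
    whether the objects were randomized independently or shifted as a group."""
    return bases[pid][path_to] - bases[pid][path_from]
```

Running `compare_runs(text_bases(SAMPLE), 13309, 38232)` gives a non-zero delta for every object, while `distance(..., "/libexec/ld-elf.so.1", "/lib/libc.so.7")` is the same in both runs.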
Conclusion

Though the attack might have some merits with regards to KASLR, the attack on ASLR is completely debunked. The authors of the paper didn't release any supporting code or steps for independent analysis and verification. The results, therefore, cannot be trusted until the authors fully open source their work and the work is validated by trusted and independent third parties.
References

[1] https://github.com/lattera/articles/blob/master/infosec/Exploit%20Mitigations/ASLR/2016-10-19_btb/references/micro16.pdf
[2] https://forums.grsecurity.net/viewtopic.php?f=7&t=3367
[3] https://github.com/felixwilhelm/mario_baslr/

Appendix A: /usr/local/bin/zsh on HardenedBSD, run 1

PID START END PRT RES PRES REF SHD FLAG TP PATH
13309 0x17658f41000 0x17658ff9000 r-x 172 180 24 16 CN-- vn /usr/local/bin/zsh
13309 0x176591f8000 0x176591fb000 r-- 3 0 1 0 CN-- vn /usr/local/bin/zsh
13309 0x176591fb000 0x17659200000 rw- 5 0 1 0 C--- vn /usr/local/bin/zsh
13309 0x17659200000 0x17659206000 rw- 6 6 1 0 C--- df
13309 0x27144501000 0x27144520000 r-x 31 33 115 53 CN-- vn /libexec/ld-elf.so.1
13309 0x27144520000 0x27144550000 rw- 40 40 1 0 C--- df
13309 0x27144562000 0x27144578000 r-- 2 2 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Misc.zwc
13309 0x27144578000 0x2714458f000 r-- 7 7 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Completion.zwc
13309 0x2714459c000 0x271445bd000 r-- 22 22 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Completion/Base.zwc
13309 0x271445bd000 0x271445d3000 r-- 3 3 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Zle.zwc
13309 0x27144720000 0x27144721000 rw- 1 0 1 0 CN-- vn /libexec/ld-elf.so.1
13309 0x27144721000 0x27144723000 rw- 2 2 1 0 C--- df
13309 0x27144723000 0x2714477a000 r-x 57 62 24 16 CN-- vn /lib/libncursesw.so.8
13309 0x2714477a000 0x2714497a000 --- 0 0 1 0 CN-- df
13309 0x2714497a000 0x2714497e000 r-- 4 0 1 0 CN-- vn /lib/libncursesw.so.8
13309 0x2714497e000 0x2714497f000 rw- 1 0 1 0 C--- vn /lib/libncursesw.so.8
13309 0x2714497f000 0x27144980000 rw- 1 1 1 0 CN-- df
13309 0x27144980000 0x271449aa000 r-x 42 43 51 33 CN-- vn /lib/libm.so.5
13309 0x271449aa000 0x27144ba9000 --- 0 0 1 0 CN-- df
13309 0x27144ba9000 0x27144baa000 r-- 1 0 1 0 CN-- vn /lib/libm.so.5
13309 0x27144baa000 0x27144bab000 rw- 1 0 1 0 CN-- vn /lib/libm.so.5
13309 0x27144bab000 0x27144d40000 r-x 405 417 148 86 CN-- vn /lib/libc.so.7
13309 0x27144d40000 0x27144f40000 --- 0 0 1 0 CN-- df
13309 0x27144f40000 0x27144f48000 r-- 8 0 1 0 CN-- vn /lib/libc.so.7
13309 0x27144f48000 0x27144f4c000 rw- 4 0 1 0 C--- vn /lib/libc.so.7
13309 0x27144f4c000 0x27144f66000 rw- 14 14 1 0 C--- df
13309 0x27145000000 0x27145400000 rw- 520 520 1 0 C--- df
13309 0x27145400000 0x2714544a000 r-x 58 67 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/zle.so
13309 0x2714544a000 0x2714564a000 --- 0 0 1 0 CN-- df
13309 0x2714564a000 0x2714564c000 r-- 2 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/zle.so
13309 0x2714564c000 0x27145653000 rw- 7 0 1 0 C--- vn /usr/local/lib/zsh/5.2/zsh/zle.so
13309 0x27145653000 0x27145676000 r-x 34 36 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/complete.so
13309 0x27145676000 0x27145875000 --- 0 0 1 0 CN-- df
13309 0x27145875000 0x27145877000 r-- 2 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/complete.so
13309 0x27145877000 0x27145878000 rw- 1 0 1 0 C--- vn /usr/local/lib/zsh/5.2/zsh/complete.so
13309 0x27145878000 0x27145887000 r-x 12 14 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/complist.so
13309 0x27145887000 0x27145a87000 --- 0 0 1 0 CN-- df
13309 0x27145a87000 0x27145a88000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/complist.so
13309 0x27145a88000 0x27145a89000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/complist.so
13309 0x27145a89000 0x27145a90000 r-x 7 8 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/zutil.so
13309 0x27145a90000 0x27145c8f000 --- 0 0 1 0 CN-- df
13309 0x27145c8f000 0x27145c90000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/zutil.so
13309 0x27145c90000 0x27145c91000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/zutil.so
13309 0x27145c91000 0x27145c93000 r-x 2 3 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/langinfo.so
13309 0x27145c93000 0x27145e92000 --- 0 0 1 0 CN-- df
13309 0x27145e92000 0x27145e93000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/langinfo.so
13309 0x27145e93000 0x27145e94000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/langinfo.so
13309 0x27145e94000 0x27145e96000 r-x 2 3 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/terminfo.so
13309 0x27145e96000 0x27146095000 --- 0 0 1 0 CN-- df
13309 0x27146095000 0x27146096000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/terminfo.so
13309 0x27146096000 0x27146097000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/terminfo.so
13309 0x27146097000 0x271460a0000 r-x 8 10 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/parameter.so
13309 0x271460a0000 0x271462a0000 --- 0 0 1 0 CN-- df
13309 0x271462a0000 0x271462a1000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/parameter.so
13309 0x271462a1000 0x271462a2000 rw- 1 0 1 0 C--- vn /usr/local/lib/zsh/5.2/zsh/parameter.so
13309 0x27146400000 0x27146600000 rw- 210 210 1 0 C--- df
13309 0x725e8f455000 0x725e8f475000 rw- 32 32 1 0 C--D df
13309 0x7f338771c000 0x7f338771d000 r-x 1 1 108 0 ---- ph

Appendix B: /usr/local/bin/zsh on HardenedBSD, run 2

PID START END PRT RES PRES REF SHD FLAG TP PATH
38232 0x3aa18e96000 0x3aa18f4e000 r-x 172 180 24 16 CN-- vn /usr/local/bin/zsh
38232 0x3aa1914d000 0x3aa19150000 r-- 3 0 1 0 CN-- vn /usr/local/bin/zsh
38232 0x3aa19150000 0x3aa19155000 rw- 5 0 1 0 C--- vn /usr/local/bin/zsh
38232 0x3aa19155000 0x3aa1915b000 rw- 6 6 1 0 C--- df
38232 0x41f9298c000 0x41f929ab000 r-x 31 33 115 53 CN-- vn /libexec/ld-elf.so.1
38232 0x41f929ab000 0x41f929db000 rw- 40 40 1 0 C--- df
38232 0x41f929ed000 0x41f92a03000 r-- 2 2 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Misc.zwc
38232 0x41f92a03000 0x41f92a1a000 r-- 7 7 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Completion.zwc
38232 0x41f92a27000 0x41f92a48000 r-- 22 22 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Completion/Base.zwc
38232 0x41f92a48000 0x41f92a5e000 r-- 3 3 8 0 ---- vn /usr/local/share/zsh/5.2/functions/Zle.zwc
38232 0x41f92bab000 0x41f92bac000 rw- 1 0 1 0 CN-- vn /libexec/ld-elf.so.1
38232 0x41f92bac000 0x41f92bae000 rw- 2 2 1 0 C--- df
38232 0x41f92bae000 0x41f92c05000 r-x 57 62 24 16 CN-- vn /lib/libncursesw.so.8
38232 0x41f92c05000 0x41f92e05000 --- 0 0 1 0 CN-- df
38232 0x41f92e05000 0x41f92e09000 r-- 4 0 1 0 CN-- vn /lib/libncursesw.so.8
38232 0x41f92e09000 0x41f92e0a000 rw- 1 0 1 0 C--- vn /lib/libncursesw.so.8
38232 0x41f92e0a000 0x41f92e0b000 rw- 1 1 1 0 CN-- df
38232 0x41f92e0b000 0x41f92e35000 r-x 42 43 51 33 CN-- vn /lib/libm.so.5
38232 0x41f92e35000 0x41f93034000 --- 0 0 1 0 CN-- df
38232 0x41f93034000 0x41f93035000 r-- 1 0 1 0 CN-- vn /lib/libm.so.5
38232 0x41f93035000 0x41f93036000 rw- 1 0 1 0 CN-- vn /lib/libm.so.5
38232 0x41f93036000 0x41f931cb000 r-x 405 417 148 86 CN-- vn /lib/libc.so.7
38232 0x41f931cb000 0x41f933cb000 --- 0 0 1 0 CN-- df
38232 0x41f933cb000 0x41f933d3000 r-- 8 0 1 0 CN-- vn /lib/libc.so.7
38232 0x41f933d3000 0x41f933d7000 rw- 4 0 1 0 C--- vn /lib/libc.so.7
38232 0x41f933d7000 0x41f933f1000 rw- 14 14 1 0 C--- df
38232 0x41f93400000 0x41f93800000 rw- 520 520 1 0 C--- df
38232 0x41f93800000 0x41f9384a000 r-x 58 67 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/zle.so
38232 0x41f9384a000 0x41f93a4a000 --- 0 0 1 0 CN-- df
38232 0x41f93a4a000 0x41f93a4c000 r-- 2 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/zle.so
38232 0x41f93a4c000 0x41f93a53000 rw- 7 0 1 0 C--- vn /usr/local/lib/zsh/5.2/zsh/zle.so
38232 0x41f93a53000 0x41f93a76000 r-x 34 36 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/complete.so
38232 0x41f93a76000 0x41f93c75000 --- 0 0 1 0 CN-- df
38232 0x41f93c75000 0x41f93c77000 r-- 2 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/complete.so
38232 0x41f93c77000 0x41f93c78000 rw- 1 0 1 0 C--- vn /usr/local/lib/zsh/5.2/zsh/complete.so
38232 0x41f93c78000 0x41f93c87000 r-x 12 14 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/complist.so
38232 0x41f93c87000 0x41f93e87000 --- 0 0 1 0 CN-- df
38232 0x41f93e87000 0x41f93e88000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/complist.so
38232 0x41f93e88000 0x41f93e89000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/complist.so
38232 0x41f93e89000 0x41f93e90000 r-x 7 8 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/zutil.so
38232 0x41f93e90000 0x41f9408f000 --- 0 0 1 0 CN-- df
38232 0x41f9408f000 0x41f94090000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/zutil.so
38232 0x41f94090000 0x41f94091000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/zutil.so
38232 0x41f94091000 0x41f94093000 r-x 2 3 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/langinfo.so
38232 0x41f94093000 0x41f94292000 --- 0 0 1 0 CN-- df
38232 0x41f94292000 0x41f94293000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/langinfo.so
38232 0x41f94293000 0x41f94294000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/langinfo.so
38232 0x41f94294000 0x41f94296000 r-x 2 3 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/terminfo.so
38232 0x41f94296000 0x41f94495000 --- 0 0 1 0 CN-- df
38232 0x41f94495000 0x41f94496000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/terminfo.so
38232 0x41f94496000 0x41f94497000 rw- 1 0 1 0 C--- vn /usr/local/lib/zsh/5.2/zsh/terminfo.so
38232 0x41f94497000 0x41f944a0000 r-x 8 10 24 16 CN-- vn /usr/local/lib/zsh/5.2/zsh/parameter.so
38232 0x41f944a0000 0x41f946a0000 --- 0 0 1 0 CN-- df
38232 0x41f946a0000 0x41f946a1000 r-- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/parameter.so
38232 0x41f946a1000 0x41f946a2000 rw- 1 0 1 0 CN-- vn /usr/local/lib/zsh/5.2/zsh/parameter.so
38232 0x41f94800000 0x41f94a00000 rw- 206 206 1 0 ---- df
38232 0x7c9c2edd2000 0x7c9c2edf2000 rw- 1 1 1 0 CN-D df
38232 0x7c9c2edf2000 0x7c9c2ee12000 rw- 32 32 1 0 C--- df
38232 0x7f93ed02f000 0x7f93ed030000 r-x 1 1 108 0 ---- ph