Abstract: Numerous effective defenses such as ASLR and execute-no-read (XnR) memory have recently been proposed to counter code-reuse attacks in software systems. These methods protect systems by randomizing the code layout or by constraining memory access. This paper uncovers a vulnerability shared by these approaches: the lack of protection against timing channels. We present a new attack, the timing function attack, which can mount a code-reuse attack despite the presence of state-of-the-art defenses. By exploiting a timing channel, we obtain the security-critical layout information that these defenses hide spatially. Specifically, we use function execution time as a side channel to de-randomize the layout of code segments and then carry out a code-reuse attack. To verify its practicality, we mount the attack against the ChakraCore and Chrome V8 JavaScript engines; the results show that it bypasses defenses such as function-granularity ASLR and XnR and achieves privilege escalation. We also introduce SAROP, which uses speculative-execution vulnerabilities to bypass address randomization. We compare the two attacks and discuss defense mechanisms, emphasizing the need for multi-layered security.
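The abstract rests on one primitive: a script can time a function call with a high-resolution timer, reduce many noisy samples to a robust statistic, and use that statistic as a fingerprint that tells functions apart even when their addresses are hidden. The block below is an added illustration of that generic primitive in JavaScript, written for this page; it is not the paper's code and does not reproduce its de-randomization procedure or any engine-specific step. The workload functions, sample counts and the nearest-fingerprint classifier are constructed assumptions for the example.

```javascript
// Added illustration of the timing side-channel primitive: repeatedly time a
// call with a high-resolution timer, take the median, and use medians as
// fingerprints to distinguish functions. NOT the paper's attack code; the
// workloads and thresholds below are constructed for this example.

const perf = typeof performance !== "undefined"
  ? performance
  : require("perf_hooks").performance; // fallback for older Node without a global

// Global sink so the JIT cannot dead-code-eliminate the workloads.
let sink = 0;

// Constructed workloads standing in for functions with different bodies.
function workLight()  { let a = 0; for (let i = 0; i < 5000;   i++) a += i ^ (a >>> 3); sink += a; }
function workMedium() { let a = 0; for (let i = 0; i < 50000;  i++) a += i ^ (a >>> 3); sink += a; }
function workHeavy()  { let a = 0; for (let i = 0; i < 500000; i++) a += i ^ (a >>> 3); sink += a; }

// Smallest non-zero step the timer reports, in ms. Browsers deliberately
// coarsen performance.now() (tens to hundreds of microseconds unless the page
// is cross-origin isolated); Node reports sub-microsecond steps. Attackers
// compensate by sampling more and by amplifying the timed work.
function timerResolutionMs(probes = 10000) {
  let best = Infinity;
  let last = perf.now();
  for (let i = 0; i < probes; i++) {
    const now = perf.now();
    const d = now - last;
    if (d > 0 && d < best) best = d;
    last = now;
  }
  return best;
}

// Median of `samples` timings of fn(), after a warm-up so JIT tiering does
// not skew the early samples. The median resists scheduler outliers that
// would wreck a mean.
function timeMedianMs(fn, samples = 101, warmup = 20) {
  for (let i = 0; i < warmup; i++) fn();
  const t = new Float64Array(samples);
  for (let i = 0; i < samples; i++) {
    const start = perf.now();
    fn();
    t[i] = perf.now() - start;
  }
  t.sort(); // Float64Array sorts numerically
  return t[samples >> 1];
}

// Calibration: fingerprint each known function by its median execution time.
function calibrate(known) {
  const fp = {};
  for (const [name, fn] of Object.entries(known)) fp[name] = timeMedianMs(fn);
  return fp;
}

// Classify an unknown callable by the nearest fingerprint in log-time space,
// so the decision is ratio-based and a 10x workload gap dominates noise.
function classify(fn, fingerprints) {
  const m = Math.log(timeMedianMs(fn));
  let best = null;
  let bestDist = Infinity;
  for (const [name, ref] of Object.entries(fingerprints)) {
    const d = Math.abs(m - Math.log(ref));
    if (d < bestDist) { bestDist = d; best = name; }
  }
  return best;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("timer resolution (ms):", timerResolutionMs());
  const fp = calibrate({ light: workLight, medium: workMedium, heavy: workHeavy });
  console.log("fingerprints (ms):", fp);
  console.log("unknown callable classified as:", classify(workHeavy, fp));
}
```

The practitioner's caveat is the resolution check: a defense that only coarsens the timer shifts the attacker's cost (more samples, heavier amplification) rather than closing the channel, which is why the abstract argues for layered defenses rather than relying on timer restrictions alone.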