Overview
Explore techniques for bypassing Address Space Layout Randomization (ASLR) by exploiting performance-optimization vulnerabilities in a 45-minute Black Hat conference talk. Delve into how hash table designs in programming languages like JavaScript, Python, and Ruby can leak address information, compromising ASLR security. Examine the Zygote process creation model in Android and its impact on ASLR effectiveness. Learn about real-world attacks demonstrated on the Safari web browser, Google Chrome, and VLC Media Player. Gain insights into the history of ASLR, system attack trends, and potential countermeasures against these vulnerabilities.
Syllabus
Intro
(Rough) System Attack Trends
A Brief History of ASLR
Bypassing ASLR
Hash Table and ASLR?
Address Information in Script Languages
Attacking ASLR with Hash Tables
Examples - Directly Reading a key
How to Infer a key in WebKit Javascript
Abusing Collision Resolution
DEMO
Countermeasures
History of ASLR adoption in Android
Performance Prioritized Designs of Android
Zygote: the process creation module
Zygote weakens ASLR effectiveness
Attacking the ASLR weakness
Remote Coordinated Attack
Local Trojan Attack
References
Taught by
Black Hat