ASLR Bypass Attack: Prevention Alone Is Not Enough

Posted by Michael Davis   |   February 17, 2017


Defenders got a bit of a bad Valentine’s Day dinner surprise this week when VUSec announced a new bypass attack for address space layout randomization (ASLR).  The major media outlets such as Wired and ArsTechnica immediately put out articles talking about the problem and revealing all the juicy details.

What makes this vulnerability particularly bad is that there is no software fix. This is a hardware issue, which means a new patch from Microsoft or even from the Linux vendors most likely will not help.

Naturally, this leaves defenders in a bad spot. We don’t yet know how long it will take for a solution to be developed, but what we can anticipate with rather high confidence is that this is a huge issue, and that it is going to cause a lot of attackers to reinvigorate their old, but very successful, watering hole and drive-by download attacks, the very attacks that techniques like ASLR had helped endpoint security blunt for companies worldwide.

So what are we to do? What the media isn’t covering is that while this could be a massive problem, there are solutions that exist today to help enterprises detect, dynamically prevent, and respond to threats that bypass ASLR in the browser.

Techniques like ASLR are great (we love prevention and recommend you use it!), but prevention by definition is not 100 percent perfect and doesn’t always work. When prevention fails, enterprises can’t be left in the dark. We believe that enterprises shouldn’t be responding to every exploit vector or new threat that comes out. The constant zigzag of responding to the changing threat landscape gives the attackers an advantage.

Instead, we advise enterprises to recognize that, regardless of the threat vector or exploit, attacker behavior immediately after the exploit is a much smaller attack surface to protect.

For example, with our Endpoint Threat Platform, we monitor what the browser is doing on the system and analyze all of its code in memory, in real time, to determine whether, after an exploit is attempted, the browser tries to perform a simple dropper attack (common with watering hole and drive-by download attacks). We detect the dropper, analyze the file it is trying to launch, and identify whether it contains malicious capabilities; if so, we kill it and prevent it from running again.

This dynamic prevention withstands new exploits and threat vectors. As a matter of fact, we didn’t have to change a single piece of the product to detect this new ASLR bypass attack, so all of our existing customers were protected from the moment the research was announced.
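The post-exploit behavior described above, a browser process writing a file to disk and then launching it, is something a defender can look for in ordinary endpoint telemetry without knowing anything about the exploit that got the attacker there. The script below is an added example written for this post, not the vendor's product code: it runs that exploit-agnostic check over a few constructed file-create and process-create events. The event layout, the sample events, the list of browser image names, and the 120-second correlation window are all assumptions made for the example.

```python
"""Detect the browser-dropper pattern in endpoint telemetry (added example).

Rather than recognising the exploit itself, this looks for what happens right
after it: a browser process writes a file to disk and then launches it.  The
event layout and sample events below are constructed for this example and only
loosely resemble FileCreate / ProcessCreate sensor records; the browser list and
the correlation window are assumptions, not any product's rules.
"""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}  # assumed set
DROP_WINDOW_SECONDS = 120.0  # assumed: max delay between the write and the launch


@dataclass(frozen=True)
class Event:
    ts: float               # seconds since sensor start
    kind: str               # "file_create" or "process_create"
    pid: int                # writer pid (file_create) or new pid (process_create)
    image: str              # writer image (file_create) or new image (process_create)
    path: str = ""          # file_create only: path that was written
    ppid: int = 0           # process_create only: parent pid
    parent_image: str = ""  # process_create only: parent image


def _norm(path: str) -> str:
    """Normalise a Windows path so the written path and the launched image compare equal."""
    return path.replace("/", "\\").lower()


def is_browser(image: str) -> bool:
    """True if the image's file name is one of the browsers we watch."""
    return _norm(image).rsplit("\\", 1)[-1] in BROWSERS


def detect_browser_droppers(events):
    """Return one alert per file that a browser wrote and then launched.

    The rule never looks at how the browser was compromised, only at the
    dropper behaviour that follows, so a new ASLR bypass does not change it.
    """
    dropped = {}  # normalised path -> the browser's file_create event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create":
            if is_browser(ev.image):
                dropped[_norm(ev.path)] = ev
        elif ev.kind == "process_create":
            drop = dropped.get(_norm(ev.image))
            if drop is None:
                continue  # not a file that a browser wrote
            # The parent must itself be a browser (a user double-clicking a
            # download has explorer.exe as parent) and the launch must follow
            # the write within the correlation window.
            if is_browser(ev.parent_image) and ev.ts - drop.ts <= DROP_WINDOW_SECONDS:
                alerts.append({
                    "ts": ev.ts,
                    "browser_pid": ev.ppid,
                    "dropped_path": drop.path,
                    "child_pid": ev.pid,
                    "child_image": ev.image,
                })
    return alerts


# Constructed sample telemetry: one dropper, several benign look-alikes.
CHROME = r"C:\Program Files\Google\Chrome\chrome.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event(10.0, "file_create", 1200, CHROME, path=TEMP + r"\update.exe"),
    Event(11.0, "file_create", 1200, CHROME, path=r"C:\Users\alice\Downloads\report.pdf"),
    # the dropper: the browser launches the file it just wrote (case differs on purpose)
    Event(12.5, "process_create", 1300, TEMP + r"\UPDATE.EXE", ppid=1200, parent_image=CHROME),
    # benign: explorer launches notepad
    Event(13.0, "process_create", 1400, r"C:\Windows\System32\notepad.exe",
          ppid=800, parent_image=r"C:\Windows\explorer.exe"),
    # benign: an installer writes and runs its own helper (not a browser)
    Event(20.0, "file_create", 2000, r"C:\Windows\System32\msiexec.exe", path=TEMP + r"\helper.exe"),
    Event(21.0, "process_create", 2100, TEMP + r"\helper.exe",
          ppid=2000, parent_image=r"C:\Windows\System32\msiexec.exe"),
    # the same dropped file launched by the browser long after the write: outside the window
    Event(400.0, "process_create", 1500, TEMP + r"\update.exe", ppid=1200, parent_image=CHROME),
]

if __name__ == "__main__":
    for a in detect_browser_droppers(SAMPLE_EVENTS):
        print(f"[{a['ts']:.1f}s] browser pid {a['browser_pid']} launched dropped file "
              f"{a['dropped_path']} as pid {a['child_pid']}")
```

Run as a script it reports exactly one alert, the chrome.exe process that wrote update.exe and started it a couple of seconds later; the installer doing the same thing, the user-launched notepad, and the launch six minutes after the write are all left alone. In a real deployment the path match would be paired with the file analysis the post describes (inspecting the dropped file for malicious capabilities) before killing the child process.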
