
Issue 693042

Issue metadata

Status: Duplicate
Merged: issue 665930
Owner: ----
Closed: Feb 2017
EstimatedDays: ----
NextAction: ----
OS: All
Pri: ----
Type: Bug-Security




Security: AnC strips ASLR protections

Project Member Reported by joh...@chromium.org, Feb 16 2017

Issue description

VULNERABILITY DETAILS
ASLR⊕Cache (or AnC for short) claims to bypass ASLR protections by measuring MMU cache timings from JavaScript running in Chrome. See https://www.vusec.net/projects/anc/ and https://www.vusec.net/download/?t=papers/anc_ndss17.pdf for more details.

This bug is almost certainly a duplicate, since the authors mention that they disclosed the vulnerability to browser vendors in October 2016 (ahead of the public disclosure which just happened in February 2017), but filing it just in case as I haven't heard any mention of AnC on mailing lists.

VERSION
Chrome Version: presumably stable
Operating System: all

REPRODUCTION CASE
See videos on https://www.vusec.net/projects/anc/ (they omit the actual JS code from the public disclosure, though they probably already sent it to Chrome in October).
The native code variant is available on https://github.com/vusec/revanc.

Comment 1 by joh...@chromium.org, Feb 16 2017

- CVE-2017-5928 for web browser timing attacks
- CVE-2017-5927 for ARM processors
- CVE-2017-5925 for Intel processors
- CVE-2017-5926 for AMD processors

I also filed b/35418108 for the Android side of this.
Presumably Issue 665930?

Comment 3 by joh...@chromium.org, Feb 16 2017

Labels: -Restrict-View-SecurityTeam
Mergedinto: 665930
Status: Duplicate (was: Untriaged)
Project Member Comment 4 by sheriffbot@chromium.org, Feb 15 2018

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
