
Timing and Speculative Execution Attacks: Defeating State-of-the-Art Code-Reuse Defenses
Author(s) - Zhang Tianning, Cai Miao, Zhang Diming, Huang Hao
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3573038
Subject(s) - aerospace , bioengineering , communication, networking and broadcast technologies , components, circuits, devices and systems , computing and processing , engineered materials, dielectrics and plasmas , engineering profession , fields, waves and electromagnetics , general topics for engineers , geoscience , nuclear engineering , photonics and electrooptics , power, energy and industry applications , robotics and control systems , signal processing and analysis , transportation
Abstract - Recently, numerous effective defensive strategies such as ASLR and execute-no-read (XnR) have been proposed to counter code-reuse attacks in software systems. These methods protect systems robustly through randomization or memory access constraints. However, this paper uncovers a novel weakness shared by these approaches: the lack of time protection. We present a new attack method named the timing function attack, which can mount a code-reuse attack even against state-of-the-art defense techniques. By exploiting the timing channel, we can obtain crucial security information despite previous efforts to hide spatial details. Specifically, we use function execution time as a side channel to de-randomize the code segment layout and then carry out a code-reuse attack. To verify its practicality, we conduct attacks on the ChakraCore and Chrome V8 JavaScript engines. Results show that it can bypass defenses such as function-granularity ASLR and XnR and escalate privileges. We also introduce SAROP, which uses speculative execution vulnerabilities to bypass address randomization. We compare these two attacks and discuss defense mechanisms, emphasizing the need for multi-layered security.