Researchers at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed an innovative new method to protect computers against hardware attacks.
Within a computer’s physical memory, program instructions are stored at specific addresses. Despite efforts to obscure these addresses with techniques like Address Space Layout Randomisation (ASLR), crafty hackers have found ways to exploit hardware flaws to hunt them down.
Dubbed ‘Oreo’ after the famous three-layered cookie, the researchers’ solution promises to bolster ASLR’s effectiveness and protect against the growing threat of microarchitectural side attacks by making such traces vanish.
Hackers can bypass ASLR for hardware attacks
ASLR is a standard security measure found in modern operating systems, including Linux and Windows. Its role is to scramble program instructions, making it harder for attackers to predict their exact location. However, hackers have developed cunning techniques to bypass ASLR.
Instead of exploiting software vulnerabilities directly, they rely on microarchitectural side attacks. These attacks target hardware to monitor which memory areas are accessed most frequently, using that information to piece together locations of sensitive data or snippets of executable code—known as “code gadgets.”
Once those “gadgets” are identified, hackers can launch what are called code-reuse attacks, enabling the theft of passwords or the execution of unauthorised administrative changes. The effectiveness of ASLR, a once-reliable shield, has faltered in the face of these sophisticated incursions.
“ASLR was deployed in operating systems like Windows and Linux, but within the last decade, its security flaws have rendered it almost broken,” explains Mengjia Yan, an associate professor at MIT and CSAIL principal investigator.
“Our goal is to revive this mechanism in modern systems to defend microarchitecture attacks.”
Anything can be improved with an Oreo
To improve ASLR, the CSAIL team designed the Oreo system. As its name implies, this method introduces a three-layered process to conceal vital information from hackers.
At the heart of Oreo is a “masked address space” that adds an intermediate layer sitting between the virtual address space (used to reference program instructions) and the physical address space (where the instructions are actually stored). This middle layer essentially “whites out” any traces of the programs’ randomised locations before instructions are executed by the hardware.
Shixin Song, lead author of the Oreo paper and a CSAIL-affiliated PhD student in electrical engineering and computer science, likens the process to the cookie itself.
“We got the idea to structure it in three layers from Oreo cookies,” she says. “Think of the white filling in the middle of that treat—our version of that is a layer that essentially whites out traces of gadget locations before they end up in the wrong hands.”
This strategy adds an extra step that remaps program instructions from randomised virtual addresses to fixed locations, obfuscating the original memory layout. Even if a hacker uses hardware-side techniques to uncover physical addresses, Oreo ensures the scrambled virtual addresses remain invisible.
The CSAIL team tested Oreo by simulating hardware attacks on Linux using gem5, a platform often employed to study computer architecture. Their findings demonstrated that Oreo successfully shields against microarchitectural side attacks without impacting the performance of the software it protects.
“Our method introduces marginal hardware changes by only requiring a few extra storage units to store some metadata,” Song notes. “Luckily, it also has a minimal impact on software performance.”
This small footprint makes Oreo a lightweight but robust upgrade for page-table-based memory systems, often found in platforms powered by processors from Intel, AMD, and Arm.
The CSAIL team believes Oreo has significant potential beyond Linux.
“We think Oreo could be a useful software-hardware co-design platform for a broader type of applications,” says Yan. “In addition to targeting ASLR, we’re working on new methods that can help safeguard the critical crypto libraries widely used to secure information across people’s network communication and cloud storage.”
Towards multi-layered security against hardware attacks
While Oreo offers a significant boost to ASLR, it is not a silver bullet. The team acknowledges it must work alongside other defences, particularly against speculative execution attacks.
Speculative execution attacks were made infamous by the Meltdown and Spectre vulnerabilities uncovered in 2018. Such attacks exploit a processor feature designed to predict its next tasks for efficiency, but in doing so, inadvertently leave sensitive data exposed.
To defend against speculative execution attacks, Oreo needs to be coupled with other security mechanisms (such as Spectre mitigations).
This limitation also extends to larger, more complex systems. Still, for targeted applications such as safeguarding sensitive cryptography tools, the potential of Oreo could be transformative.
The CSAIL team will present their findings later this month at the Network and Distributed System Security Symposium. Their work has been supported by funding from Amazon, the US Air Force Office of Scientific Research, and ACE, a centre within the Semiconductor Research Corporation sponsored by DARPA.
Looking ahead, the team hopes their Oreo framework inspires further development of software-hardware co-design mechanisms to combat emerging cyber threats. For now, this three-layered innovation serves as a sweet addition to the cybersecurity toolkit.
