Address space layout randomization (ASLR) has often been sold as an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing.
In this talk, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cache- based architectures, making ASLR and caching conflicting requirements (ASLR xor Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU's page-table walks result in caching page-table pages in the shared last-level cache (LLC).