<
p style=”text-align: justify;”>In a significant revelation, researchers from Korea University have uncovered “SysBumps,” the first successful Kernel Address Space Layout Randomization (KASLR) break attack targeting macOS devices powered by Apple Silicon processors. Presented at CCS ’24, the study exposes flaws in speculative execution that compromise critical kernel memory addresses, presenting severe security implications for macOS users.
Kernel Address Space Layout Randomization (KASLR) is a vital security mechanism designed to randomize memory locations, thereby mitigating memory corruption vulnerabilities. Apple has enhanced KASLR on macOS for Apple Silicon devices with features like kernel isolation, which separates kernel and user memory spaces to bolster system security.
However, the study identifies a critical weakness in this implementation. Researchers discovered that speculative execution during system calls introduces a vulnerability. This flaw enables attackers to bypass kernel isolation and infer kernel memory locations, undermining the effectiveness of KASLR.
Mechanics of the SysBumps Attack
SysBumps exploits speculative execution vulnerabilities by manipulating system calls to avoid kernel address validation checks. This triggers the Translation Lookaside Buffer (TLB) to behave differently depending on the validity of the address being probed. By leveraging TLB as a side-channel, attackers can gather insight
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.