
Memory Integrity Enforcement

(security.apple.com)
461 points by circuit | 8 comments
1. philodeon No.45189601
> In 2018, we were the first in the industry to deploy Pointer Authentication Codes (PAC) in the A12 Bionic chip, to protect code flow integrity in the presence of memory corruption. The strong success of this defensive mechanism in increasing exploitation complexity left no doubt that the deep integration of software and hardware security would be key to addressing some of our greatest security challenges.

There have been multiple full-chain attacks since the introduction of PAC. It hasn’t been a meaningful attack deterrent because attackers keep finding PAC bypasses. This should give you pause as to how secure EMTE actually is.

replies(3): >>45190277, >>45190363, >>45191246
2. sfink No.45190277
To be fair, they didn't claim it to be a meaningful attack deterrent. They said "success...in increasing exploitation complexity".

Sure, the whole sentence is a bit of a weird mess. Paraphrased: it made exploits more complex, so we concluded that we needed a combined SW/HW approach. What I read into that is that they're admitting PAC didn't work, so they needed to come up with a new approach and part of that approach was to accept that they couldn't do it using either SW or HW alone.

Then again... I don't know much about PAC, but to me it seems like it's a HW feature that requires SW changes to make use of it, so it's kind of HW+SW already. But that's a pointless quibble; EMTE employs a lot more coordination and covers a lot more surface, iiuc.

replies(1): >>45190959
3. saagarjha No.45190363
> It hasn’t been a meaningful attack deterrent because attackers keep finding PAC bypasses.

Correction: it forces attackers to find PAC bypasses. They are not infinite.

replies(1): >>45190735
4. strcat No.45190735
Hijacking control flow like this is not a hard requirement of exploitation. Vulnerabilities in a specific software release are not infinite in general so that doesn't mean much.
replies(1): >>45193257
5. ghostpepper No.45190959
Making attackers work harder is still a worthwhile goal. No security is perfect.
replies(1): >>45191986
6. frosting1337 No.45191246
Haha, just because there have been bypasses doesn't mean it hasn't been effective.
7. astrange No.45191986
Also, all of these security improvements are nearly-free assert()s which catch memory bugs.
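The "nearly-free assert()" framing can be made concrete with a software model of tag checking. The C program below is an added illustration for this thread, not code from Apple or from any commenter: it models MTE-style tagging with 16-byte granules, 4-bit tags, and the tag carried in the pointer's top byte, using a constructed bump allocator (`tag_malloc`, `tag_free`, `tag_store8`, `tag_load8` are hypothetical names) that cycles through tags deterministically, where real hardware assigns random tags and performs the check inside the load/store path.

```c
/* Software model of MTE-style memory tagging (constructed illustration, not
 * Apple's implementation): a small heap is split into 16-byte granules, each
 * with a 4-bit tag; every "pointer" carries a tag in its top byte and each
 * access is checked against the granule's tag, like an implicit assert(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE 16
#define HEAP_GRANULES 64
#define TAG_SHIFT 56

typedef uint64_t tptr;              /* tagged pointer: heap offset + tag in bits 56..59 */

static uint8_t heap[HEAP_GRANULES * GRANULE];
static uint8_t granule_tag[HEAP_GRANULES];  /* 0 = free, 1..15 = live allocation */
static size_t heap_top;                     /* bump allocator: next free granule */
static uint8_t next_tag = 1;                /* constructed: cycles 1..15 so neighbours differ */
static int tag_faults;                      /* how many accesses the check rejected */

static tptr make_tptr(size_t off, uint8_t tag) { return ((tptr)tag << TAG_SHIFT) | off; }
static size_t tptr_off(tptr p) { return (size_t)(p & ((1ull << TAG_SHIFT) - 1)); }
static uint8_t tptr_tag(tptr p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }

/* Returns 0 when the pointer's tag matches its granule, -1 (and counts a fault) otherwise. */
static int check(tptr p) {
    size_t off = tptr_off(p);
    if (off >= sizeof heap || granule_tag[off / GRANULE] != tptr_tag(p)) {
        tag_faults++;
        return -1;
    }
    return 0;
}

tptr tag_malloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0) n = 1;
    if (heap_top + n > HEAP_GRANULES) return 0;     /* out of memory in the model */
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    for (size_t i = 0; i < n; i++) granule_tag[heap_top + i] = tag;
    tptr p = make_tptr(heap_top * GRANULE, tag);
    heap_top += n;
    return p;
}

/* Free retags the allocation's granules, so any stale copy of the pointer no longer matches. */
int tag_free(tptr p) {
    if (check(p) != 0) return -1;
    size_t g = tptr_off(p) / GRANULE;
    uint8_t tag = tptr_tag(p);
    while (g < HEAP_GRANULES && granule_tag[g] == tag) granule_tag[g++] = 0;
    return 0;
}

int tag_store8(tptr p, uint8_t v) {
    if (check(p) != 0) return -1;
    heap[tptr_off(p)] = v;
    return 0;
}

/* Returns the byte, or -1 on a tag fault. */
int tag_load8(tptr p) {
    if (check(p) != 0) return -1;
    return heap[tptr_off(p)];
}

/* Linear overflow: the byte past a 16-byte buffer lies in the neighbour's granule,
 * whose tag differs, so the write faults instead of silently corrupting it. */
int demo_overflow(void) {
    tptr a = tag_malloc(16), b = tag_malloc(16);
    if (a == 0 || b == 0) return 0;
    return tag_store8(a + 15, 0x41) == 0 && tag_store8(a + 16, 0x42) == -1
        && tag_load8(b) == 0;   /* neighbour untouched */
}

/* Use after free: the dangling pointer keeps its old tag, the granule does not. */
int demo_use_after_free(void) {
    tptr a = tag_malloc(40);
    if (a == 0) return 0;
    if (tag_store8(a + 20, 0x55) != 0 || tag_free(a) != 0) return 0;
    return tag_load8(a + 20) == -1;
}

/* Correct code pays only the check: a normal store/load round-trip succeeds. */
int demo_valid_access(void) {
    tptr a = tag_malloc(8);
    if (a == 0) return 0;
    return tag_store8(a + 3, 0x7e) == 0 && tag_load8(a + 3) == 0x7e;
}

int main(void) {
    printf("overflow caught: %d\n", demo_overflow());
    printf("use-after-free caught: %d\n", demo_use_after_free());
    printf("valid access ok: %d\n", demo_valid_access());
    printf("faults recorded: %d\n", tag_faults);
    return 0;
}
```

The model makes the trade-off visible: an in-bounds access costs one tag comparison, while a linear overflow or a use after free trips the check deterministically. With only four tag bits, an access that lands in an unrelated granule carrying the same tag goes unnoticed, which is why allocators choose distinct tags for adjacent allocations and why tag-check failures are worth treating as crash reports to investigate rather than noise.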
8. saagarjha No.45193257
Memory safety issues, or ROP gadgets, and the like are basically infinite.