←back to thread

Memory Integrity Enforcement

(security.apple.com)
458 points circuit | 1 comments | 09 Sep 25 18:25 UTC | HN request time: 0.205s | source
Show context
pizlonator ◴[09 Sep 25 20:11 UTC] No.45188131[source]
This is really impressive.

It’s my understanding that this won’t protect you in the case where the attacker has a chance to try multiple times.

The approach would be something like: go out of bounds far enough to skip the directly adjacent object, or do a use after free with a lot of grooming, so that you get a a chance of getting a matching tag. The probability of getting a matching tag is 1/16.

But this post doesn’t provide enough details for me to be super confident about what I’m saying. Time will tell! If this is successful then the remaining exploit chains will have to rely on logic bugs, which would be super painful for the bad guys

replies(3): >>45188201 #>>45189018 #>>45198401 #
achierius ◴[09 Sep 25 20:59 UTC] No.45189018[source]
The other 15/16 attempts would crash though, and a bug that unstable is not practically usable in production, both because it would be obvious to the user / send diagnostics upstream and because when you stack a few of those 15/16s together it's actually going to take quite a while to get lucky.
replies(2): >>45189211 #>>45190505 #
strcat ◴[09 Sep 25 22:50 UTC] No.45190505[source]
Typically 14/15 since a tag is normally reserved for metadata, free data, etc. Linux kernel reserves multiple for the internal kernel usage since it was introduced upstream as more of a hardware accelerated debugging feature even though it's very useful for hardening.
replies(2): >>45192247 #>>45192661 #
1. achierius ◴[10 Sep 25 03:00 UTC] No.45192661[source]
It's more complicated than that, so I just use 15/16 to gesture at the general idea. E.g. some strategies for ensuring adjacent tags don't collide can include splitting the tags-range in half and tagging from one or the other based on the parity of an object within its slab allocation region. But even 1/7 is still solid.