
Memory Integrity Enforcement

(security.apple.com)
458 points | circuit | 3 comments
vayup No.45192823
> ...attackers must not be able to predict tag values that the system will choose. We address this issue by frequently re-seeding the underlying pseudo-random generator used to select new tags.

This point could use more explanation. The fundamental problem here is the low entropy of the tags (only 4 bits). An attacker who randomly guesses the tags has 1/16 chance of success. That is not fixed by reseeding the PRNG. So I am not sure what they mean.

replies (2): >>45193068 >>45194288
1. freakynit No.45193068
Four bits provide too few possibilities. Since memory allocations happen millions of times per minute, the chance of collisions grows very quickly, even with periodic reseeding.
replies (2): >>45194462 >>45196009
2. saagarjha No.45194462
The idea is that a tag failure crashes your process.
3. kevincox No.45196009
But you only get one try. 15/16 times you get a very visible failure.

It isn't great. Most users won't assume malice when an app crashes, and if they reopen it a few times, your chance of succeeding goes up quickly. But this is also assuming that you need a single pointer tag to exploit something. If you need more, you need to get even luckier.

So it definitely isn't perfect protection. But it isn't trivial to bypass.
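The arithmetic the last two replies are doing in their heads (one blind guess per process launch, 1/16 per tag, a mismatch ends the attempt) can be written down and checked. The following is an added example, not part of the thread and not Apple's MIE or any real MTE implementation: a toy tagged heap where every allocation gets a random 4-bit tag and an access with the wrong tag raises a fault, plus a closed-form function for the chance a blind guesser succeeds within a given number of relaunches when it needs one or more tags, and a Monte Carlo run over the toy heap to confirm the formula. The class and function names, and the assumption that each relaunch re-randomizes every tag independently, are mine.

```python
"""
Toy model of 4-bit memory tagging. Constructed example for reasoning about
residual risk; not Apple's MIE implementation and not a real MTE API.
"""
import random

TAG_BITS = 4
TAG_SPACE = 1 << TAG_BITS  # 16 possible tag values


class TagFault(Exception):
    """A pointer's tag did not match its allocation's tag (a real process would crash)."""


class TaggedHeap:
    """Each allocation gets a random tag; a pointer must carry the same tag to use it."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self._tags = {}  # allocation id -> tag assigned at allocation time
        self._next_id = 0

    def allocate(self):
        """Return a 'pointer' (allocation id, tag) with a freshly chosen tag."""
        aid = self._next_id
        self._next_id += 1
        tag = self._rng.randrange(TAG_SPACE)
        self._tags[aid] = tag
        return (aid, tag)

    def access(self, pointer):
        """Check the pointer's tag against the allocation's tag; fault on mismatch."""
        aid, tag = pointer
        if self._tags.get(aid) != tag:
            raise TagFault(f"tag mismatch on allocation {aid}")
        return True


def guess_probability(attempts, tags_needed=1, tag_bits=TAG_BITS):
    """Probability that blind guessing succeeds within `attempts` process launches.

    Each attempt must guess `tags_needed` independent tags, and any single
    mismatch faults the process, so the attempt ends at the first wrong guess.
    Tags are re-randomized on every launch, so attempts are independent.
    """
    per_attempt = (1.0 / (1 << tag_bits)) ** tags_needed
    return 1.0 - (1.0 - per_attempt) ** attempts


def simulate(attempts, tags_needed=1, trials=20000, seed=1):
    """Monte Carlo estimate of guess_probability using the TaggedHeap model."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(trials):
        for _ in range(attempts):
            heap = TaggedHeap(seed=rng.getrandbits(32))  # fresh launch, fresh tags
            survived = True
            for _ in range(tags_needed):
                aid, _real_tag = heap.allocate()
                try:
                    heap.access((aid, rng.randrange(TAG_SPACE)))  # blind guess
                except TagFault:
                    survived = False  # process "crashed"; this attempt is over
                    break
            if survived:
                successes += 1
                break
    return successes / trials


if __name__ == "__main__":
    for n in (1, 3, 11):
        print(f"{n:2d} launch(es), 1 tag : {guess_probability(n):.3f}")
    print(f" 1 launch,   2 tags : {guess_probability(1, 2):.5f}")
    print(f"simulated, 3 launches: {simulate(3):.3f}")
```

The closed form makes the thread's point concrete: one launch gives 1/16, it takes 11 relaunches before a single-tag guess is more likely than not to have worked, and needing two tags in the same launch drops one attempt to 1/256. The simulation and the formula agree, which is the check worth having before quoting such numbers.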