
Memory Integrity Enforcement

(security.apple.com)
458 points by circuit | 1 comment
philodeon ◴[] No.45189601
> In 2018, we were the first in the industry to deploy Pointer Authentication Codes (PAC) in the A12 Bionic chip, to protect code flow integrity in the presence of memory corruption. The strong success of this defensive mechanism in increasing exploitation complexity left no doubt that the deep integration of software and hardware security would be key to addressing some of our greatest security challenges.

There have been multiple full-chain attacks since the introduction of PAC. It hasn’t been a meaningful attack deterrent because attackers keep finding PAC bypasses. This should give you pause as to how secure EMTE actually is.

replies(3): >>45190277 >>45190363 >>45191246
saagarjha ◴[] No.45190363
> It hasn’t been a meaningful attack deterrent because attackers keep finding PAC bypasses.

Correction: it forces attackers to find PAC bypasses. They are not infinite.

replies(1): >>45190735
strcat ◴[] No.45190735
Hijacking control flow like this is not a hard requirement of exploitation. Vulnerabilities in a specific software release are not infinite in general so that doesn't mean much.
replies(1): >>45193257
saagarjha ◴[] No.45193257
Memory safety issues, or ROP gadgets, and the like are basically infinite.
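Added example, not from the thread and not Apple's or Arm's code: a toy C model of the mechanism the quoted Apple paragraph calls PAC, signing a code pointer kept in memory with a key and a per-slot modifier and re-checking the tag before the pointer is used. The key, the addresses and the XOR-fold tag are constructed stand-ins for the hardware's keyed cipher; the comment on the struct's data field marks the scope limit strcat's reply points at.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of pointer authentication, NOT the arm64 PAC instructions and not
 * Apple's implementation: a secret key and a per-slot "modifier" are folded into
 * the unused top 16 bits of a 48-bit-address pointer, and the tag is checked
 * again before the pointer is used for an indirect call. */
#define PAC_SHIFT 48
#define PAC_MASK  0xFFFFULL
#define ADDR_MASK (~(PAC_MASK << PAC_SHIFT))

static const uint64_t g_key = 0x9E3779B97F4A7C15ULL; /* constructed placeholder key */

/* XOR-fold stands in for the hardware's keyed cipher; it is deliberately simple */
static uint16_t pac_tag(uint64_t addr, uint64_t modifier) {
    uint64_t x = addr ^ modifier ^ g_key;
    return (uint16_t)((x ^ (x >> 16) ^ (x >> 32) ^ (x >> 48)) & PAC_MASK);
}

/* sign: put the tag in the top bits the address does not use */
uint64_t pac_sign(uint64_t addr, uint64_t modifier) {
    addr &= ADDR_MASK;
    return addr | ((uint64_t)pac_tag(addr, modifier) << PAC_SHIFT);
}

/* authenticate: return the bare address, or 0 if the tag does not match */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint16_t tag = (uint16_t)(signed_ptr >> PAC_SHIFT);
    return tag == pac_tag(addr, modifier) ? addr : 0;
}

/* a code pointer kept in memory, signed with its own slot address as modifier;
 * the plain data field beside it is outside what the scheme checks */
struct callback { uint64_t fn; uint64_t privileged; };

void cb_install(struct callback *cb, uint64_t fn) {
    cb->fn = pac_sign(fn, (uint64_t)(uintptr_t)&cb->fn);
}
uint64_t cb_target(const struct callback *cb) {
    return pac_auth(cb->fn, (uint64_t)(uintptr_t)&cb->fn);
}

int main(void) {
    struct callback cb = { 0, 0 };
    cb_install(&cb, 0x100004000ULL);                /* constructed code address */
    printf("intact    -> %#llx\n", (unsigned long long)cb_target(&cb));
    cb.fn = 0x100008000ULL;                         /* simulated corrupting write */
    printf("corrupted -> %#llx (0 = authentication failed)\n", (unsigned long long)cb_target(&cb));
    return 0;
}
```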