
Memory Integrity Enforcement

(security.apple.com)
461 points | circuit | 2 comments
pizlonator No.45188131
This is really impressive.

It’s my understanding that this won’t protect you in the case where the attacker has a chance to try multiple times.

The approach would be something like: go out of bounds far enough to skip the directly adjacent object, or do a use after free with a lot of grooming, so that you get a chance of getting a matching tag. The probability of getting a matching tag is 1/16.

But this post doesn’t provide enough details for me to be super confident about what I’m saying. Time will tell! If this is successful then the remaining exploit chains will have to rely on logic bugs, which would be super painful for the bad guys.

replies(3): >>45188201 #>>45189018 #>>45198401 #
achierius No.45189018
The other 15/16 attempts would crash though, and a bug that unstable is not practically usable in production, both because it would be obvious to the user / send diagnostics upstream and because when you stack a few of those 15/16s together it's actually going to take quite a while to get lucky.
replies(2): >>45189211 #>>45190505 #
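The two comments above turn on a single number: with 4-bit tags, a pointer that lands on memory it was not derived from matches the memory's tag 1/16 of the time, and the other 15/16 of accesses are caught. The toy model below, added here as an illustration and not code from the Apple post or from anyone in the thread, is a hypothetical tagged-heap simulator: allocations get a random 4-bit tag in a shadow table, pointers carry the tag they were created with, and every access compares the two. It measures how often a one-byte overrun into the next object is caught, and computes the chained figures achierius refers to (the chance that k independent tag guesses all survive, and the expected number of crashing attempts before that happens). Tags are drawn uniformly and independently here; that is an assumption of the model, not a description of the real allocator.

```python
import random
from fractions import Fraction

TAG_BITS = 4
NUM_TAGS = 1 << TAG_BITS           # 16 tag values: the source of the thread's 1/16 figure


class TagMismatch(Exception):
    """Raised when a pointer's tag disagrees with the tag stored for the memory it touches."""


class TaggedHeap:
    """Toy tagged-memory allocator (hypothetical model, not Apple's design).

    Each allocation receives a random 4-bit tag recorded in a shadow table for
    every byte it covers. A 'pointer' is a (tag, address) pair carrying the tag
    of the allocation it came from. Every access compares the pointer tag with
    the shadow tag of the byte being touched, which is the check that turns a
    stray access into a crash instead of a silent read or write.
    """

    def __init__(self, size, seed=None):
        self.rng = random.Random(seed)
        self.shadow = [None] * size    # one tag per byte (granule = 1 byte to keep it simple)
        self.next_free = 0

    def alloc(self, n):
        # Assumption: tags are uniform and independent across allocations.
        tag = self.rng.randrange(NUM_TAGS)
        base = self.next_free
        self.shadow[base:base + n] = [tag] * n
        self.next_free += n
        return (tag, base)

    def access(self, ptr, offset):
        """Return the byte address if the tags agree; raise TagMismatch otherwise."""
        tag, base = ptr
        addr = base + offset
        if self.shadow[addr] != tag:
            raise TagMismatch(f"addr {addr}: pointer tag {tag} != memory tag {self.shadow[addr]}")
        return addr


def oob_detection_rate(trials=20000, obj_size=16, seed=1):
    """Fraction of one-byte overruns (past object A, into object B) that the tag
    check catches. With independent random tags this converges to 15/16 = 0.9375;
    the remaining 1/16 are the matching-tag cases the thread discusses."""
    caught = 0
    for t in range(trials):
        heap = TaggedHeap(size=2 * obj_size, seed=seed + t)
        a = heap.alloc(obj_size)
        heap.alloc(obj_size)            # B sits directly after A
        try:
            heap.access(a, obj_size)    # first byte past A's end, i.e. inside B
        except TagMismatch:
            caught += 1
    return caught / trials


def chain_survival_probability(k):
    """Probability that k independent tag guesses all succeed, so the whole
    chain completes without a single crash: (1/16)^k."""
    return Fraction(1, NUM_TAGS) ** k


def expected_attempts(k):
    """Expected number of end-to-end attempts before a k-guess chain lands,
    with every failed attempt crashing the process: 16^k."""
    return NUM_TAGS ** k


if __name__ == "__main__":
    print(f"adjacent overrun caught: {oob_detection_rate():.4f} (expected about 0.9375)")
    for k in (1, 2, 3):
        p = chain_survival_probability(k)
        print(f"{k} guesses: survival {p} ({float(p):.5f}), expected attempts {expected_attempts(k)}")
```

The `expected_attempts` figure is what makes the detection argument concrete from the defender's side: every failed attempt is a crash, so a chain that needs three independent tag guesses is expected to produce on the order of 4096 crash reports before it works once, which is the kind of signal crash telemetry is built to surface.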
pizlonator No.45189211
I get that. That’s why I’m adding the caveat that this doesn’t protect you against attackers that are in a position to try multiple times
replies(1): >>45193339 #
zarzavat No.45193339
Detection is 14/15ths of the battle. Forcing attackers to produce a brand new exploit chain every few weeks massively increases attack cost which could make it uneconomical except for national security targets.
replies(1): >>45198165 #
pizlonator No.45198165
It will be really interesting to see how well that part of the story works out!

What we're essentially saying is that evading detection is now 14/15 of the battle, from the attacker's perspective. Those people are very clever.