upvote

points

by vsgherzi17 hours ago |
comments
upvoteby dorianmariecom17 hours ago|
next
[-]
Memory Tagging Extension

Arm published the Memory Tagging Extension (MTE) specification in 2019 as a tool for hardware to help find memory corruption bugs. MTE is a memory tagging and tag-checking system, where every memory allocation is tagged with a secret. The hardware guarantees that later requests to access memory are granted only if the request contains the correct secret. If the secrets don’t match, the app crashes, and the event is logged. This allows developers to identify memory corruption bugs immediately as they occur.

https://support.apple.com/guide/security/operating-system-in...

reply
upvoteby sillysaurusx13 hours ago|
parent|
[-]
Thank you. I was about to ask.
reply
upvoteby vsgherzi17 hours ago|
prev|
next
[-]
Upon further reading on data only attacks

(https://www.usenix.org/publications/loginonline/data-only-at...)

This makes more sense. You don't trigger MTE since you're not doing anything for force MTE to take action the program isn't actually changing.

My other question would be, why didn't apple use fbounds checking here? They've been doing it aggressively everywhere else.

MTE plus fbounds checking everywhere should lead to an extremly hardened OS

reply
upvoteby pjmlp16 hours ago|
parent|
next
[-]
Quite strange indeed, given that was one of the main points on their security conference a few months ago.
reply
upvoteby vsgherzi15 hours ago|
parent|
[-]
I can only imagine that

1. it’s to performance sensitive

Or

2. The os is so darn large it’s hard to recompile everything

reply
upvoteby kenferry9 hours ago|
parent|
[-]
I worked at Apple for a long time. The OS gets fully recompiled regularly.

A simultaneous total world build is relatively rare (is that needed here?), but it does happen. Sometimes new compiler versions or features need this.

reply
upvoteby vsgherzi7 hours ago|
parent|
next
[-]
Hm that leaves more questions for me. Why does this path not have bounds checking, is think perhaps a limit of the clang flag or is it more simply a mistake of omission on apples part. Either way it seems like a bad look. I wish we’d get a post mortem
reply
upvoteby asimovDev6 hours ago|
parent|
prev|
[-]
I dunno if that's sensitive information, but how long did a build usually take?
reply
upvoteby aiscoming13 hours ago|
parent|
prev|
[-]
could be a different type of data only attack, which doesnt override the boundaries
reply
upvoteby vsgherzi12 hours ago|
parent|
[-]
Well it’s memory corruption so I think it’s pretty safe to assume it’s a bounds issue. I’m not sure if it’s possible to get this with something like type confusion tho I could be wrong here.
reply
upvoteby landr0id17 hours ago|
prev|
next
[-]
GPU memory/shaders/etc. isn't protected by MTE or PAC. They said "data-only", so I guess GPU commands could fit into this description.
reply
upvoteby LoganDark15 hours ago|
parent|
[-]
IIRC, the GPU is behind a memory controller, so I doubt corrupting GPU memory alone could lead to an LPE. But I suppose it would give you someplace to store stuff if you can make something else read from it.
reply
upvoteby traceroute6614 hours ago|
prev|
next
[-]
> I'm very curious how the bug survived through MTE

Its not the first time bugs get past MTE, happened with Google Pixel last year ... https://github.blog/security/vulnerability-research/bypassin...

reply
upvoteby Riany6 hours ago|
prev|
[-]
I had the same question and if this is a data-only attack, the lesson may be that MIE reduces many attack paths but does not remove every useful corruption primitive
reply