SysBumps Attack
Guru Baran (via Ric Ford, PDF):
The research team from Korea University, led by Hyerean Jang, Taehun Kim, and Youngjoo Shin, presented their findings in a paper titled “SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon.”
Their work represents the first successful KASLR break attack on macOS systems powered by Apple’s custom ARM-based chips.
[…]
By exploiting Spectre-type vulnerabilities in certain macOS system calls, the researchers demonstrated that an unprivileged attacker could cause transient memory accesses to kernel addresses, even with kernel isolation enabled.
A key component of the attack involves using the Translation Lookaside Buffer (TLB) as a side channel to infer information about the kernel’s memory layout. The research team reverse-engineered the TLB structure of various M-series processors, uncovering previously unknown details about its architecture.
Previously:
- iLeakage: Browser-Based Timerless Speculative Execution Attacks on Apple Devices
- PACMAN Attack on M1 Processor
- Apple Silicon “Augury” DMP Vulnerability
- M1racles: M1ssing Register Access Controls Leak EL0 State
- Microarchitectural Data Sampling (MDS) Mitigation
- Mitigating Spectre With Site Isolation in Chrome
- Intel FPU May Spill Crypto Secrets to Apps
- Intel CPU Design Flaw Necessitates Kernel Page Table Isolation
