<h1>SysBumps Attack</h1>
<p>Posted 2025-01-08 at <a href="https://mjtsai.com/blog/2025/01/08/sysbumps-attack/">https://mjtsai.com/blog/2025/01/08/sysbumps-attack/</a></p>
<p><a href="https://cybersecuritynews.com/sysbumps/">Guru Baran</a> (via <a href="https://www.macintouch.com/post/44327/sysbumps-vulnerability/#more-44327">Ric Ford</a>, <a href="https://dl.acm.org/doi/pdf/10.1145/3658644.3690189">PDF</a>):</p>
<blockquote cite="https://cybersecuritynews.com/sysbumps/">
<p>The research team from Korea University, led by Hyerean Jang, Taehun Kim, and Youngjoo Shin, presented their findings in a paper titled &ldquo;SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon.&rdquo;</p>
<p>Their work represents the first successful KASLR break attack on macOS systems powered by Apple&rsquo;s custom ARM-based chips.</p>
<p>[&#8230;]</p>
<p>By exploiting Spectre-type vulnerabilities in certain macOS system calls, the researchers demonstrated that an unprivileged attacker could cause transient memory accesses to kernel addresses, even with kernel isolation enabled.</p>
<p>A key component of the attack involves using the Translation Lookaside Buffer (TLB) as a side channel to infer information about the kernel&rsquo;s memory layout. The research team reverse-engineered the TLB structure of various M-series processors, uncovering previously unknown details about its architecture.</p>
</blockquote>
<p>Previously:</p>
<ul>
<li><a href="https://mjtsai.com/blog/2023/11/07/ileakage-browser-based-timerless-speculative-execution-attacks-on-apple-devices/">iLeakage: Browser-Based Timerless Speculative Execution Attacks on Apple Devices</a></li>
<li><a href="https://mjtsai.com/blog/2022/07/05/pacman-attack-on-m1-processor/">PACMAN Attack on M1 Processor</a></li>
<li><a href="https://mjtsai.com/blog/2022/06/03/apple-silicon-augury-dmp-vulnerability/">Apple Silicon &ldquo;Augury&rdquo; DMP Vulnerability</a></li>
<li><a href="https://mjtsai.com/blog/2021/06/04/m1racles/">M1racles: M1ssing Register Access Controls Leak EL0 State</a></li>
<li><a href="https://mjtsai.com/blog/2019/05/17/microarchitectural-data-sampling-mds-mitigation/">Microarchitectural Data Sampling (MDS) Mitigation</a></li>
<li><a href="https://mjtsai.com/blog/2018/07/16/mitigating-spectre-with-site-isolation-in-chrome/">Mitigating Spectre With Site Isolation in Chrome</a></li>
<li><a href="https://mjtsai.com/blog/2018/06/14/intel-fpu-may-spill-crypto-secrets-to-apps/">Intel FPU May Spill Crypto Secrets to Apps</a></li>
<li><a href="https://mjtsai.com/blog/2018/01/03/intel-cpu-design-flaw-necessitates-kernel-page-table-isolation/">Intel CPU Design Flaw Necessitates Kernel Page Table Isolation</a></li>
</ul>
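<p>To make the mechanism in the quoted passage concrete, here is an added model (not code from the paper or from the blog) of how a transient kernel access inside a system call can be turned into a KASLR oracle through the TLB. Everything below is a constructed simulation: the set-associative LRU TLB geometry, the index function <code>(vaddr &gt;&gt; PAGE_SHIFT) % NSETS</code>, the 16 KiB page size, the 2 MiB slide granularity, the hidden kernel base, and the use of a prime+probe measurement on the TLB set are all assumptions for illustration, not the reverse-engineered Apple Silicon layout or the authors' actual gadget. The point it shows is why kernel isolation does not help: the attacker never reads kernel memory, only observes whether the kernel's own transient page walk displaced one of the attacker's translations.</p>

```c
/* Constructed model of a TLB prime+probe KASLR oracle (added example; not the
 * SysBumps authors' code). Assumptions, none taken from the page: a
 * set-associative LRU TLB indexed by (vaddr >> PAGE_SHIFT) % NSETS, a syscall
 * gadget that transiently dereferences an attacker-supplied pointer, and a
 * kernel text segment mapped at a hidden, slide-aligned base. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 14               /* 16 KiB pages (assumed) */
#define NSETS      64               /* TLB geometry (assumed) */
#define NWAYS      4
#define SLIDE_GRAN (1ULL << 21)     /* 2 MiB KASLR slide granularity (assumed) */

typedef struct {
    uint64_t tag[NSETS][NWAYS];     /* page number per way, 0 = empty */
    uint32_t age[NSETS][NWAYS];     /* LRU timestamp per way */
    uint32_t clock;
} tlb_t;

typedef struct { uint64_t text_base, text_size; } kernel_t; /* hidden by KASLR */

static unsigned tlb_set(uint64_t va) { return (unsigned)((va >> PAGE_SHIFT) % NSETS); }

/* Look a translation up; on a miss, insert it with LRU replacement. */
static bool tlb_touch(tlb_t *t, uint64_t va) {
    unsigned s = tlb_set(va), victim = 0;
    uint64_t pn = va >> PAGE_SHIFT;
    t->clock++;
    for (unsigned w = 0; w < NWAYS; w++) {
        if (t->tag[s][w] == pn) { t->age[s][w] = t->clock; return true; }
        if (t->age[s][w] < t->age[s][victim]) victim = w;
    }
    t->tag[s][victim] = pn;
    t->age[s][victim] = t->clock;
    return false;
}

static bool kernel_mapped(const kernel_t *k, uint64_t va) {
    return va >= k->text_base && va < k->text_base + k->text_size;
}

/* Model of the leaky syscall: the bounds/validity check is resolved late, so the
 * kernel transiently dereferences the user pointer. Only a mapped address
 * completes the page walk and fills the TLB; the architectural result is
 * discarded either way, so no kernel data ever reaches user space. */
static void leaky_syscall(tlb_t *t, const kernel_t *k, uint64_t user_arg) {
    if (kernel_mapped(k, user_arg)) tlb_touch(t, user_arg);
}

/* Prime the TLB set that `target` maps to with NWAYS attacker pages, invoke the
 * gadget, then probe: any miss on re-access means a kernel translation landed
 * in the set, i.e. `target` is mapped. */
static bool probe_mapped(tlb_t *t, const kernel_t *k, uint64_t target) {
    const uint64_t user_base = 0x100000000ULL;   /* attacker region (assumed) */
    unsigned s = tlb_set(target), misses = 0;
    uint64_t ev[NWAYS];
    for (unsigned i = 0; i < NWAYS; i++) {
        ev[i] = user_base + ((uint64_t)(s + i * NSETS) << PAGE_SHIFT); /* same set */
        tlb_touch(t, ev[i]);
    }
    leaky_syscall(t, k, target);
    for (unsigned i = 0; i < NWAYS; i++) if (!tlb_touch(t, ev[i])) misses++;
    return misses > 0;
}

/* Walk the candidate slides; the first mapped candidate is the kernel text base. */
static uint64_t recover_text_base(tlb_t *t, const kernel_t *k, uint64_t lo, uint64_t hi) {
    for (uint64_t va = lo; va < hi; va += SLIDE_GRAN)
        if (probe_mapped(t, k, va)) return va;
    return 0;
}

/* Constructed scenario used to drive the model (hidden base is 37 slides in). */
static uint64_t demo_recover(void) {
    tlb_t t; memset(&t, 0, sizeof t);
    kernel_t k = { 0xfffffe000ca00000ULL, 32u << 20 };
    return recover_text_base(&t, &k, 0xfffffe0000000000ULL, 0xfffffe0100000000ULL);
}

int main(void) {
    printf("recovered kernel text base: 0x%llx\n", (unsigned long long)demo_recover());
    return 0;
}
```

<p>In the model the oracle is noiseless; on real hardware each probe is a latency measurement against a threshold and is repeated to vote out noise, and the eviction set has to be built from the reverse-engineered index function rather than the simple modulo assumed here.</p>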