One Byte to rule them all

(googleprojectzero.blogspot.com)

205 points | by cjbprime 3 days ago

9 comments

  • twoodfin 1 day ago

    Seems like the high-level lesson is that tagged unions as traditionally implemented can be vulnerable in a manner that pointer/address-focused mitigations don’t affect?

    • tlb 1 day ago

      Indeed, a small integer tag seems much more vulnerable than a C++ virtual table pointer.

      On modern hardware, how much is the penalty for using magic numbers instead of small indices? (A magic number meaning a constant like 0x85adb9ad instead of 2). The compiler can't optimize switch(it->type) using a jump table, but I suspect that branch prediction and speculation makes this optimization barely relevant.

      • kevincox 1 day ago

        A jump table isn't likely used for very small unions anyways. The biggest downside that I see is that comparing with zero is slightly cheaper if that is a common value.

      • saagarjha 1 day ago

        At the very end, there is speculation that things like this might get manual inclusion in these mitigations grounded in parts of Ivan Krstić's Black Hat talk from last year.

      • cjbprime 1 day ago

        Huh, I submitted this two days ago -- why does it say two hours ago?

      • kokowawa393 1 day ago

        What do I need to learn to understand this 100%?

        • saagarjha 1 day ago

          In somewhat increasing order of specificity (and decreasing additional understanding): computers, C, memory safety, newer cross-platform security mitigations, XNU, iOS-specific security mitigations, iOS exploitation techniques, Project Zero's previous work.

        • nine_k 1 day ago

          The amount of work put into the exploit, the breadth of low-level knowledge involved, and the number of moving parts required for the successful privilege escalation is impressive, to say the least.

          I suspect that getting thought this all took months, considering that iOS runs on platforms not exactly open for experimentation of such a kind.

          • cjsawyer 1 day ago

            The LotR section headings were a nice touch

            • hootbootscoot 1 day ago

              great stuff

              • trekrich 1 day ago

                So what does it mean?!

                • iOS has a lot of layers and mitigations both in software and proprietary hardware that aren't found in other systems. Keep in mind that this story would be 20 % the length on other systems, because "physical memory read/write primitive" would be a total break.

                  • saagarjha 1 day ago

                    I should note that PPL is not designed to protect against the kinds of attack described in this article; it's really meant to prevent substitution of forged page tables and by coincidence the address chosen by the author ended up being unmappable due to an attempt to protect against virtual memory read/write in the kernel.

                    • trekrich 1 day ago

                      thanks for that.

                  • fortran77 1 day ago

                    iOS is full of holes. How can Apple in good faith say it is "secure by design?" (See https://www.apple.com/business/docs/site/AAW_Platform_Securi... )

                    • saagarjha 1 day ago

                      My linked list of these comments will continue to grow until you stop doing this: https://news.ycombinator.com/item?id=23504129

                      • glitchc 1 day ago

                        Let’s give a experienced group of hackers nearly unlimited budget to find security holes in your competitor’s products.

                        There’s of course, zero bias in that approach, none whatsoever. /s

                        If project zero spent even half as much time finding and fixing security exploits in Android as they do just finding exploits in IOS, Google would have a truly competitive product from a security perspective.

                    • > Project Zero

                      > News and updates from the Project Zero team at Google

                      >For the last several years, nearly all iOS kernel exploits ...

                      Damn, Googlers... Still incapable of explaining things to people. What the hell is Project Zero? Why don't you explain it in your tagline? If not, why not at the beginning of the article?

                      Edit: this sentence in the "about" section does the job:

                      > Project Zero is a team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world

                      I suggest you change the tagline to something like "Studying zero-day vulnerabilities at Google".