Security researchers from Korea University have unveiled a new vulnerability in macOS systems running on Apple Silicon processors. The findings, presented at the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS '24), expose significant weaknesses in Apple's advanced kernel isolation techniques.

The attack, named SysBumps, exploits speculative execution in macOS system calls. Speculative execution is beneficial for speed, but it has been shown to leave traces in microarchitectural components such as the Translation Lookaside Buffer (TLB), which attackers can exploit as side channels.

Apple has reinforced kernel address space layout randomization (KASLR) on macOS for Apple Silicon by implementing "double map" kernel isolation, which separates the user-space and kernel-space address layouts. However, SysBumps demonstrates that even these advanced defenses can be bypassed: the researchers report a 96.28% success rate across various M-series processors, including the M1, M2, and their Pro and Max variants.

The attack proceeds in three steps.

Triggering speculative execution: certain macOS system calls perform validation checks on user-supplied arguments. Those checks can execute transiently on an attacker-chosen kernel address, and if that address is valid the transient access leaves a detectable trace in the TLB.

TLB side-channel analysis: using a reverse-engineered understanding of Apple Silicon's TLB architecture, the attacker applies a prime+probe technique to monitor TLB state changes. By measuring access latency, they can distinguish valid from invalid kernel addresses. This knowledge enabled the researchers to construct an attack primitive capable of telling valid kernel addresses from invalid ones.

Breaking KASLR: by systematically probing memory regions with this primitive, SysBumps identifies valid kernel address ranges and calculates the kernel's base address with high accuracy.

The implications are severe: once KASLR is broken, attackers can more easily exploit other vulnerabilities to gain unauthorized access or execute arbitrary code.

The researchers discuss several possible mitigations.

Speculative execution fencing: inserting serializing instructions such as DSB and ISB before the conditional branches in question can prevent speculative execution of sensitive code paths.

Partitioning TLBs: separating TLB entries for user and kernel processes could eliminate the shared contention, reducing side-channel leakage.

TLB behavior modification: allocating TLB entries for invalid addresses as well would make it harder for attackers to distinguish valid from invalid addresses.

While no immediate fix exists yet, Apple's response will likely shape future defenses against speculative execution attacks on custom silicon platforms. As Apple continues its transition to ARM-based silicon, addressing vulnerabilities like this will be critical to maintaining user trust and system security.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
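The prime+probe and base-recovery steps described in the article, as an added example that is not the researchers' code or Apple's: the program below models a small set-associative TLB in software, lets a stand-in for the vulnerable system call fill a TLB entry only when the probed kernel address translates, and then scans a window of candidate addresses until the first valid one reveals the kernel base. The TLB geometry (64 sets, 4 ways, LRU replacement), the 16 KiB page size, the 2 MiB kernel alignment, the 8 MiB kernel region, the scan window and the `syscall_transient_access` oracle are all constructed assumptions; on real hardware the probe step reads access latency with a timer rather than inspecting TLB state directly.

```c
/* Simulated SysBumps-style prime+probe against a modeled TLB, used to find a
 * kernel base address. Added example: the TLB geometry, LRU policy, page size,
 * kernel alignment, scan window and the in-process "syscall" stand-in are all
 * constructed assumptions, not measurements of Apple Silicon. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT   14                 /* 16 KiB pages (assumption) */
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define TLB_SETS     64                 /* hypothetical geometry: 64 sets x 4 ways */
#define TLB_WAYS     4
#define KERNEL_ALIGN (2ULL << 20)       /* assumed randomization granularity */
#define KERNEL_SIZE  (8ULL << 20)       /* assumed size of the mapped kernel region */
#define SCAN_LO      0xfffffe0000000000ULL   /* constructed scan window */
#define SCAN_HI      (SCAN_LO + (64ULL << 20))

/* Modeled TLB: per way a page tag and a last-use tick (0 = empty); LRU replacement. */
typedef struct {
    uint64_t tag[TLB_SETS][TLB_WAYS];
    uint64_t age[TLB_SETS][TLB_WAYS];
    uint64_t tick;
} tlb_t;

/* Constructed kernel layout: a single mapped region starting at an aligned base. */
typedef struct { uint64_t base; } kernel_t;

static unsigned tlb_set(uint64_t va) { return (va >> PAGE_SHIFT) & (TLB_SETS - 1); }

/* Access va through the TLB. Returns true on a hit; on a miss the LRU way is replaced. */
static bool tlb_touch(tlb_t *t, uint64_t va) {
    unsigned s = tlb_set(va);
    uint64_t tag = va >> PAGE_SHIFT;
    int victim = 0;
    for (int w = 0; w < TLB_WAYS; w++) {
        if (t->age[s][w] && t->tag[s][w] == tag) { t->age[s][w] = ++t->tick; return true; }
        if (t->age[s][w] < t->age[s][victim]) victim = w;
    }
    t->tag[s][victim] = tag;
    t->age[s][victim] = ++t->tick;
    return false;
}

static bool kernel_mapped(const kernel_t *k, uint64_t va) {
    return va >= k->base && va < k->base + KERNEL_SIZE;
}

/* Stand-in for the system call whose argument check runs transiently: the
 * speculative access fills a TLB entry only if the kernel address translates. */
static void syscall_transient_access(tlb_t *t, const kernel_t *k, uint64_t va) {
    if (kernel_mapped(k, va)) tlb_touch(t, va);
}

/* Attacker-controlled user page that lands in the same TLB set as 'target'. */
static uint64_t congruent_user_page(uint64_t target, unsigned way) {
    return (uint64_t)(0x1000 + way * TLB_SETS + tlb_set(target)) << PAGE_SHIFT;
}

/* One prime+probe round. Prime: fill every way of the target's set with our own
 * pages. Trigger: make the kernel touch 'target' transiently. Probe: re-access the
 * primed pages; a miss means the kernel's access evicted one, so 'target' is valid.
 * On real hardware the miss is observed as a longer access latency. */
static bool probe_is_valid(tlb_t *t, const kernel_t *k, uint64_t target) {
    for (unsigned w = 0; w < TLB_WAYS; w++) tlb_touch(t, congruent_user_page(target, w));
    syscall_transient_access(t, k, target);
    for (unsigned w = 0; w < TLB_WAYS; w++)
        if (!tlb_touch(t, congruent_user_page(target, w))) return true;
    return false;
}

/* Walk the scan window in KERNEL_ALIGN steps; the first valid candidate is the base. */
static uint64_t find_kernel_base(tlb_t *t, const kernel_t *k) {
    for (uint64_t va = SCAN_LO; va < SCAN_HI; va += KERNEL_ALIGN)
        if (probe_is_valid(t, k, va)) return va;
    return 0;
}

/* Fresh TLB and a kernel placed at 'true_base'; returns the base the probe recovers. */
uint64_t demo_recover_base(uint64_t true_base) {
    tlb_t t; memset(&t, 0, sizeof t);
    kernel_t k = { true_base };
    return find_kernel_base(&t, &k);
}

/* Number of aligned candidates in the window flagged valid: equals the number of
 * KERNEL_ALIGN-sized slots the mapped region covers, with no false positives. */
unsigned demo_count_valid(uint64_t true_base) {
    tlb_t t; memset(&t, 0, sizeof t);
    kernel_t k = { true_base };
    unsigned n = 0;
    for (uint64_t va = SCAN_LO; va < SCAN_HI; va += KERNEL_ALIGN)
        n += probe_is_valid(&t, &k, va);
    return n;
}

int main(void) {
    uint64_t secret = SCAN_LO + 23 * KERNEL_ALIGN;   /* "randomized" base, unknown to the probe */
    printf("recovered base 0x%llx (true 0x%llx), %u valid slots\n",
           (unsigned long long)demo_recover_base(secret), (unsigned long long)secret,
           demo_count_valid(secret));
    return 0;
}
```

The LRU model is what makes the prime step reliable: touching four distinct pages in a four-way set always leaves exactly those four resident, so any later miss on them can only have been caused by the transient kernel access. That is also why the third mitigation in the article matters: if the kernel allocated a TLB entry for invalid addresses too, `probe_is_valid` would report every candidate as valid and the scan would learn nothing.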
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Feb 2025 08:55:20 +0000