Security researchers from Korea University have unveiled a new vulnerability in macOS systems<\/a> running on Apple Silicon processors.\u00a0<\/p>\n Dubbed \u201cSysBumps,\u201d this attack successfully circumvents Kernel Address Space Layout Randomization (KASLR), a critical security mechanism designed to protect kernel memory from exploitation.\u00a0<\/p>\n The findings, presented at the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201924), expose significant weaknesses in Apple\u2019s advanced kernel isolation techniques.<\/p>\n KASLR is a kernel hardening technique that randomizes memory addresses during system boot to prevent attackers from predicting the location of key kernel structures.\u00a0<\/p>\n This randomness is essential for mitigating memory corruption vulnerabilities, as it forces attackers to guess the kernel\u2019s base address\u2014a task made exponentially harder by high entropy levels.\u00a0<\/p>\n Apple has further reinforced KASLR on macOS for Apple Silicon by implementing \u201cdouble map\u201d kernel isolation, which separates user-space and kernel-space address layouts.<\/p>\n However, the SysBumps attack<\/a> demonstrates that even these advanced defenses can be bypassed, with researchers achieving a 96.28% success rate across various M-series processors, including the M1, M2, and their Pro and Max variants.<\/p>\n SysBumps exploits speculative execution vulnerabilities in macOS system calls. Speculative execution is a performance optimization technique in modern processors that predicts and executes instructions ahead of time.\u00a0<\/p>\n While beneficial for speed, it has been shown to leave traces in microarchitectural components like the Translation Lookaside Buffer (TLB), which attackers can exploit as side channels.<\/p>\n The attack unfolds in three key steps:<\/p>\n Triggering Speculative Execution: <\/strong>Certain macOS system calls perform validation checks on user-supplied arguments. By deliberately mistraining branch predictors, SysBumps induces speculative execution of invalid inputs.\u00a0<\/p>\n This transient execution accesses kernel addresses, leaving detectable traces in the TLB if the address is valid.<\/p>\n TLB Side-Channel Analysis:<\/strong> Using a reverse-engineered understanding of Apple Silicon\u2019s TLB architecture, attackers employ a \u201cprime+probe\u201d technique to monitor TLB state changes. By measuring access latency, they can distinguish between valid and invalid kernel addresses.<\/p>\n Breaking KASLR: <\/strong>By systematically probing memory regions, SysBumps identifies valid kernel address<\/a> ranges and calculates the kernel\u2019s base address with high accuracy.<\/p>\n Apple\u2019s double map kernel isolation was designed to prevent such attacks by ensuring that kernel addresses are inaccessible from user space.\u00a0<\/p>\n However, SysBumps bypasses this barrier by exploiting speculative execution during system calls.\u00a0<\/p>\n Researchers reverse-engineered the TLB architecture of Apple\u2019s M-series processors using Performance Monitoring Units (PMUs), uncovering critical details such as its shared design between user and kernel processes.\u00a0<\/p>\n This knowledge enabled them to construct an attack primitive capable of distinguishing valid from invalid kernel addresses.<\/p>\n The SysBumps attack undermines macOS\u2019s core defense against memory corruption exploits by exposing the randomized layout of the kernel.\u00a0<\/p>\n With an average execution time of just three seconds, the attack is both practical and efficient for real-world scenarios.\u00a0<\/p>\n The implications are severe: once KASLR is broken, attackers can more easily exploit other vulnerabilities to gain unauthorized access or execute arbitrary code<\/a>.<\/p>\n The researchers responsibly disclosed their findings to Apple in April 2024. <\/p>\n Apple has acknowledged<\/a> the vulnerability (tracked as CVE-2024-54531) and is investigating mitigation strategies. The study proposes several countermeasures:<\/p>\n Partitioning TLBs: <\/strong>Separating TLB entries for user and kernel processes could eliminate shared contention, reducing side-channel leakage.<\/p>\n Speculative Execution Fencing:<\/strong> Inserting serializing instructions like DSB and ISB before conditional branches can prevent speculative execution of sensitive code paths.<\/p>\n TLB Behavior Modification:<\/strong> Allocating TLB entries for invalid addresses would make it harder for attackers to distinguish valid from invalid addresses.<\/p>\n As Apple continues its transition to ARM-based silicon, addressing vulnerabilities like this will be critical to maintaining user trust and system security.<\/p>\n In light of these findings, macOS users<\/a> are urged to keep their systems updated with the latest security patches as they become available.\u00a0<\/p>\n While no immediate fix exists yet, Apple\u2019s response will likely shape future defenses against speculative execution attacks on custom silicon platforms.<\/p>\n The post KASLR Exploited: Breaking macOS Apple Silicon Kernel Hardening Techniques<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nWhat is KASLR?<\/strong><\/h2>\n
How SysBumps Works<\/strong><\/h2>\n
Mitigations and Industry Response<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcy5sN2BbvO5ExG2M59I2473t1HNcdtAVcTObJkenHvhqTXiGW9DKek6Cezv5-GUeoVPmjgsdWhKqu29fPAvtwZjojszqTHw2CP0eTb29MX50EGK1NmUc2L87UQCxuD6cMUPstnGg?key=6UKE-DGmOeTtcuxXguN4MJIY\")