Google Project Zero Details ASLR Bypass on Apple Devices Using NSDictionary Serialization
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A Google Project Zero researcher has detailed a novel technique for remotely leaking memory addresses on Apple\u2019s macOS and iOS.<\/p>\n
This method can bypass a key security feature, Address Space Layout Randomization (ASLR)<\/a>, without relying on traditional memory corruption vulnerabilities or timing-based side-channel attacks.<\/p>\n The research originated from a 2024 discussion within the Project Zero team about finding<\/a> new ways to achieve remote ASLR leaks on Apple devices.<\/p>\n The researcher discovered a trick applicable to services that deserialize attacker-provided data, re-serialize the resulting objects, and then send the data back.<\/p>\n While no specific, real-world vulnerable attack surface was identified, a proof-of-concept was created using an artificial test case involving Apple\u2019s The researcher responsibly disclosed the findings to Apple, which addressed the underlying issue in its security updates on March 31, 2025.<\/p>\n The technique hinges on the predictable behavior of data serialization and the internal workings of Apple\u2019s The attack\u2019s goal is to leak the memory address of the Leaking this hash value is equivalent to leaking the object\u2019s address, which would undermine ASLR for the shared cache where it resides.<\/p>\n The attack unfolds in several steps:<\/p>\n To reconstruct the full 64-bit address, the technique employs the Chinese Remainder Theorem. By sending an array of dictionaries of varying sizes (each with a different prime number of buckets), an attacker can gather multiple pieces of information about the address.<\/p>\n Combining these results makes it possible to calculate the complete memory address of the This research demonstrates that using raw object pointers as hash keys in data structures can lead to direct information leaks if the serialized output is exposed.<\/p>\n Unlike classic side-channel attacks<\/a> that measure timing differences, this method relies on the deterministic output of the serialization process.<\/p>\n The researcher suggests the most robust mitigation is to avoid using object addresses as lookup keys or to hash them with a keyed hash function to prevent the address from being exposed.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Google Project Zero Details ASLR Bypass on Apple Devices Using NSDictionary Serialization<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNSKeyedArchiver<\/code> serialization framework on macOS.<\/p>\nThe Attack Mechanism<\/strong><\/h2>\n
NSDictionary<\/code> objects, which are essentially hash tables.<\/p>\nNSNull<\/code> singleton, a unique, system-wide object whose memory address is used as its hash value.<\/p>\n\n
NSDictionary<\/code> object. This dictionary contains a mix of NSNumber<\/code> keys, whose hash values can be controlled, and a single NSNull<\/code> key.<\/li>\nNSNumber<\/code> keys are carefully chosen to occupy specific \u201cbuckets\u201d within the hash table, creating a known pattern of filled and empty slots.<\/li>\nNSNull<\/code> key in the returned data reveals which bucket it was placed in. This leaks partial information about its address, specifically the result of the address modulo the table\u2019s size.<\/li>\n<\/ul>\nNSNull<\/code> singleton, effectively breaking ASLR for that memory region.<\/p>\n