Comment by vsgherzi

20 hours ago

Upon further reading on data only attacks

(https://www.usenix.org/publications/loginonline/data-only-at...)

This makes more sense. You don't trigger MTE since you're not doing anything for force MTE to take action the program isn't actually changing.

My other question would be, why didn't apple use fbounds checking here? They've been doing it aggressively everywhere else.

MTE plus fbounds checking everywhere should lead to an extremly hardened OS

7 comments

vsgherzi

Reply
pjmlp  19 hours ago

Quite strange indeed, given that was one of the main points on their security conference a few months ago.

  • vsgherzi  19 hours ago

    I can only imagine that

    1. it’s to performance sensitive

    Or

    2. The os is so darn large it’s hard to recompile everything

    • kenferry  12 hours ago

      I worked at Apple for a long time. The OS gets fully recompiled regularly.

      A simultaneous total world build is relatively rare (is that needed here?), but it does happen. Sometimes new compiler versions or features need this.

      2 replies →

aiscoming  16 hours ago

could be a different type of data only attack, which doesnt override the boundaries

  • vsgherzi  16 hours ago

    Well it’s memory corruption so I think it’s pretty safe to assume it’s a bounds issue. I’m not sure if it’s possible to get this with something like type confusion tho I could be wrong here.