TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

0% Positive

Analyzed from 271 words in the discussion.

Trending Topics

#memory#mte#apple#data#checking#tagging#exploit#bug#access#https

Discussion (10 Comments)Read Original on HackerNews

yieldcrv18 minutes ago
from what they demonstrated, this seems to only be a $100,000 exploit in Apple's bug bounty platform, but if they package it right, it could be a $1.5 million exploit

They simply have to show it against a beta version of MacOS, and frame it as unauthorized access, and maybe from locked mode if possible

vsgherziabout 2 hours ago
unfortunately a little light on the details. I'm very curious how the bug survived through MTE
vsgherziabout 2 hours ago
Upon further reading on data only attacks

(https://www.usenix.org/publications/loginonline/data-only-at...)

This makes more sense. You don't trigger MTE since you're not doing anything for force MTE to take action the program isn't actually changing.

My other question would be, why didn't apple use fbounds checking here? They've been doing it aggressively everywhere else.

MTE plus fbounds checking everywhere should lead to an extremly hardened OS

pjmlpabout 1 hour ago
Quite strange indeed, given that was one of the main points on their security conference a few months ago.
vsgherzi20 minutes ago
I can only imagine that

1. it’s to performance sensitive

Or

2. The os is so darn large it’s hard to recompile everything

landr0idabout 2 hours ago
GPU memory/shaders/etc. isn't protected by MTE or PAC. They said "data-only", so I guess GPU commands could fit into this description.
dorianmariecomabout 2 hours ago
Memory Tagging Extension

Arm published the Memory Tagging Extension (MTE) specification in 2019 as a tool for hardware to help find memory corruption bugs. MTE is a memory tagging and tag-checking system, where every memory allocation is tagged with a secret. The hardware guarantees that later requests to access memory are granted only if the request contains the correct secret. If the secrets don’t match, the app crashes, and the event is logged. This allows developers to identify memory corruption bugs immediately as they occur.

https://support.apple.com/guide/security/operating-system-in...

AgentMEabout 1 hour ago
First Mozilla, now even Apple is making up fake vulnerabilities to hype up Mythos. /s
baq27 minutes ago
Cisco put up a totally bogus 10.0 CVE just for this reason, too
bredrenabout 1 hour ago
Did the article get edited? There is not much description of the field trip.