First Public macOS Kernel Memory Corruption Exploit On Apple Silicon M5

Posted by CircumspectCapybara@reddit | programming | View on Reddit | 2 comments

[-]

CircumspectCapybara@reddit (OP)

Absolutely fascinating exploit chain, especially how they bypass MTE, PAC, and all the Memory Integrity Enforcement features Apple's cooked up.

From the writeup:

But mitigations are not cheap. If performance didn’t matter, many security problems would be easy to solve. Apple is smart and controls the full stack, so they pushed many of these defenses directly into hardware and made bypassing them significantly harder. Many security experts consider Apple devices to be the most secure consumer platform.

The latest flagship example is MIE (Memory Integrity Enforcement), Apple’s hardware-assisted memory safety system built around ARM’s MTE (Memory Tagging Extension). It was introduced as the marquee security feature for the Apple M5 and A19, specifically designed to stop memory corruption exploits, the vulnerability class behind many of the most sophisticated compromises on iOS and macOS.

Apple spent five years building it. Probably billions of dollars too. According to their research, MIE disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword exploit kits.

We’ve been on a fun journey exploring how AI can help build exploits that still work under MTE. While Apple’s focus is primarily iOS, they also brought MIE to the M5, the chip powering the latest MacBooks.

[...]

To the best of our knowledge, this is the first public macOS kernel exploit on MIE hardware. Again, we’ll publish our 55-page report after Apple ships a fix.

MIE was never meant to be hacker-proof. With the right vulnerabilities, it can be evaded. As we’ve shown throughout the MAD Bugs series, AI systems are already discovering more and more vulnerabilities. It’s inevitable that some of those bugs will eventually be powerful enough to survive even advanced mitigations like MIE. This is exactly what we just discovered.

This work is a glimpse of what is coming. Apple built MIE in a world before Mythos Preview. We’re about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon.

Mythos seems like it's on a roll lately...