A Google Project Zero researcher has detailed a novel method for remotely leaking memory addresses on Apple's macOS and iOS.
The method bypasses a key security feature, Address Space Layout Randomization (ASLR), without relying on traditional memory corruption vulnerabilities or timing-based side-channel attacks.
The research originated from a 2024 discussion within the Project Zero team about finding new ways to achieve remote ASLR leaks on Apple devices.
The researcher discovered a trick applicable to services that deserialize attacker-provided data, re-serialize the resulting objects, and then send the data back.
While no specific real-world vulnerable attack surface was identified, a proof-of-concept was created using an artificial test case involving Apple's NSKeyedArchiver serialization framework on macOS.
The researcher responsibly disclosed the findings to Apple, which addressed the underlying issue in its security updates on March 31, 2025.
The Attack Mechanism
The technique hinges on the predictable behavior of data serialization and the internal workings of Apple's NSDictionary objects, which are essentially hash tables.
The attack's goal is to leak the memory address of the NSNull singleton, a unique, system-wide object whose memory address is used as its hash value.
Leaking this hash value is equivalent to leaking the object's address, which can undermine ASLR for the shared cache in which it resides.
The attack unfolds in several steps:
An attacker first crafts a serialized NSDictionary object. This dictionary contains a mixture of NSNumber keys, whose hash values can be controlled, and a single NSNull key.
The NSNumber keys are carefully chosen to occupy specific "buckets" within the hash table, creating a known pattern of filled and empty slots.
The victim application deserializes this object, creating the dictionary in memory. When the application re-serializes the object to send it back, it iterates through the hash table buckets in a predictable order.
The position of the NSNull key in the returned data reveals which bucket it was placed in. This leaks partial information about its address, specifically the address modulo the table's size.
To reconstruct the full 64-bit address, the technique employs the Chinese Remainder Theorem. By sending an array of dictionaries of different sizes (each with a different prime number of buckets), an attacker can gather several independent residues of the address.
Combining these residues makes it possible to calculate the complete memory address of the NSNull singleton, effectively breaking ASLR for that memory region.
This research demonstrates that using raw object pointers as hash keys in data structures can lead to direct information leaks if the serialized output is exposed.
Unlike classic side-channel attacks that measure timing variations, this method relies on the deterministic output of the serialization process.
The researcher suggests the most robust mitigation is to avoid using object addresses as lookup keys, or to hash them with a keyed hash function so that the address itself is never exposed.
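The following Python simulation is an added example, not code from the Project Zero write-up or from Apple. It models the residue-per-table-size leak and the Chinese Remainder Theorem reconstruction described above, then shows why the suggested keyed-hash mitigation closes it. The hash table is a simplified chaining model (the article does not describe CoreFoundation's actual layout), the controlled integer keys are assumed to hash to their own value, and the address and HMAC secret are constructed sample values.

```python
"""Simulation of a bucket-position address leak and its keyed-hash mitigation.

Constructed teaching example. Models, not Apple's NSDictionary implementation:
  * a chained hash table iterated bucket by bucket when re-serialized,
  * controlled small-integer keys that hash to their own value,
  * a single secret key ("NULL") whose hash is the value under test.
"""
import hashlib
import hmac
from functools import reduce

# Prime bucket counts whose product exceeds 2**64, so the CRT solution is
# unique for any 64-bit value. (Constructed choice of primes.)
PRIMES = [101, 103, 107, 109, 113, 127, 131, 137, 139, 149]


def _prod(xs):
    return reduce(lambda a, b: a * b, xs, 1)


def serialize_order(controlled_keys, secret_hash, nbuckets):
    """Return the key sequence a re-serializer would emit from a chained table.

    Controlled keys land in bucket (k % nbuckets); the secret key lands in
    bucket (secret_hash % nbuckets). Iteration is bucket 0, 1, ..., n-1.
    """
    buckets = [[] for _ in range(nbuckets)]
    for k in controlled_keys:
        buckets[k % nbuckets].append(k)
    buckets[secret_hash % nbuckets].append("NULL")
    return [k for chain in buckets for k in chain]


def infer_residue(order, nbuckets):
    """Observer-side view: with controlled keys 0..nbuckets-1 filling every
    bucket, "NULL" is emitted directly after the controlled key that shares
    its bucket, so that key's value equals (secret_hash mod nbuckets)."""
    i = order.index("NULL")
    return order[i - 1]


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    total = _prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        partial = total // m
        x += r * partial * pow(partial, -1, m)
    return x % total


def leak_hash(addr, hash_fn, primes=PRIMES):
    """One round per prime table size; combine the observed residues.

    hash_fn maps the object's address to the hash value the table uses.
    Returns whatever the table hashed on, reconstructed from bucket positions.
    """
    residues = []
    for p in primes:
        order = serialize_order(range(p), hash_fn(addr), p)
        residues.append(infer_residue(order, p))
    return crt(residues, primes)


def raw_pointer_hash(addr):
    """The weak pattern: the hash value is the object address itself."""
    return addr


def keyed_hash(secret):
    """Mitigation: hash the address under a per-process secret key. The
    observer can still recover the hash value, but it no longer equals the
    address and cannot be inverted without the secret."""
    def h(addr):
        mac = hmac.new(secret, addr.to_bytes(8, "little"), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "little")
    return h


if __name__ == "__main__":
    ADDR = 0x00007FFF8A2B3C40          # constructed sample address
    SECRET = b"\x01" * 32              # constructed sample secret
    print(hex(leak_hash(ADDR, raw_pointer_hash)))   # equals ADDR: leak works
    print(hex(leak_hash(ADDR, keyed_hash(SECRET))))  # not ADDR: leak closed
```

Each round reveals only the residue for one table size; the reconstruction succeeds because the primes' product exceeds the 64-bit value space. With the keyed hash in place the same observation recovers the keyed digest rather than the address, which is exactly the property the mitigation relies on.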