A Google Project Zero researcher has detailed a novel technique for remotely leaking memory addresses on Apple’s macOS and iOS.
This method can bypass a key security feature, Address Space Layout Randomization (ASLR), without relying on traditional memory corruption vulnerabilities or timing-based side-channel attacks.
The research originated from a 2024 discussion within the Project Zero team about finding new ways to achieve remote ASLR leaks on Apple devices.
The researcher discovered a trick applicable to services that deserialize attacker-provided data, re-serialize the resulting objects, and then send the data back.
While no specific, real-world vulnerable attack surface was identified, a proof-of-concept was created using an artificial test case involving Apple’s NSKeyedArchiver serialization framework on macOS.
The researcher responsibly disclosed the findings to Apple, which addressed the underlying issue in its security updates on March 31, 2025.
The Attack Mechanism
The technique hinges on the predictable behavior of data serialization and the internal workings of Apple’s NSDictionary objects, which are essentially hash tables.
The attack’s goal is to leak the memory address of the NSNull singleton, a unique, system-wide object whose memory address is used as its hash value.
Leaking this hash value is equivalent to leaking the object’s address, which would undermine ASLR for the shared cache where it resides.
The attack unfolds in several steps:
- An attacker first crafts a serialized
NSDictionaryobject. This dictionary contains a mix ofNSNumberkeys, whose hash values can be controlled, and a singleNSNullkey. - The
NSNumberkeys are carefully chosen to occupy specific “buckets” within the hash table, creating a known pattern of filled and empty slots. - The victim application deserializes this object, creating the dictionary in memory. When the application re-serializes the object to send it back, it iterates through the hash table buckets in a predictable order.
- The position of the
NSNullkey in the returned data reveals which bucket it was placed in. This leaks partial information about its address, specifically the result of the address modulo the table’s size.
To reconstruct the full 64-bit address, the technique employs the Chinese Remainder Theorem. By sending an array of dictionaries of varying sizes (each with a different prime number of buckets), an attacker can gather multiple pieces of information about the address.
Combining these results makes it possible to calculate the complete memory address of the NSNull singleton, effectively breaking ASLR for that memory region.
This research demonstrates that using raw object pointers as hash keys in data structures can lead to direct information leaks if the serialized output is exposed.
Unlike classic side-channel attacks that measure timing differences, this method relies on the deterministic output of the serialization process.
The researcher suggests the most robust mitigation is to avoid using object addresses as lookup keys or to hash them with a keyed hash function to prevent the address from being exposed.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
