Google Project Zero has revealed a new technique capable of bypassing Address Space Layout Randomization (ASLR) protections on Apple devices. The finding, published by security researcher Jann Horn, stresses a novel way attackers could exploit deterministic behaviors in Apple’s serialization framework, specifically within NSKeyedArchiver and NSKeyedUnarchiver, to leak pointer values without triggering conventional memory safety flaws or using timing side channels.
Decoding the ASLR Bypass Vulnerability
The vulnerability lies in a subtle interaction between singleton objects, pointer-based hash values, and how NSDictionary serializes its contents. When an application deserializes attacker-controlled data, re-serializes it, and returns the result, a specific three-step pattern, it’s possible for the attacker to infer memory addresses of shared objects. This pattern becomes particularly dangerous when involving objects like NSNull, a singleton instance implemented in Apple’s Core Foundation (CFNull).
Horn’s write-up explains that NSNull’s hash value defaults to its memory address. Because this singleton resides at a fixed location within the system’s shared cache, it acts as an oracle, allowing an attacker to extract address information, effectively defeating ASLR.
Exploiting Serialization Behavior
Horn elaborated on how an attacker can craft serialized input using carefully selected NSNumber keys. These keys are hashed in a predictable way, allowing precise control over where they land in the internal hash table buckets of NSDictionary. Since NSDictionary uses probing hash tables with a prime-numbered bucket count and preserves insertion order during serialization, it’s possible to deduce where specific keys end up.
By combining this with the presence of an NSNull key, the attacker can determine where NSNull was placed in the serialized data. The key position reveals the result of hash_code % num_buckets, from which the attacker can begin reconstructing the pointer value of NSNull.
To escalate this technique, the attacker repeats the process using hash tables of various prime sizes, such as 23, 41, 71, and up to 1087 buckets. Through the Extended Euclidean Algorithm, they calculate the actual pointer value of the NSNull singleton, eventually determining its address precisely.
Practical Demonstration and Limitations
While no production-level service was identified that directly follows this deserialize–reserialize–return pattern in the wild, Horn created a testbed to demonstrate the feasibility. The proof-of-concept used an NSArray containing multiple NSDictionary objects, each constructed to target specific hash table sizes and bucket configurations.
The attacker-side tooling generated serialized input (~50 KiB in size), while the victim-side process re-serialized the data. Upon retrieving the result, the attacker could then determine in which bucket NSNull had landed in each dictionary and compute its memory address.
Despite its complexity, the attack’s implications are clear. It shows that ASLR can be undermined even without traditional bugs, simply through deterministic object behavior in serialization paths.
Apple’s Response and Mitigation
Apple addressed the issue in its March 31, 2025, security updates. Project Zero did not open a public bug tracker entry, citing the absence of an immediate attack surface. Still, Horn emphasized that any serialization framework should avoid using raw memory addresses as hash values, especially when those addresses are stable and accessible across processes.
He also recommended strict type allowlisting during deserialization, avoiding reserialization of attacker-controlled data, and not exposing serialized outputs across trust boundaries. These principles mirror long-standing best practices for defending against deserialization vulnerabilities.
A Broader View on Pointer Leaks
Horn connected this vulnerability to earlier academic research, including the 2011 hashDoS attacks that demonstrated how attackers can exploit predictable hashing to degrade performance. However, unlike hashDoS, this new method exploits hash order determinism for information leakage rather than denial-of-service.
He also referred to prior Google Project Zero findings on partial pointer leaks and ordering-based information disclosure, noting that the current technique generalizes those insights. Rather than relying on memory corruption or timing analysis, this vector uses the standard behavior of pointer-keyed collections in Apple’s frameworks.
