Security researchers have uncovered a novel attack targeting macOS systems running on Apple Silicon processors. Dubbed “SysBumps,” this attack exploits speculative execution vulnerabilities in system calls to bypass kernel isolation and break Kernel Address Space Layout Randomization (KASLR), a critical security feature.
The research team from Korea University, led by Hyerean Jang, Taehun Kim, and Youngjoo Shin, presented their findings in a paper titled “SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon.”
Their work represents the first successful KASLR break attack on macOS systems powered by Apple’s custom ARM-based chips.
KASLR is a defense mechanism that randomizes the memory layout of the kernel, making it harder for attackers to predict the location of specific functions or data structures.
By breaking KASLR, malicious actors can potentially exploit other vulnerabilities more easily, compromising system security.
SysBumps attack
The SysBumps attack leverages speculative execution, a performance optimization technique used in modern processors.
By exploiting Spectre-type vulnerabilities in certain macOS system calls, the researchers demonstrated that an unprivileged attacker could cause transient memory accesses to kernel addresses, even with kernel isolation enabled.
A key component of the attack involves using the Translation Lookaside Buffer (TLB) as a side channel to infer information about the kernel’s memory layout. The research team reverse-engineered the TLB structure of various M-series processors, uncovering previously unknown details about its architecture.
The attack works by constructing a distinguishing oracle that can determine whether a given kernel address is valid or not. This allows attackers to gradually map out the kernel’s memory space and ultimately determine its base address, effectively breaking KASLR.
How SysBumps Works
- Exploiting Speculative Execution: Certain macOS system calls perform validation checks on user-supplied arguments. By deliberately mistraining branch predictors, SysBumps induces the speculative execution of invalid inputs. This transient execution accesses kernel addresses, leaving detectable traces in the TLB if the address is valid.
- TLB Side-Channel Analysis: The attack uses a prime+probe technique to monitor TLB state changes. By measuring access latency, attackers can distinguish between valid and invalid kernel addresses.
- Breaking KASLR: Using this method, SysBumps identifies valid kernel address regions and calculates the kernel base address with high accuracy. Tests showed an average success rate of over 96% across various Apple Silicon processors.
The researchers successfully demonstrated the SysBumps attack across different M-series processors and macOS versions in their experiments.
The attack achieved an average accuracy of 96.28% in determining the kernel base address, with execution times of around 3 seconds.
What makes SysBumps particularly concerning is its ability to bypass existing kernel isolation techniques implemented in macOS. This highlights the ongoing challenges in securing modern operating systems against sophisticated side-channel attacks.
The discovery of SysBumps raises important questions about the security of Apple’s custom silicon and the effectiveness of current protection mechanisms.
As Apple continues to transition its product line to ARM-based processors, addressing such vulnerabilities becomes increasingly critical.
The researchers have responsibly disclosed their findings to Apple, who acknowledged the issue and are investigating its root cause.
To mitigate the SysBumps attack, the paper proposes several potential countermeasures. These include partitioning the data TLB between user and kernel space, modifying TLB behavior for invalid addresses, and employing code reordering techniques to prevent speculative execution of sensitive instructions.
As the tech industry grapples with the security implications of speculative execution and other microarchitectural optimizations, research like this serves as a reminder of the constant need for vigilance and innovation in cybersecurity.
The SysBumps attack underscores the complexity of securing modern computing systems, where performance optimizations can often lead to unexpected security vulnerabilities.
As Apple and other tech giants continue to push the boundaries of processor design, balancing performance and security remains an ongoing challenge.
Users of macOS systems, particularly those running on Apple Silicon, are advised to keep their systems updated with the latest security patches as they become available. While no immediate fix is available, Apple is likely to address this vulnerability in future software updates.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free