
    Note that I had submitted the paper here originally, but the paper was removed. The original lobsters link: https://people.csail.mit.edu/weontaek/pubs/PACMAN_ISCA22.pdf

      I’m not convinced of the risk of this particular attack - it seems the amount of system control required, and the nature of the kernel exploits required (the attack is to bypass a PAC auth blocking an exploit).

      However, I just want to point out, as I misunderstood initially: The paper uses a kext as part of the attack - that kext is not needed to launch this attack, it is only used in this case as the paper was not interested in finding an existing exploit in xnu (that might get a website, but probably not a publication). Instead the kext is just there to provide the required primitives to demonstrate that the paper’s attack works.