Sorry the article is so vague; I couldn’t find a better, more technical post. The meat of this story is that, in iOS 14.5, pointer authentication (literally signing pointers in memory) is being extended to the “isa” pointer located at offset 0 in every Objetive-C object. This points to the object’s class data (sorta like a C++ object’s vtable pointer.) Signing this pointer prevents unauthorized swizzling — changing the class of an existing object — which is a very powerful way to change behavior, and apparently widely used in iOS hacking.
I actually had never heard of pointer signing before. It sounded crazy to put a MAC in the high bits of a pointer and verify it while dereferencing, but it’s done in hardware by the CPU which I guess makes it fast enough to be practical.
It’s interesting that they’re doing this with the isa pointer, because Apple is already stealing all of the bits that PAC uses for a bunch of other things in Objective-C (inline ref count, for example).
Also known as memory tagging. It’s also a feature for new ARM chipsets.
PAC and MTE are not the same thing.
PAC is a extension that signs pointers whereas MTE adds tags to pointers and memory regions.
PAC is an ARMv8.3 extension; MTE is an ARMv8.5 extension.
Oops. Thanks, Alex :)