Sorry the article is so vague; I couldn’t find a better, more technical post. The meat of this story is that, in iOS 14.5, pointer authentication (literally signing pointers in memory) is being extended to the “isa” pointer located at offset 0 in every Objective-C object. This points to the object’s class data (sorta like a C++ object’s vtable pointer). Signing this pointer prevents unauthorized swizzling — changing the class of an existing object — which is a very powerful way to change behavior, and apparently widely used in iOS hacking.
I actually had never heard of pointer signing before. It sounded crazy to put a MAC in the high bits of a pointer and verify it while dereferencing, but it’s done in hardware by the CPU which I guess makes it fast enough to be practical.
It’s interesting that they’re doing this with the isa pointer, because Apple is already stealing all of the bits that PAC uses for a bunch of other things in Objective-C (inline ref count, for example).
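To make the mechanism in the comment above concrete, here is an added toy model of pointer authentication applied to an isa slot. It is illustration code written for this thread, not Apple's arm64e runtime or any real PAC implementation, and it assumes a 48-bit virtual address with a 16-bit authentication code in the top bits, the address of the isa slot as the signing context (a common PAC diversifier), and a splitmix64-style keyed mix standing in for the CPU's cipher. The class and object structs (`objc_class_model`, `objc_object_model`) and the key are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy PAC model (example code, not Apple's implementation).
 * Assumed layout: bits 0..47 hold the address, bits 48..63 hold a 16-bit
 * authentication code computed over (address, context, secret key). */
#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)
#define PAC_ERROR_BIT (1ULL << 62) /* mimics a non-canonical address that faults on use */

typedef struct { uint64_t k0, k1; } pac_key;

/* splitmix64 finalizer: a stand-in for the hardware cipher, not cryptographic. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* 16-bit MAC over the raw address and the context (here: the slot's address). */
static uint16_t pac_tag(uint64_t raw, uint64_t ctx, const pac_key *k) {
    return (uint16_t)(mix64(mix64(raw ^ k->k0) ^ mix64(ctx ^ k->k1)) >> 48);
}

/* Sign: keep the address bits, put the tag in the unused high bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, const pac_key *k) {
    uint64_t raw = ptr & VA_MASK;
    return raw | ((uint64_t)pac_tag(raw, ctx, k) << VA_BITS);
}

/* Authenticate: strip the tag if it verifies, otherwise poison the pointer
 * so that any dereference faults instead of silently using a forged value. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t ctx, const pac_key *k) {
    uint64_t raw = signed_ptr & VA_MASK;
    uint16_t tag = (uint16_t)(signed_ptr >> VA_BITS);
    if (tag == pac_tag(raw, ctx, k)) return raw;
    return raw | PAC_ERROR_BIT;
}

/* Constructed stand-ins for an Objective-C class and object. */
typedef struct { const char *name; int (*answer)(void); } objc_class_model;
typedef struct { uint64_t isa; int payload; } objc_object_model;

static int a_answer(void) { return 1; }
static int b_answer(void) { return 2; }
static objc_class_model class_a = { "A", a_answer };
static objc_class_model class_b = { "B", b_answer };

/* Constructed key; on real hardware this lives in system registers. */
static const pac_key process_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* The isa is signed with the slot's own address as context, so a signed
 * value is only valid in the object it was created for. */
void obj_init(objc_object_model *o, objc_class_model *cls) {
    o->isa = pac_sign((uint64_t)(uintptr_t)cls, (uint64_t)(uintptr_t)&o->isa, &process_key);
    o->payload = 0;
}

/* Dispatch path: authenticate isa before using it; NULL on failure. */
objc_class_model *obj_class(objc_object_model *o) {
    uint64_t p = pac_auth(o->isa, (uint64_t)(uintptr_t)&o->isa, &process_key);
    if (p & PAC_ERROR_BIT) return 0;
    return (objc_class_model *)(uintptr_t)p;
}

/* A correctly initialised object dispatches normally (returns 1). */
int demo_legit_dispatch(void) {
    objc_object_model o;
    obj_init(&o, &class_a);
    objc_class_model *c = obj_class(&o);
    return c ? c->answer() : -1;
}

/* Copying a validly signed isa from a class-B object into class-A objects
 * (the swizzle the comment describes) fails authentication because the
 * context differs; returns how many of the 64 copies were accepted. */
#define SLOTS 64
int demo_isa_replay_accepted(void) {
    objc_object_model victims[SLOTS], donor;
    int accepted = 0;
    obj_init(&donor, &class_b);
    for (int i = 0; i < SLOTS; i++) {
        obj_init(&victims[i], &class_a);
        victims[i].isa = donor.isa;   /* replayed signed pointer, no key needed */
        if (obj_class(&victims[i]) == &class_b) accepted++;
    }
    return accepted;
}

int main(void) {
    printf("legit dispatch -> %d\n", demo_legit_dispatch());
    printf("replayed isa accepted in %d of %d objects\n", demo_isa_replay_accepted(), SLOTS);
    return 0;
}
```

Two things the model shows that the prose does not: a replayed or patched isa is not just "wrong", it is poisoned into a non-canonical pointer, so the next use crashes the process rather than quietly dispatching to the wrong class; and with only 16 tag bits each guess has a 1 in 65536 chance, which is why the crash-on-mismatch behaviour matters for defence. The packing of the inline refcount and other fields into the isa that the comment above mentions is ignored here; a real implementation has to carve those bits out of the same word.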
Also known as memory tagging. It’s also a feature for new ARM chipsets.
PAC and MTE are not the same thing.
PAC is an extension that signs pointers whereas MTE adds tags to pointers and memory regions.
PAC is an ARMv8.3 extension; MTE is an ARMv8.5 extension.
Oops. Thanks, Alex :)