1. 5
  1. 18

    Sorry the article is so vague; I couldn’t find a better, more technical post. The meat of this story is that, in iOS 14.5, pointer authentication (literally signing pointers in memory) is being extended to the “isa” pointer located at offset 0 in every Objective-C object. This points to the object’s class data (sorta like a C++ object’s vtable pointer.) Signing this pointer prevents unauthorized swizzling — changing the class of an existing object — which is a very powerful way to change behavior, and apparently widely used in iOS hacking.

    I actually had never heard of pointer signing before. It sounded crazy to put a MAC in the high bits of a pointer and verify it while dereferencing, but it’s done in hardware by the CPU which I guess makes it fast enough to be practical.
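The scheme the comment above describes (a MAC over the address bits, stored in the unused high bits of the pointer and checked on every dereference) modeled in C as an added example. This is not Apple's, ARM's or the commenter's code: hardware PAC uses the QARMA cipher with keys held in system registers, and here a small keyed mixing function (`toy_mac`) stands in for it. The 48-bit address width, the 16-bit PAC, the use of the object's own address as the signing modifier, the per-process key value, and the `objc_class` / `objc_object` structs and all function names are assumptions made for the illustration, not the real Objective-C runtime layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Added toy model of ARMv8.3 pointer authentication (PAC) applied to an
 * Objective-C-style isa pointer.  Not Apple's or ARM's code: hardware PAC
 * uses the QARMA cipher with keys in system registers; a small keyed mixing
 * function (toy_mac) stands in for it here. */

#define VA_BITS   48u                        /* assumed usable address width */
#define PAC_BITS  (64u - VA_BITS)            /* bits left over for the MAC  */
#define VA_MASK   ((1ULL << VA_BITS) - 1ULL)
#define PAC_MASK  ((1ULL << PAC_BITS) - 1ULL)
#define PAC_ERROR_BIT (1ULL << 62)           /* set on failure so a deref faults */

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Constructed stand-in for the hardware MAC (keyed and non-linear, NOT secure). */
static uint64_t toy_mac(pac_key_t key, uint64_t value, uint64_t modifier) {
    uint64_t h = (value ^ key.k0) + (modifier ^ key.k1);
    h ^= h >> 30; h *= 0xbf58476d1ce4e5b9ULL;
    h ^= h >> 27; h *= 0x94d049bb133111ebULL;
    h ^= h >> 31;
    return h;
}

/* Sign: MAC the address bits together with a modifier ("salt") and keep
 * PAC_BITS of the result in the top of the pointer. */
static uint64_t pac_sign(pac_key_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t addr = ptr & VA_MASK;
    uint64_t pac  = toy_mac(key, addr, modifier) & PAC_MASK;
    return addr | (pac << VA_BITS);
}

/* Authenticate: recompute and compare.  On mismatch return an address with an
 * error bit set (as the hardware does) rather than the raw attacker bits. */
static uint64_t pac_auth(pac_key_t key, uint64_t signed_ptr, uint64_t modifier, int *ok) {
    uint64_t addr = signed_ptr & VA_MASK;
    *ok = (pac_sign(key, addr, modifier) == signed_ptr);
    return *ok ? addr : (addr | PAC_ERROR_BIT);
}

/* Minimal object model (assumed layout): the class carries a method table,
 * the object stores a signed pointer to its class at offset 0. */
typedef struct { const char *name; const char *(*describe)(void); } objc_class;
typedef struct { uint64_t isa; } objc_object;

static const char *describe_a(void) { return "I am an A"; }
static const char *describe_b(void) { return "I am a B"; }
static objc_class class_a = { "A", describe_a };
static objc_class class_b = { "B", describe_b };

/* Per-process signing key (constructed value). */
static const pac_key_t process_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* Modifier choice (assumed, not Apple's exact scheme): the object's own
 * address, so a valid isa from one object cannot simply be copied to another. */
static uint64_t isa_modifier(const objc_object *obj) { return (uint64_t)(uintptr_t)obj; }

/* What the runtime does when it installs a class pointer. */
static void object_set_isa(objc_object *obj, objc_class *cls) {
    obj->isa = pac_sign(process_key, (uint64_t)(uintptr_t)cls, isa_modifier(obj));
}

/* Every read of isa goes through authentication; NULL if the check fails. */
static objc_class *object_get_class(const objc_object *obj) {
    int ok;
    uint64_t addr = pac_auth(process_key, obj->isa, isa_modifier(obj), &ok);
    return ok ? (objc_class *)(uintptr_t)addr : NULL;
}

/* 1 if a properly installed isa authenticates and resolves to class A. */
int legit_isa_authenticates(void) {
    objc_object obj;
    object_set_isa(&obj, &class_a);
    return object_get_class(&obj) == &class_a;
}

/* 1 if an isa overwritten with a raw, unsigned class address is rejected:
 * a plain memory write without the key does not produce a valid PAC. */
int raw_isa_overwrite_rejected(void) {
    objc_object obj;
    object_set_isa(&obj, &class_a);
    obj.isa = (uint64_t)(uintptr_t)&class_b;       /* raw bits, no valid PAC */
    return object_get_class(&obj) == NULL;
}

/* 1 if replaying a validly signed isa taken from another object is rejected,
 * because the modifier (the object address) differs. */
int copied_isa_rejected(void) {
    objc_object a, b;
    object_set_isa(&a, &class_a);
    object_set_isa(&b, &class_b);
    a.isa = b.isa;                                  /* valid signature, wrong object */
    return object_get_class(&a) == NULL;
}

int main(void) {
    printf("legit isa authenticates:   %d\n", legit_isa_authenticates());
    printf("raw overwrite rejected:    %d\n", raw_isa_overwrite_rejected());
    printf("copied isa rejected:       %d\n", copied_isa_rejected());
    return 0;
}
```

The point the model makes is the one the comment draws: with the MAC checked on every dereference, neither writing a class address into the isa slot nor copying a signed isa between objects yields a usable class pointer, and the dereference becomes a fault rather than a silent change of behaviour. The check costs a recomputation of the MAC per dereference, which is why this is only practical with hardware support; the toy hash here is a placeholder, not a drop-in for QARMA.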

    1. 1

      It’s interesting that they’re doing this with the isa pointer, because Apple is already stealing all of the bits that PAC uses for a bunch of other things in Objective-C (inline ref count, for example).

      1. 1

        Also known as memory tagging. It’s also a feature for new ARM chipsets.

        1. 9

          PAC and MTE are not the same thing.

          PAC is an extension that signs pointers whereas MTE adds tags to pointers and memory regions.

          PAC is an ARMv8.3 extension; MTE is an ARMv8.5 extension.

          1. 1

            Oops. Thanks, Alex :)