Red Hot Cyber

Google Project Zero Researcher Reveals How to Bypass ASLR on macOS and iOS

Redazione RHC : 29 September 2025 08:45

A researcher on Google’s Project Zero team has revealed a new method for remotely exfiltrating memory addresses on Apple’s macOS and iOS operating systems. The research stemmed from a 2024 discussion within the Project Zero team about finding new ways to remotely leak ASLR on Apple devices.

One method discovered by the researcher appears to be applicable to services that accept attacker-provided data, deserialize it, then reserialize the resulting objects and send the data back. This method can bypass a key security feature, Address Space Layout Randomization (ASLR), without resorting to traditional memory corruption vulnerabilities or timing-based side-channel attacks.

Unlike traditional side-channel attacks that measure time differences, this method relies on the deterministic output of the serialization process. While no specific, real-world vulnerable attack surface has been identified, a proof-of-concept was created using an artificial test case involving NSKeyedArchiver, Apple’s serialization framework on macOS.

The technique relies on the predictable behavior of data serialization and the internal workings of Apple's NSDictionary objects, which are essentially hash tables. The attack aims to leak the memory address of the NSNull singleton, a system-wide, unique object whose memory address is used as its hash value.

Leaking this hash value is equivalent to leaking the object’s address, which would compromise ASLR for the shared cache it resides in. The attack involves several stages:

  • An attacker first creates a serialized NSDictionary object. This dictionary contains a mix of NSNumber keys, whose hash values can be inspected, and a single NSNull.
  • The NSNumber keys are carefully chosen to occupy specific “buckets” within the hash table, creating a known pattern of filled and empty slots.
  • The victim application deserializes this object, creating the dictionary in memory. When the application reserializes the object to send it back, it iterates through the hash table buckets in a predictable order.
  • The position of the NSNull key in the returned data reveals which bucket it was placed in. This reveals partial information about its address, specifically the address modulo the table size.

This research demonstrates that using raw object pointers as hash keys in data structures can lead to direct information leakage if the serialized output is exposed.

According to the researcher, the most effective mitigation is to avoid using object addresses as lookup keys, or to apply a keyed hash function to them so that the address is never exposed.
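The bucket-position leak described in the steps above, and the keyed-hash mitigation just mentioned, reduced to a runnable Python model. This is an added example, not the researcher's proof of concept or any Apple code: `ToyTable`, `Sentinel`, `pointer_hash`, `keyed_hash` and `round_trip` are all constructed here, and the table size, secret and sample address are illustrative.

```python
import hmac
import hashlib
import os

TABLE_SIZE = 8                       # constructed: tiny table so the leak is easy to read
PROCESS_SECRET = os.urandom(16)      # per-process key used by the hardened variant

class Sentinel:
    """Stands in for the NSNull singleton: all it has is an address."""
    def __init__(self, address):
        self.address = address

class ToyTable:
    """Open-addressing hash table. serialize() walks the buckets in order, which is
    the deterministic step that reveals the bucket a key landed in."""
    def __init__(self, hash_fn, size=TABLE_SIZE):
        self.hash_fn, self.size = hash_fn, size
        self.buckets = [None] * size

    def insert(self, key):
        idx = self.hash_fn(key) % self.size
        while self.buckets[idx] is not None:     # linear probing on collision
            idx = (idx + 1) % self.size
        self.buckets[idx] = key

    def serialize(self):
        return [k for k in self.buckets if k is not None]

def pointer_hash(key):
    """Leaky scheme: the singleton hashes to its raw address, ints to their value."""
    return key.address if isinstance(key, Sentinel) else key

def keyed_hash(key):
    """Mitigation: pass the same inputs through a keyed PRF before bucketing."""
    raw = key.address if isinstance(key, Sentinel) else key
    digest = hmac.new(PROCESS_SECRET, raw.to_bytes(8, "little"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little")

def round_trip(hash_fn, address):
    """Model of deserialize-then-reserialize: insert the sentinel, then ints 0..size-2
    that pin every other bucket, and return the sentinel's index in the output."""
    table = ToyTable(hash_fn)
    table.insert(Sentinel(address))
    for marker in range(TABLE_SIZE - 1):
        table.insert(marker)
    out = table.serialize()
    return next(i for i, k in enumerate(out) if isinstance(k, Sentinel))
```

With `pointer_hash` the returned index always equals `address % TABLE_SIZE`, so the serialized output hands back the low bits of the singleton's address; with `keyed_hash` the index depends on the per-process secret and carries no information about the address.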

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
