A new attack dubbed “SysBumps” has been discovered, targeting macOS systems running on Apple Silicon processors. The attack exploits vulnerabilities in speculative execution, a technique used by modern processors to optimize performance. By manipulating system calls, SysBumps bypasses a critical security feature known as Kernel Address Space Layout Randomization (KASLR), which is designed to make it harder for attackers to predict the memory layout of the kernel. The discovery of this attack marks a significant breakthrough, as it is the first known KASLR break attack on Apple Silicon-based macOS systems.
The researchers, led by Hyerean Jang, Taehun Kim, and Youngjoo Shin from Korea University, used the Translation Lookaside Buffer (TLB) as a side channel to infer kernel memory layout. By employing a prime+probe technique, they successfully mapped out the kernel’s memory space with a remarkable 96.28% accuracy in determining the kernel base address. The attack is particularly concerning because it works even with kernel isolation techniques enabled, highlighting potential weaknesses in current macOS defenses.
What sets SysBumps apart from other speculative execution attacks is its ability to circumvent existing protections on Apple Silicon. The findings underscore the ongoing challenge of balancing performance optimization with security in modern processors. Researchers have proposed several countermeasures to mitigate the attack, including partitioning the TLB between user and kernel space, altering how invalid addresses are handled, and implementing code reordering to prevent speculative execution from targeting sensitive data. These measures, if adopted, could help mitigate the risk of SysBumps and similar attacks in the future.
Apple has acknowledged the researchers’ responsible disclosure and is actively investigating the issue. Although no immediate fix is available, users are advised to stay updated with the latest security patches as Apple works on potential solutions. The SysBumps discovery highlights a growing concern in the security of ARM-based processors, as Apple continues to transition its devices to these chips. It serves as a reminder that securing modern computing systems requires constant vigilance, especially as new vulnerabilities in microarchitecture optimizations continue to emerge.
Reference:
