A researcher from Google's Project Zero has described a new way to leak memory addresses from Apple's macOS and iOS platforms.
The technique defeats Address Space Layout Randomization (ASLR) for the affected region without relying on a conventional memory corruption bug or a timing-based side channel.
This research was sparked during a discussion in 2024 among the Project Zero team, focusing on discovering new methodologies for eliciting remote ASLR leaks from Apple devices.
The researcher uncovered a tactic applicable to services that deserialize externally provided data, re-serialize the resultant objects, and then return the data.
No specific real-world vulnerability was identified; instead, a proof of concept was built against an artificial test case that uses Apple's NSKeyedArchiver serialization framework on macOS.
The researcher reported the findings to Apple, which addressed the underlying weakness in the security updates released on March 31, 2025.
The Attack Mechanism
The technique relies on the deterministic ordering of serialized output combined with the internal layout of Apple's NSDictionary objects, which are implemented as hash tables.
The target of the attack is the memory address of the NSNull singleton, a single, globally shared object whose hash value is its own memory address.
Leaking that hash value is therefore the same as leaking the object's address, which defeats ASLR for the shared cache in which the singleton lives.
The execution of the attack proceeds in several stages:
- The attacker first constructs a serialized NSDictionary containing a mix of attacker-controlled NSNumber keys and a single NSNull key.
- The NSNumber keys are chosen to occupy specific buckets of the hash table, producing a recognizable pattern of occupied and vacant slots.
- When the victim application deserializes the data, the dictionary is rebuilt in memory. When it re-serializes the object for transmission, it walks the hash table buckets in a fixed order.
- The position of the NSNull key in the returned data reveals which bucket it occupies, which leaks part of its address: the address modulo the number of buckets.

To reconstruct the full 64-bit address, the technique uses the Chinese Remainder Theorem. By sending an array of dictionaries of different sizes, each with a distinct prime number of buckets, the attacker learns the address modulo each prime.
Combining these residues yields the address modulo the product of the primes; once that product exceeds the address range, this pins down the full memory address of the NSNull singleton and defeats ASLR for that region.
The research shows that using raw object pointers as hash keys in a data structure can turn into a direct information leak whenever the serialized output is returned to an untrusted party.
Unlike traditional side-channel attacks that depend on timing differences, this method exploits only the deterministic behaviour of the serialization process.
The researcher recommends that the most effective mitigation strategy is to refrain from using object addresses as lookup keys or to protect them through a keyed hash function to prevent exposure.
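The following is an added simulation, written for this article and not code from Project Zero or Apple, of the leak described above and of the keyed-hash mitigation recommended in the previous paragraph. The hash-table layout is an assumed model rather than the real CFDictionary implementation: open addressing with linear probing, a fixed prime bucket count, NSNumber keys hashing to their integer value, the NSNull key hashing to its address, keys inserted in the order they appear in the archive, and re-serialization in bucket order. The address, the primes and the secret key are constructed values.

```python
"""Simplified model of the NSDictionary serialization-order leak described
above. Nothing here is Apple's code; the table layout is an assumed model:
open addressing with linear probing, a fixed prime bucket count, NSNumber
keys hashing to their integer value, the NSNull key hashing to its address,
keys inserted in archive order and re-serialized in bucket order."""
import hashlib
from functools import reduce

NSNULL = "NSNull"  # stands in for the singleton key


class ModelDict:
    """Assumed hash-table model (not the real CFDictionary implementation)."""

    def __init__(self, nbuckets, nsnull_addr, hash_key=None):
        self.n = nbuckets
        self.addr = nsnull_addr
        self.hash_key = hash_key  # if set, apply the keyed-hash mitigation
        self.buckets = [None] * nbuckets

    def _hash(self, key):
        if key != NSNULL:
            return key  # assumption: an NSNumber hashes to its integer value
        if self.hash_key is None:
            return self.addr  # raw pointer used as the hash value: the leak
        # Mitigation: keyed hash of the address under a per-process secret key.
        digest = hashlib.blake2b(self.addr.to_bytes(8, "little"),
                                 key=self.hash_key, digest_size=8).digest()
        return int.from_bytes(digest, "little")

    def insert(self, key):
        i = self._hash(key) % self.n
        for _ in range(self.n):
            if self.buckets[i] is None:
                self.buckets[i] = key
                return
            i = (i + 1) % self.n  # linear probe on collision
        raise RuntimeError("table full")

    def serialize(self):
        """Re-serialization walks the buckets in index order."""
        return [k for k in self.buckets if k is not None]


def build_archive(p):
    """Attacker-controlled archive for a table of p buckets.

    NSNull is listed first, so the victim inserts it into an empty table and
    it lands in its home bucket addr mod p. The NSNumber keys 0..p-2 then
    occupy buckets 0..p-2, each one shifted right by one slot once it reaches
    NSNull's bucket, so NSNull's rank in the output equals its home bucket.
    """
    return [NSNULL] + list(range(p - 1))


def victim_roundtrip(archive, p, nsnull_addr, hash_key=None):
    """Victim service: deserialize into a dictionary, then re-serialize it."""
    d = ModelDict(p, nsnull_addr, hash_key)
    for key in archive:
        d.insert(key)
    return d.serialize()


def residue_from_output(output):
    """NSNull's position in the returned data is its home bucket: addr mod p."""
    return output.index(NSNULL)


def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise coprime moduli; return (x, prod m_i)."""
    M = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)  # modular inverse (Python 3.8+)
    return x % M, M


def recover_address(nsnull_addr, primes, hash_key=None):
    """One round trip per prime-sized table, then combine the residues."""
    residues = [
        residue_from_output(victim_roundtrip(build_archive(p), p, nsnull_addr, hash_key))
        for p in primes
    ]
    return crt(residues, primes)


# Five tables of about 1000 buckets: the product of the primes (~1.1e15)
# exceeds 2^48, enough to pin down a 48-bit user-space address.
PRIMES = [1009, 1013, 1019, 1021, 1031]
SECRET_ADDR = 0x1F0A3C5D8E70  # constructed stand-in for the slid NSNull address

if __name__ == "__main__":
    leaked, modulus = recover_address(SECRET_ADDR, PRIMES)
    print(f"leaked {leaked:#x} (mod {modulus}), real {SECRET_ADDR:#x}")
    guess, _ = recover_address(SECRET_ADDR, PRIMES, hash_key=b"per-process-secret")
    print(f"with a keyed hash the same procedure yields {guess:#x}")
```

With the raw pointer as hash value, the five round trips recover SECRET_ADDR exactly; with the keyed hash, the same procedure reconstructs only the keyed digest modulo the product of the primes, which says nothing about the address. In a real deployment the table would also grow as it fills, which the model ignores; the attacker would have to pick key counts that leave the bucket count at the intended prime.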
Source link: Cybersecuritynews.com.