GoKawiilThe team behind the first public macOS kernel memory corruption exploit on M5 silicon has shared fresh details on how Mythos Preview helped bypass a five-year Apple security effort in five days.
A bit of technical background
Last year, Apple introduced Memory Integrity Enforcement (MIE), a hardware-assisted memory safety system designed to make memory corruption exploits much harder to execute.
As Apple explained, MIE is basically built on Arm’s Memory Tagging Extension (MTE), which is a 2019 specification that works “as a tool for hardware to help find memory corruption bugs.”
Here’s Apple:
MTE is, at its core, a memory tagging and tag-checking system, where every memory allocation is tagged with a secret; the hardware guarantees that later requests to access memory are granted only if the request contains the correct secret. If the secrets don’t match, the app crashes, and the event is logged. This allows developers to identify memory corruption bugs immediately as they occur.
The problem is that Apple found that MTE wasn’t robust enough under certain circumstances, so it developed MIE and built it “into Apple hardware and software in all models of iPhone 17 and iPhone Air.”
To sum up, MIE is Apple’s hardware-assisted memory safety system. It is built on Arm’s MTE specification and uses the chip itself to help detect and block certain memory corruption attacks before they can be exploited.
You can learn more about MIE here.
Enter, the Calif team
... continue reading