top | item 31696128

jprx | 3 years ago

Hi! I think I can clear a few things up here.

Our goal is to demonstrate that we can learn the PAC for a kernel pointer from userspace. Just demonstrating that this is even possible is a big step in the understanding of how mitigations like pointer authentication can be thought of in the Spectre era.

We do not aim to be a zero day, but instead aim to be a way of thinking about attacks / an attack methodology.

The timer used in the attack does not require a kext (we just use the kext for doing reverse engineering) but the attack itself never uses the kext timer. All of the attack logic lives in userspace.

Provided the attacker finds a suitable PACMAN Gadget in the kernel (and the requisite memory corruption bug), they can conduct our entire attack from userspace with our multithread timer. You are correct that the PACMAN Gadget we demonstrate in the paper does live in a kext we created; however, we believe PACMAN Gadgets are readily available for a determined attacker (our static analysis tool found 55,159 potential spots that could be turned into PACMAN Gadgets inside the 12.2.1 kernel).

Our paper is available at our website: https://pacmanattack.com/paper.pdf
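The "multithread timer" mentioned above is the standard Spectre-era substitute for a cycle counter that userspace cannot read: one thread increments a shared counter as fast as it can, and the measuring thread reads that counter before and after the access it wants to time. The block below is an added illustration of that primitive, written for this page; it is not the PACMAN authors' timer or any code from the paper. It assumes POSIX threads, a 64 MiB walk as a portable stand-in for an explicit cache flush (large enough to evict the target line on typical caches, not guaranteed), and a compiler barrier where a real arm64 measurement would add instruction and data barriers. All function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Shared counter bumped continuously by a helper thread. Reading it before
 * and after an operation gives a coarse "tick" count even where the hardware
 * cycle counter is not readable from userspace. */
static _Atomic uint64_t g_ticks;
static _Atomic int g_run;
static pthread_t g_counter;

static void *counter_thread(void *arg)
{
    (void)arg;
    while (atomic_load_explicit(&g_run, memory_order_relaxed))
        atomic_fetch_add_explicit(&g_ticks, 1, memory_order_relaxed);
    return NULL;
}

/* Start the counter thread. Returns 0 on success (the pthread_create result). */
int timer_start(void)
{
    atomic_store(&g_ticks, 0);
    atomic_store(&g_run, 1);
    return pthread_create(&g_counter, NULL, counter_thread, NULL);
}

/* Stop and join the counter thread; the tick value stops advancing. */
void timer_stop(void)
{
    atomic_store(&g_run, 0);
    pthread_join(g_counter, NULL);
}

static inline uint64_t now_ticks(void)
{
    /* Compiler barrier so the measured access is not moved across the read.
     * A real arm64 measurement would add isb/dsb here as well (assumption). */
    __asm__ volatile("" ::: "memory");
    uint64_t t = atomic_load_explicit(&g_ticks, memory_order_seq_cst);
    __asm__ volatile("" ::: "memory");
    return t;
}

/* Ticks that elapse while the caller sleeps for `us` microseconds.
 * A self-check that the counter thread is actually being scheduled. */
uint64_t ticks_over_sleep(long us)
{
    struct timespec ts = { us / 1000000L, (us % 1000000L) * 1000L };
    uint64_t t0 = now_ticks();
    nanosleep(&ts, NULL);
    return now_ticks() - t0;
}

/* Ticks taken by one load of *p (0 when the counter thread is stopped). */
uint64_t time_load(volatile uint8_t *p)
{
    uint64_t t0 = now_ticks();
    uint8_t v = *p;
    __asm__ volatile("" :: "r"(v));   /* keep the load from being dropped */
    return now_ticks() - t0;
}

/* Walk a buffer larger than the caches so `target` is very likely evicted,
 * then time the reload. Portable stand-in for clflush / dc civac. */
uint64_t time_load_after_eviction(volatile uint8_t *target,
                                  uint8_t *evict_buf, size_t evict_len)
{
    for (size_t i = 0; i < evict_len; i += 64)
        evict_buf[i]++;
    return time_load(target);
}

int main(void)
{
    const size_t evict_len = (size_t)64 << 20;     /* 64 MiB, assumed > cache */
    uint8_t *evict_buf = malloc(evict_len);
    uint8_t *target = malloc(4096);
    if (!evict_buf || !target || timer_start() != 0)
        return 1;

    (void)time_load(target);                       /* bring the line in */
    uint64_t hit = time_load(target);
    uint64_t miss = time_load_after_eviction(target, evict_buf, evict_len);
    printf("cache hit: %llu ticks, cache miss: %llu ticks\n",
           (unsigned long long)hit, (unsigned long long)miss);

    timer_stop();
    free(evict_buf);
    free(target);
    return 0;
}
```

Run it a few times: the miss count should sit reliably above the hit count, which is all a PAC-guessing loop needs, since it only has to tell "the speculative verification loaded the line" from "it did not". The resolution is whatever the counter core can manage per increment, so pin the two threads to different cores if the gap is noisy, and expect the measurement to be meaningless on a single core, where the counter thread cannot run concurrently with the measuring one.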

ben7799|3 years ago

Something definitely went wrong here, though, in that more guidance was not provided to the tech journalists.

Most of the mainstream articles make it seem like they a) did not read the paper b) are incapable of understanding the paper c) were not provided any guidance about what any of this actually means in the real world.

Which is all scary as the paper is well written and very accessible IMO.

bee_rider|3 years ago

Based on the article, I think the journalist basically understands the situation (and if they don't, they should investigate further, that's the job). The headline is just intentionally over-dramatic to get clicks. This shouldn't be treated as a good-faith error, more guidance isn't required and wouldn't help.

TrevorJ|3 years ago

>Most of the mainstream articles make it seem like they a) did not read the paper b) are incapable of understanding the paper

This seems pretty par for the course in terms of science/tech journalism to be honest.

nomel|3 years ago

> It's kind of ridiculous it's getting this kind of press

> Something definitely went wrong here though

Both of these have the same reason: it's about Apple. I know someone that avoids telling people that they work at Apple, to avoid similar drama.

marcosdumay|3 years ago

a) did not read the paper

Yeah, that's a given. Journalists do not have time for optional tasks.

b) are incapable of understanding the paper

That's a safe bet.

c) were not provided any guidance

Asking for guidance or clarifications is another one of those optional tasks.

azinman2|3 years ago

Welcome to tech journalism.

nl|3 years ago

The Techcrunch article is well written and I thought summarises this rather well.

The headline is pretty reasonable too. Apple can't patch this, and as other commentators point out subsequent attack techniques are only going to make this flaw worse.

ksec|3 years ago

Everything you listed is at the very end of the list of things that matter to the modern-day journalist. If they even make the list.

But reading your comment does sort of put a smile on my face though. What others would call a non-cynical world view.

jazzyjackson|3 years ago

d) were given about 90 minutes to write the article

slime3377|3 years ago

95% of journalism is at this level of understanding for anything non-liberal-arts that is commonly offered as a 4-year degree, and has been for as long as journalism has existed.

fulafel|3 years ago

I really sympathise with how your research is being misunderstood based on the reporting and responses to the press stuff missing the main point. And everyone equating modern ARM with "M1"... Anyway, awesome work! Let's hope pointer authentication gets a thorough treatment from the research community and you and other people can build further exciting results on your work!

vinay_ys|3 years ago

Given there are "55,159 potential spots that could be turned into PACMAN Gadgets", do you think it is highly probable this attack is now part of a zero-day kill chain?

ungamed|3 years ago

100% chance.

KennyBlanken|3 years ago

You didn't clear up anything about publicizing this heavily in mainstream press before it's been reviewed by your peers.

elseless|3 years ago

It has been reviewed by the author’s peers — it was accepted to ISCA ‘22.

nostrebored|3 years ago

What are you hoping for here? Look at the facts as written.