
Security researchers from Korea University have unveiled an attack that successfully bypasses Kernel Address Space Layout Randomization (KASLR) on macOS running on Apple Silicon processors. Dubbed “SysBumps”, this attack exploits speculative execution vulnerabilities in macOS system calls, allowing unprivileged attackers to infer kernel addresses and defeat one of macOS’s most fundamental security defenses.
The vulnerability, tracked as CVE-2024-54531, allows an app to bypass KASLR, effectively revealing the kernel’s memory layout. This flaw leverages speculative execution during system calls, a previously unexploited weakness in Apple’s kernel isolation implementation.
KASLR is a crucial kernel hardening mechanism that randomizes memory addresses to prevent attackers from easily locating key system structures. Apple has reinforced KASLR in macOS for Apple Silicon with kernel isolation, separating user-space and kernel-space address layouts. However, SysBumps takes advantage of a critical flaw in speculative execution during system calls, breaking KASLR with 96.28% accuracy across Apple’s M-series processors.
“By using Spectre-type gadgets in system calls, an unprivileged attacker can cause translations of the attacker’s chosen kernel addresses, causing the TLB to change according to the validity of the address,” the researchers explained.
The SysBumps attack involves a multi-stage process:
- Triggering Speculative Execution: Attackers craft malicious system calls that exploit speculative execution to bypass kernel address validation checks.
- TLB Probing: By reverse-engineering the TLB architecture, attackers can probe the TLB state to determine the validity of kernel addresses.
- Revealing Kernel Layout: Through repeated TLB probing, attackers can deduce the base addresses of kernel components, effectively breaking KASLR.
The SysBumps attack has been successfully tested on multiple Apple Silicon devices and macOS versions:
- Affected Apple Silicon devices:
  - M1, M1 Pro, M2, M2 Pro, M2 Max, M3, M3 Pro
- Affected macOS versions:
  - 13.1 – 15.1 (earlier versions may also be vulnerable but remain untested)
Researchers published a proof-of-concept (PoC) exploit on GitHub, raising concerns about potential real-world attacks leveraging the CVE-2024-54531 vulnerability.
Apple has addressed this vulnerability in macOS Sequoia 15.2 with improved memory handling. Users are urged to update their systems immediately to mitigate the risk of exploitation.
With a proof-of-concept exploit already available, organizations using macOS in sensitive environments should prioritize patching to prevent potential exploitation. Cybercriminals and APT groups could weaponize this technique for stealthy, highly targeted attacks.
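For administrators checking fleet compliance, the following POSIX shell script (an added example, not from the researchers or Apple) classifies a macOS version string against the ranges reported above: 13.1 through 15.1 is reported affected, 15.2 and later carries the fix, and anything older than 13.1 is untested. The `vercmp` and `sysbumps_status` helper names are assumptions; `sw_vers` is the standard macOS tool for reading the product version.

```shell
#!/bin/sh
# Added example: map a macOS product version to its CVE-2024-54531 status
# using the version ranges reported in the article.

# Compare two dotted version strings numerically (so 15.10 > 15.2).
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing components count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0;
            yi = (i in y) ? y[i] + 0 : 0;
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Classify a version: "fixed" (>= 15.2), "affected" (13.1 .. 15.1),
# or "untested" (< 13.1, which the researchers did not test).
sysbumps_status() {
    if [ "$(vercmp "$1" 15.2)" -ge 0 ]; then
        echo fixed
    elif [ "$(vercmp "$1" 13.1)" -ge 0 ]; then
        echo affected
    else
        echo untested
    fi
}

# Report on the local host when run on macOS; does nothing harmful elsewhere.
check_host() {
    if command -v sw_vers >/dev/null 2>&1; then
        v=$(sw_vers -productVersion)
        case "$(sysbumps_status "$v")" in
            fixed)    echo "macOS $v: includes the 15.2 fix" ;;
            affected) echo "macOS $v: in reported affected range, update to 15.2 or later" ;;
            untested) echo "macOS $v: older than the tested range, treat as unpatched" ;;
        esac
    else
        echo "sw_vers not found: not running on macOS"
    fi
}

check_host
```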