
Examining Pointer Authentication on the iPhone XS - phenylene
https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html?m=1
======
bepvte
I love Project Zero's write-ups, but I wish they published more about Android.

~~~
close04
I remember seeing more Google product related articles on their blog up until
a couple of years ago. Then they stopped or slowed down, or at least they seem
to concentrate a lot more on Apple and Microsoft. I guess some bugs are
disclosed internally and fixed before they go public and some may not warrant
blog posts.

I am sure they're working on finding bugs in Google code but just like any
other company they're not going to shoot themselves in the foot by advertising
these internal findings more than needed.

~~~
zamadatix
Just to take a look I opened the Project Zero main blog page and the newest
article was on a bug in
[https://github.com/google/skia/](https://github.com/google/skia/) so I'm not
sure I can take your comment with any ounce of credibility.

------
stefan_
So Apple publishes some kernel source code under a license that basically only
permits you to look at it, presumably for security researchers. Apple then
also redacts security related code from the published code, going so far as to
partially redact functions, only making them appear complete. Weaknesses are
then found, of course, in code they redacted.

Feeling a bit schizophrenic here.

~~~
profquail
I didn’t see the article say anything about redacting code? The XNU kernel
(used in macOS and iOS) is open-source and has been for some time:
[https://github.com/apple/darwin-xnu](https://github.com/apple/darwin-xnu)

My reading of the article was that Apple has some custom logic in the A12 (for
the implementation of the pointer authentication extensions) and has made
some (unreleased) modifications to the XNU code to utilize that custom logic.
The article is the author reverse-engineering the unreleased modifications and
working out how they interact with the A12, to try to discover exploitable
weaknesses in the implementation.

~~~
csande17
From the article:

> The part [of the comments in the released source] about the "pointer"
> containing authenticated, hasBKey, and hasDKey bits suggests that this code
> is dealing with authenticated pointers, although all the code that actually
> performs PAC operations has been removed from the public sources.

The researcher suspects Apple started with a version of the XNU code that
supported the A12 logic, then removed the lines of code that actually
performed the operations before publicly releasing it. In other words, Apple
redacted security-related parts of the XNU source.

To me, at least, that's different from Apple creating a new XNU version that
supports pointer authentication and not releasing it at all.

