
Splitting atoms in XNU - wardn
https://googleprojectzero.blogspot.com/2019/04/splitting-atoms-in-xnu.html
======
eljimmy
Blows my mind that there’s people who figure this stuff out. Do they just
spend their day to day time at work attempting all sorts of variations of this
kind of stuff? How often does discovery or research like this lead to a dead
end?

~~~
onemoresoop
Apple pays handsomely for bugs, they have a bug bounty program (1). At some
point there are fewer and fewer exploits and the system becomes harder to
crack. All companies who care about security should have security bounty
programs.

[https://motherboard.vice.com/en_us/article/qvapxq/apple-ipho...](https://motherboard.vice.com/en_us/article/qvapxq/apple-iphone-bug-bounty-payments)

~~~
giobox
So long as it’s an iOS bug of course... the situation with macOS is pretty
absurd.

------
Someone
_”Quickly dropping a very important lock and retaking it is a common
anti-pattern I've observed across the XNU codebase

[…]

This is trying to detect whether another thread acquired and dropped the lock
while this thread dropped it then reacquired it. If so, the code checks
whether there's still a vm_map_entry covering the current address it's trying
to copy and then bails out and looks up the entry again.”_

I find that disconcerting. Apparently, the writers of this didn’t have a clear
model of what locks are needed where, or (worse) they had a model, but knew it
didn’t work.

Anybody writing that code should have seen this coming.

~~~
londons_explore
Any sufficiently complex software will at some point require dropping and
reacquiring a lock.

The trick is you have to assume everything changed under you when you dropped
the lock, and recheck everything
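
The drop/recheck discipline described in this comment, combined with the stamp-based revalidation the post excerpt above describes, as an added example: this is constructed toy code, not XNU's vm_map or anything from the Project Zero post, and every name in it (`map_t`, `copy_with_drop`, the `stamp` field, the intruder callbacks) is made up for illustration. The point it shows is that a pointer obtained under the lock is only trusted again if the map's change stamp proves nobody touched the map in the gap.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a lock-protected map with a change stamp. Not XNU's
   real vm_map; it only reproduces the drop / retake / revalidate shape. */
#define NENT 2
typedef struct { uintptr_t start, end; int valid; } entry_t;
typedef struct { entry_t e[NENT]; unsigned stamp; int locked; } map_t;

static void map_lock(map_t *m)   { assert(!m->locked); m->locked = 1; }
static void map_unlock(map_t *m) { assert(m->locked);  m->locked = 0; }

/* Entry covering addr, or NULL. Lock must be held. */
static entry_t *map_lookup(map_t *m, uintptr_t addr) {
    assert(m->locked);
    for (size_t i = 0; i < NENT; i++)
        if (m->e[i].valid && addr >= m->e[i].start && addr < m->e[i].end)
            return &m->e[i];
    return NULL;
}

/* Every mutation made under the lock bumps the stamp; that is the whole trick. */
static void map_remove(map_t *m, size_t i) { assert(m->locked); m->e[i].valid = 0; m->stamp++; }

/* Copy-like operation that must drop the lock mid-way. Returns how many
   re-lookups it needed (0 or 1), or -1 if the entry is gone afterwards.
   `intruder` models what another thread does while the lock is dropped. */
static int copy_with_drop(map_t *m, uintptr_t addr, void (*intruder)(map_t *)) {
    map_lock(m);
    entry_t *e = map_lookup(m, addr);
    if (!e) { map_unlock(m); return -1; }
    unsigned saved = m->stamp;
    map_unlock(m);                       /* the gap another thread can use */
    if (intruder) intruder(m);
    map_lock(m);
    int relooked = 0;
    if (m->stamp != saved) {             /* map changed: e may now dangle */
        relooked = 1;
        e = map_lookup(m, addr);         /* never reuse the old pointer */
        if (!e) { map_unlock(m); return -1; }
    }
    /* ... work with e here, still under the lock ... */
    map_unlock(m);
    return relooked;
}

/* Constructed intruders (remove the target entry / its neighbour) and a driver. */
static void remove_target(map_t *m)   { map_lock(m); map_remove(m, 0); map_unlock(m); }
static void remove_neighbor(map_t *m) { map_lock(m); map_remove(m, 1); map_unlock(m); }
static int run_scenario(void (*intruder)(map_t *)) {
    map_t m = { { { 0x1000, 0x2000, 1 }, { 0x2000, 0x3000, 1 } }, 0, 0 };
    return copy_with_drop(&m, 0x1800, intruder);   /* 0x1800 lies in entry 0 */
}
```

Without the stamp check, the `remove_target` scenario would proceed with a pointer to an entry that no longer exists, which is exactly the class of window the post's excerpt is about.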

------
Sendotsh
That first paragraph is a ride and a half.

Props to Project Zero. There's some seriously talented people on that crew.

~~~
adtac
Indeed, the most impressive part of this is that it's actually half a dozen
different exploits carefully chained together to produce the final result. I
can't even imagine the amount of perseverance required for each single sub-
exploit. Mad props.

------
the_fonz
I constantly get a kernel panic on multiple machines under heavy load of the
sort of _trying to interlock destroyed mutex_ from within, according to the
backtrace, com.metakine.handsoff.driver. I'm wondering if it's exploitable.

~~~
jmah
Is that a third party kernel extension? Sounds like a buggy one if so, and if
it’s this <https://www.oneperiodic.com/products/handsoff/>
then it might be lessening security instead of increasing it.

~~~
anonlapwarmer
Yeap. I wouldn't say lessening unilaterally but with the nuance of changing
the attack surface in different areas. IIRC "Hands Off!" is a firewall and an
app firewall that can selectively limit disk and network access.

------
pjmlp
Great deep dive into iOS use of tagged memory, and a good example that
security needs to go all the way down the stack to actually be effective.

------
tdhz77
That is one contrived exploit.

------
mythz
That TL;DR is super condensed...

------
subcosmos
Why did they post this on April Fools?

At first I thought this was a convoluted HalfLife reference
[https://half-life.fandom.com/wiki/Xen](https://half-life.fandom.com/wiki/Xen)

------
xiphias2
It would be interesting to see how many of these bugs would be possible if an
operating system written in Rust would be used.

I would treat any code allocating / deallocating / moving / locking memory by
hand instead of using higher level constructs unsafe now that we know that
it's possible to automate checking safety of the operations.

------
benatkin
I just noticed that they renamed Project Fi to just Google Fi. When I first
saw this post, due to _Project_ in the name I thought it was Google Fi. Good
on them for changing the name. Maybe it's a sign that Google will be more
consistent in their naming in the future.

~~~
judge2020
I'm surprised they're still using a blogspot subdomain. Something like
zero.google or projectzero.google would work (with redirects for existing
links).

~~~
dcbadacd
0.google would be nice.

