
One Byte to rule them all - cjbprime
https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.html
======
twoodfin
Seems like the high-level lesson is that tagged unions as traditionally
implemented can be vulnerable in a manner that pointer/address-focused
mitigations don’t affect?

~~~
tlb
Indeed, a small integer tag seems much more vulnerable than a C++ virtual
table pointer.

On modern hardware, how much is the penalty for using magic numbers instead of
small indices? (A magic number meaning a constant like 0x85adb9ad instead of
2). The compiler can't optimize switch(it->type) using a jump table, but I
suspect that branch prediction and speculation makes this optimization barely
relevant.

~~~
kevincox
A jump table isn't likely used for very small unions anyways. The biggest
downside that I see is that comparing with zero is slightly cheaper if that is
a common value.

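The magic-number idea from the two comments above, as an added C example (not code from the article or from any commenter): it counts how many single-byte corruptions of a type tag still pass a switch's validity check under each encoding. The magic values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two encodings of a tagged-union type tag: dense small indices versus
   sparse 32-bit magic constants. */
enum { T_INT = 1, T_STR = 2 };
#define MAGIC_INT 0x85adb9adu   /* constructed magic values; they differ in every byte */
#define MAGIC_STR 0x3c1f7e52u

/* Validity checks: what a switch(tag) with a rejecting default branch accepts. */
static int valid_small(uint32_t tag) { return tag == T_INT || tag == T_STR; }
static int valid_magic(uint32_t tag) { return tag == MAGIC_INT || tag == MAGIC_STR; }

/* Overwrite one byte of the tag in memory, modelling a single-byte corruption. */
static uint32_t corrupt_byte(uint32_t tag, int offset, uint8_t value) {
    uint8_t bytes[sizeof tag];
    memcpy(bytes, &tag, sizeof tag);
    bytes[offset] = value;
    memcpy(&tag, bytes, sizeof tag);
    return tag;
}

/* Count single-byte overwrites of 'tag' that still pass the validity check but
   name a different variant: each one is a silent type confusion. Overwrites
   that produce an unknown tag are caught by the default branch instead. */
static int silent_confusions(uint32_t tag, int (*valid)(uint32_t)) {
    int n = 0;
    for (int off = 0; off < (int)sizeof tag; off++)
        for (int b = 0; b < 256; b++) {
            uint32_t t = corrupt_byte(tag, off, (uint8_t)b);
            if (t != tag && valid(t)) n++;
        }
    return n;
}

int main(void) {
    printf("small index tag: %d single-byte corruptions pass as another type\n",
           silent_confusions(T_INT, valid_small));
    printf("magic number tag: %d single-byte corruptions pass as another type\n",
           silent_confusions(MAGIC_INT, valid_magic));
    return 0;
}
```

With dense indices one byte is enough to turn an int into a string (1 confusion); with magics that differ in every byte no single-byte write reaches another valid tag (0), so the corruption lands in the default branch where it can be detected.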
------
cjbprime
Huh, I submitted this two days ago -- why does it say two hours ago?

~~~
vasco
It's common for mods to game the system and resubmit stories they believe are
good.

~~~
MaxLeiter
Not sure why this is downvoted. They do do that.

~~~
JoshTriplett
Likely because "game the system" has a strong negative connotation that seems
unwarranted.

~~~
b4ke
Only if you can actually speak to the motivation behind the act.... right?

~~~
saagarjha
[https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)

------
kokowawa393
What do I need to learn to understand this 100%?

~~~
saagarjha
In somewhat increasing order of specificity (and decreasing additional
understanding): computers, C, memory safety, newer cross-platform security
mitigations, XNU, iOS-specific security mitigations, iOS exploitation
techniques, Project Zero's previous work.

------
nine_k
The amount of work put into the exploit, the breadth of low-level knowledge
involved, and the number of moving parts required for the successful privilege
escalation is impressive, to say the least.

I suspect that getting through this all took months, considering that iOS runs
on platforms not exactly open for experimentation of such a kind.

------
cjsawyer
The LotR section headings were a nice touch

------
hootbootscoot
great stuff

------
trekrich
So what does it mean?!

~~~
formerly_proven
iOS has a lot of layers and mitigations both in software and proprietary
hardware that aren't found in other systems. Keep in mind that this story
would be 20% of the length on other systems, because "physical memory
read/write primitive" would be a total break.

~~~
saagarjha
I should note that PPL is _not_ designed to protect against the kinds of
attack described in this article; it's really meant to prevent substitution of
forged page tables and by coincidence the address chosen by the author ended
up being unmappable due to an attempt to protect against virtual memory
read/write in the kernel.

------
fortran77
iOS is full of holes. How can Apple in good faith say it is "secure by
design?" (See
[https://www.apple.com/business/docs/site/AAW_Platform_Security.pdf](https://www.apple.com/business/docs/site/AAW_Platform_Security.pdf)
)

~~~
glitchc
Let’s give an experienced group of hackers nearly unlimited budget to find
security holes in your competitor’s products.

There’s, of course, zero bias in that approach, none whatsoever. /s

If project zero spent even half as much time finding and fixing security
exploits in Android as they do just finding exploits in iOS, Google would have
a truly competitive product from a security perspective.

~~~
kanox
I really don't see the problem with this: finding vulnerabilities is hard work
and many times the results are used for nefarious purposes.

You seem to be concerned that Project Zero would be used as marketing material
against competitors but I saw no sign of that.

Apple should thank Google for the high quality free labor.

------
simonebrunozzi
> Project Zero

> News and updates from the Project Zero team at Google

> For the last several years, nearly all iOS kernel exploits ...

Damn, Googlers... Still incapable of explaining things to people. What the
hell is Project Zero? Why don't you explain it in your tagline? If not, why
not at the beginning of the article?

Edit: this sentence in the "about" section does the job:

> Project Zero is a team of security researchers at Google who study zero-day
> vulnerabilities in the hardware and software systems that are depended upon
> by users around the world

I suggest you change the tagline to something like "Studying zero-day
vulnerabilities at Google".

