
Voucher_swap: Exploiting MIG reference counting in iOS 12 - gok
https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html?m=1
======
0x0
Curious to hear more about the "bypass Apple's implementation of ARMv8.3
Pointer Authentication (PAC) on A12 devices like the iPhone XS."

Is this new ARMv8.3 feature already broken?

~~~
olliej
I would guess holes in the coverage, or insufficient discrimination for
authenticating.

But yeah, I’m looking forward to finding out what they exploited.

------
saagarjha
I haven’t used MIG much, but it’s always seemed like a security nightmare.
It’s somewhat convenient, but the codegen part looks really sketchy and of
course with separation like this it’s easy to forget memory management
guidelines, etc.