Our goal is to demonstrate that we can learn the PAC for a kernel pointer from userspace. Just demonstrating that this is even possible is a big step in the understanding of how mitigations like pointer authentication can be thought of in the Spectre era.
We do not aim to be a zero-day, but instead aim to be a way of thinking about attacks / an attack methodology.
The timer used in the attack does not require a kext (we just use the kext for doing reverse engineering) but the attack itself never uses the kext timer. All of the attack logic lives in userspace.
Provided the attacker finds a suitable PACMAN Gadget in the kernel (and the requisite memory corruption bug), they can conduct our entire attack from userspace with our multithread timer. You are correct that the PACMAN Gadget we demonstrate in the paper does live in a kext we created, however, we believe PACMAN Gadgets are readily available for a determined attacker (our static analysis tool found 55,159 potential spots that could be turned into PACMAN Gadgets inside the 12.2.1 kernel).
Something definitely went wrong here, though, in that more guidance was not provided to the tech journalists.
Most of the mainstream articles make it seem like they a) did not read the paper, b) are incapable of understanding the paper, or c) were not provided any guidance about what any of this actually means in the real world.
Which is all scary as the paper is well written and very accessible IMO.
Based on the article, I think the journalist basically understands the situation (and if they don't, they should investigate further, that's the job). The headline is just intentionally over-dramatic to get clicks. This shouldn't be treated as a good-faith error, more guidance isn't required and wouldn't help.
OK, but that doesn't excuse things. There's a problem with journalism, and it's mostly about how they are incentivized and compensated. I don't know what the fix is, but it's clear that trust is so low, and rightfully so, that journalism has largely failed as an industry at its job.
Journalism is paid for by ads, mostly. For online journalism, unless people click there is no money to pay the producers. Hence clickbait. This is a problem but there are worse problems.
I've seen many cases where mods revert an informative title in favor of a less informative one. Also, the idea that the title of a submission should match the title of the resulting article is quite silly, since often the article is written for a different audience and the informed HN submitter can sometimes craft a title that better summarizes to HN readers why the story is interesting / worth reading / controversial.
I mean, it's been like months of random press about the M1 despite there not being anything special other than, _Apple_, so that's basically what you get when your marketing is super effective.
It’s not just a problem with journalism but with humans in general. People are more imprecise with their comprehension of things than they are willing to admit.
> Even here on HN, plenty of folks will comment on all kinds of research they know little about.
I don't see anything wrong with that, because all opinions are not equal.
I think there is some level of pressure to get one's word in quickly, otherwise the nebulous cloud of commenters moves on to the next story, and your well-thought-out comment that took hours to write is seen by no-one. If you're responding to someone hoping to get into a nice conversation, you're out of luck since they have no idea you just responded to them.
Anything related to medicine/biochemistry can get cringe-y pretty quickly here. I think the problem is that the crowd here is generally pretty intelligent, but they know it, and it's a coefficient > 1 on the Dunning-Kruger effect.
If the information was given solely to public security experts with a blog presence (Matthew Green, Bruce Schneier, and a plethora of others), we could've linked to them and either ignored the 'clickbait middleman' or done most of the work for them, allowing them an easier time writing up something half decent.
Matthew Green once publicly criticized something I created by simply parroting what someone else had said without bothering to do his own investigation. The original criticism turned out to be hogwash, and Matthew failed to recognize an obvious real crypto problem with the first version of my feature because he was too busy trying to just quickly stick his name into someone else's feature announcement while it was still "hot off the press."
I would take anything Matthew Green blogs about with a grain of salt. It's not clear how much of what he says is just cheap amplification of what others claim.
Youtube titles with CAPITALIZED words make me sad. I don't want to click on any video with a title like that, but creators are incentivized to use those titles because they get more views. Some fine videos end up with those titles and I would miss out on some good stuff if I refuse to click on clickbait titles.
The Techcrunch article is well written and I thought summarises this rather well.
The headline is pretty reasonable too. Apple can't patch this, and as other commentators point out subsequent attack techniques are only going to make this flaw worse.
95% of journalism is at this level of understanding for anything non-liberal-arts that is commonly offered as a 4-year degree, and has been for as long as journalism has existed.
I really sympathise with how your research is being misunderstood based on the reporting and responses to the press stuff missing the main point. And everyone equating modern ARM with "M1"... Anyway, awesome work! Let's hope pointer authentication gets a thorough treatment from the research community and you and other people can build further exciting results on your work!
Given there are "55,159 potential spots that could be turned into PACMAN Gadgets", do you think it is highly probable this attack is now part of a zero-day kill chain?
Our paper is available at our website: https://pacmanattack.com/paper.pdf