| ▲ | vayup 3 days ago |
| > ...attackers must not be able to predict tag values that the system will choose. We address this issue by frequently re-seeding the underlying pseudo-random generator used to select new tags. This point could use more explanation. The fundamental problem here is the low entropy of the tags (only 4 bits). An attacker who randomly guesses the tags has 1/16 chance of success. That is not fixed by reseeding the PRNG. So I am not sure what they mean. |
|
| ▲ | shooshx 3 days ago | parent | next [-] |
| At attacher can guess, and has a 1/16 probability to guess right, but they have only one chance to guess because if you guess wrong, the process terminates (if it's a user-process) or the kernel panics (if it's in the kernel), so in the next opportunity you'll have it will be a different tag to guess. |
|
| ▲ | freakynit 3 days ago | parent | prev [-] |
| Four bits provide too few possibilities. Since memory allocations happen millions of times per minute, the chance of collisions grows very quickly, even with periodic reseeding. |
| |
| ▲ | kevincox 3 days ago | parent | next [-] | | But you only get one try. 15/16 times you get a very visible failure. It isn't great. Most users won't assume malice when an app crashes. And if they reopen it a few times your chance of succeeding goes up quickly. But this is also assuming that you need a single pointer tag to exploit something. If you need more you need to get even luckier. So it definitely isn't perfect protection. But it isn't trivial to bypass. | | |
| ▲ | qafy 2 days ago | parent [-] | | This could be solved at the OS level. Just crashing and closing the app would lead the user to simply re-open it and try again. However, if iOS detects this type of crash it could sternly alert the user that the application they are using is likely compromised. It could also transmit analytics for these specific types of crashes to Apple, who would have very realtime insights into newly compromised apps. I don't think the idea here is "crash silently and let the user reopen the app as many times as they want" I think its "crash very very loudly" > If you need more you need to get even luckier. This is a good point. Im not an expert but im guessing one is rarely enough, which would exponentially decrease your chances of success by brute force, e.g. 2 tags would be 1/256 etc |
| |
| ▲ | saagarjha 3 days ago | parent | prev [-] | | The idea is that a tag failure crashes your process. |
|
