I hacked macOS(asahilina.net)
asahilina.net
I hacked macOS
https://asahilina.net/agx-exploit/
139 comments
From code comments, what I understood (most likely in an incorrect way) is:
- Use Metal shader code to make process page table accessible to shaders via page protection layer bug exploited using return oriented programming (ROP)
- Use Metal shader code to acquire read/write access to physical memory
- Use Metal shaders to access the kernel page table
- Deals with ASLR to find the kernel base address
- Obtains process user credentials data structure via the process data structure (from the kernel memory)
- Sets uid and gid to 0 (root) to the user credentials data structure, giving root privileges to the user
- Use Metal shader code to make process page table accessible to shaders via page protection layer bug exploited using return oriented programming (ROP)
- Use Metal shader code to acquire read/write access to physical memory
- Use Metal shaders to access the kernel page table
- Deals with ASLR to find the kernel base address
- Obtains process user credentials data structure via the process data structure (from the kernel memory)
- Sets uid and gid to 0 (root) to the user credentials data structure, giving root privileges to the user
You’re pretty much correct.
GPUs are a very interesting attack vector. Especially as more computation is being pushed to GPUs, and they’re not always well isolated.
GPUs are a very interesting attack vector. Especially as more computation is being pushed to GPUs, and they’re not always well isolated.
I'm genuinely concerned about the WebGPU attack vector. The possibilities are exciting, but we (everyone) has virtually no experience with securing them (compared to decades of securing x86 - which we still can't pull off). My biggest concern is fingerprinting.
Somehow I can’t resign myself to this brave new world of web apps with low level hardware access. I do not want web apps doing GPGPU work on my machine. If the browser engine implements high level functionality that way, fine, but I don’t want arbitrary websites using low level hardware directly.
They were so preoccupied with whether they could, the never stopped to consider whether they should.
They were so preoccupied with whether they could, the never stopped to consider whether they should.
I feel like fingerprinting is inevitable with any hardware access, including WebGL or WebGPU. It’s one of my big concerns about Chrome exposing more and more of the hardware it runs on in the goal of being a Web based OS.
That said, fingerprinting is not as big a risk as what I was thinking of, which is one process being able to peer into another’s on the GPU. There are various takes on isolation on the GPU but they tend to have strong caveats attached.
That said, fingerprinting is not as big a risk as what I was thinking of, which is one process being able to peer into another’s on the GPU. There are various takes on isolation on the GPU but they tend to have strong caveats attached.
Fingerprinting is probably inevitable if it is enabled by default. Given game code themselves relies on exact device model to workaround gpu implementation bugs. Gpu compatibility is always a shit show history that relies on all sort of device specific workarounds. You may spoof it. But don't assume it would work perfectly for any moderate to big sized programs.
Is this substantially different than say, containers with GPU access, right?
Lots of computation is moving to GPUs.
Lots of computation is moving to GPUs.
Do you know what's the original vulnerability that allowed ROP?
https://asahilina.net/agx-exploit/#/s_uppl
Press down to see the slides
Press down to see the slides
Thank you very much for the brief summary versus whatever the thing linked was.
[deleted]
Any suggestions for how I can get to anywhere close to Lina's skills? It's just mad skills..
I don't believe simply putting in huge amount of time in front of the machine is adequate. Neither is simply being smart.
Is it just a combination of being smart, sinking in a lot of time, interests etc?
Read computer architecture and computer systems books.
Any suggestions? I'll start with something that might be a good beginner friendly way to get familiar with some of the concepts: 'The Soul of a New Machine' by Tracy Kidder.
You'd be wasting your time with that. Go read the bible (Computer Organization and Design by Patterson) instead.
Do you recommend any specific one? I guess there are multiple for ARM, RISC-V, etc. Thanks
The CVE description for some context (I re-ordered the sentences)
"An app may be able to execute arbitrary code with kernel privileges. The issue was addressed with improved memory handling. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13, watchOS 9.1."
"An app may be able to execute arbitrary code with kernel privileges. The issue was addressed with improved memory handling. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13, watchOS 9.1."
[deleted]
Just a note this isn't new: fixed in macOS last year (october 2022), and the japanese stream with the same slides is half a year old.
(The english content is new, so I guess this is still worth the front page as long as people are interested)
Once again, my respect for the work of the Asahi team and especially Linas GPU related efforts grows further. Great to see that she was officially recognized[0] and received a bounty for her efforts.
[0] https://support.apple.com/en-md/HT213488
[0] https://support.apple.com/en-md/HT213488
[deleted]
Lina is not a random emerging VTuber who randomly stumbled upon the bug and found an exploit technique that can be applied to exploit the bug; she is actually highly skilled at exploit things...
Cool, but this is a technology discussion website, not a personality discussion website.
I don’t think that’s entirely true. When reading technical articles who the author is matters.
For example, this is the same person who’s working on Asahi Linux for ARM macs. This means that they probably know what their talking about and this is gonna be a good article.
For example, this is the same person who’s working on Asahi Linux for ARM macs. This means that they probably know what their talking about and this is gonna be a good article.
Quality content, highly recommended.
Hugged to death?
https://youtu.be/hDek2cp0dmI?t=499 the presentation with narration of the author.
Is this page archived yet? I cannot access the page..
[deleted]
This wasn't obvious to me from the appearance of the page (I guess my screen is large enough that I didn't see the arrows in the bottom-right corner), but this site is actually a presentation. So, a heads-up in case anyone else has the same experience: the page is interactive, and you can navigate with arrow keys.
The HN rules say
> Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
Given that many are praising the formatting, I don't see how the rule applies.
I'd like to point out that the slides have source available and use the reveal js slides framework, but I'm not sure if this would be considered as breaking the rules?
Source for slides: https://github.com/asahilina/agx-exploit/tree/main/slides
> Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
Given that many are praising the formatting, I don't see how the rule applies.
I'd like to point out that the slides have source available and use the reveal js slides framework, but I'm not sure if this would be considered as breaking the rules?
Source for slides: https://github.com/asahilina/agx-exploit/tree/main/slides
[deleted]
Lina received a $150k bounty for this exploit.
Sounds extremely low for this kind of vulnerability of a $2.7T company that prides itself for its privacy accomplishments.
I mean, this is the company where the only security certification advertised on their website for macOS [1][2] only achieved the lowest possible level of security, EAL1.
A level only fit for products where [3]: "some confidence in correct operation is required, but the threats to security are not viewed as serious" which is one level lower than "demonstrating resistance to penetration attackers with a basic attack potential" [4]. Which is four full levels below "demonstrating resistance to penetration attackers with a moderate attack potential" [5].
Apple has never once, over multiple decades of failed attempts, demonstrated "resistance to penetration attackers with a moderate attack potential" for any product. It should be no surprise that the systems, processes, and people who lack the knowledge, ability, technology, and experience to make a system resistant to moderate attackers, despite nearly unlimited resources, have the security of their systems completely defeated by moderate attacks like small groups of skilled researchers. Apple positively, absolutely, 100%, certifies they can not. Though, it would be nice if their marketing were restricted to what their engineering can prove.
[1] https://support.apple.com/guide/certifications/macos-securit...
[2] https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
[3] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 14
[4] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 16
[5] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 20
A level only fit for products where [3]: "some confidence in correct operation is required, but the threats to security are not viewed as serious" which is one level lower than "demonstrating resistance to penetration attackers with a basic attack potential" [4]. Which is four full levels below "demonstrating resistance to penetration attackers with a moderate attack potential" [5].
Apple has never once, over multiple decades of failed attempts, demonstrated "resistance to penetration attackers with a moderate attack potential" for any product. It should be no surprise that the systems, processes, and people who lack the knowledge, ability, technology, and experience to make a system resistant to moderate attackers, despite nearly unlimited resources, have the security of their systems completely defeated by moderate attacks like small groups of skilled researchers. Apple positively, absolutely, 100%, certifies they can not. Though, it would be nice if their marketing were restricted to what their engineering can prove.
[1] https://support.apple.com/guide/certifications/macos-securit...
[2] https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
[3] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 14
[4] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 16
[5] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 20
EAL is not a measure of security but a measure of the depth of analysis. Looking at the complexity of monolithic-kernel-based operating systems, I don't much can be derived from certifications with an EAL < 5.
Evaluated assurance levels (EAL) are a bundle of security assurance requirements (SAR) that reasonably trace to varying levels of assurance that the target of evaluation (TOE) enforces the Security Functional Requirements (SFR) of the product. One of the core SARs being AVA (vulnerability assessment) which evaluates resistance to penetration attackers and the presence of vulnerabilities. It is only at EAL5 that you are required to demonstrate AVA_VAN.4 which is resistance to penetration attackers with a moderate attack potential.
What we derive from companies only able to achieve EAL < 5 is that their systems are not designed, nor capable of protecting against moderate attackers. This has been borne out by decades of experience where the security properties of these systems have been routinely defeated by attackers with moderate or lower attack potential. The certification process is both effective and accurate at identifying that these consumer operating systems are inadequate against attackers of moderate ability as an upper bound.
We further know from decades of experience that any system that attempts EAL5 certification and then fails has structural deficiencies that make it practically impossible for any configuration to ever be certified without a total redesign. As far as I know, nobody has ever achieved that despite decades of attempts and billions of dollars spent attempting to retrofit inherently insecure designs such as Windows, Linux, or macOS.
So, what we know is that macOS, iOS, Linux, Windows, BSDs, etc. are structurally insecure against moderate attacks such as those employed by commercial hackers and organized crime, let alone state-level actors, and that it is hopeless for them to ever be improved to reach such a level. Anything less than EAL5 is inadequate for the modern threat landscape of established commercial hackers and state actors as experienced by consumers, businesses, and governments. Therefore, the systems currently deployed are universally unfit for their usage in these connected systems and we have the certifications and continuous examples to prove it.
What we derive from companies only able to achieve EAL < 5 is that their systems are not designed, nor capable of protecting against moderate attackers. This has been borne out by decades of experience where the security properties of these systems have been routinely defeated by attackers with moderate or lower attack potential. The certification process is both effective and accurate at identifying that these consumer operating systems are inadequate against attackers of moderate ability as an upper bound.
We further know from decades of experience that any system that attempts EAL5 certification and then fails has structural deficiencies that make it practically impossible for any configuration to ever be certified without a total redesign. As far as I know, nobody has ever achieved that despite decades of attempts and billions of dollars spent attempting to retrofit inherently insecure designs such as Windows, Linux, or macOS.
So, what we know is that macOS, iOS, Linux, Windows, BSDs, etc. are structurally insecure against moderate attacks such as those employed by commercial hackers and organized crime, let alone state-level actors, and that it is hopeless for them to ever be improved to reach such a level. Anything less than EAL5 is inadequate for the modern threat landscape of established commercial hackers and state actors as experienced by consumers, businesses, and governments. Therefore, the systems currently deployed are universally unfit for their usage in these connected systems and we have the certifications and continuous examples to prove it.
How do you define "penetration attackers with a moderate attack potential"?
No EAL>4 certification does not imply that something is insecure.
Judging something as "insecure" or "structurally insecure" is highly opinionated. Not everyone has the same tolerance of risk. For most users the common operating system is secure enough. Besides that security is not only depending on the kernel. Smartphone operating systems which are based on Linux practically provide more security through app isolation than most desktop-oriented Linux-based distributions.
Besides that a CC certification does not necessary certify the product as a whole which finally means you cannot even derive a state of security statement for the end user.
Example: Integrity OS has been certified on EAL6, yet the have provided a vulnerable telnet server: https://nvd.nist.gov/vuln/detail/CVE-2019-7715
Another example was the genugate firewall which has been certified on EAL4+ (including ALC_FLR.2, ALC_PAM.1, ASE_TSS.2, AVA_VAN.5), so in the end it was certified against attack with a high attack potential. Yet, the product was vulnerable to a simple authentication bypass of the management interface resulting in a CVSS score of 9.8: https://nvd.nist.gov/vuln/detail/CVE-2021-27215
No EAL>4 certification does not imply that something is insecure.
Judging something as "insecure" or "structurally insecure" is highly opinionated. Not everyone has the same tolerance of risk. For most users the common operating system is secure enough. Besides that security is not only depending on the kernel. Smartphone operating systems which are based on Linux practically provide more security through app isolation than most desktop-oriented Linux-based distributions.
Besides that a CC certification does not necessary certify the product as a whole which finally means you cannot even derive a state of security statement for the end user.
Example: Integrity OS has been certified on EAL6, yet the have provided a vulnerable telnet server: https://nvd.nist.gov/vuln/detail/CVE-2019-7715
Another example was the genugate firewall which has been certified on EAL4+ (including ALC_FLR.2, ALC_PAM.1, ASE_TSS.2, AVA_VAN.5), so in the end it was certified against attack with a high attack potential. Yet, the product was vulnerable to a simple authentication bypass of the management interface resulting in a CVSS score of 9.8: https://nvd.nist.gov/vuln/detail/CVE-2021-27215
“Moderate potential” is defined in the standard [1]. As we are generally discussing blackbox attacks on publicly accessible remote endpoints, basically the only relevant factors are “Elapsed Time”, “Expertise”. So, a “moderate attack potential” is: expert proficiency attacking team over four months. A “high attack potential” is expert proficiency attacking team over six months.
I know, the standard is embarrassingly low by modern attack standards. It really should be much stricter these days, but even at these embarrassingly low levels the standard commercial vendors such as Apple can not achieve them.
No, my statement on structural insecurity is quite objective. I said they are structurally insecure against commercial hackers and organized crime. That is a statement relative to a threat model and can be objectively verified.
Our objective verification is that their security properties get routinely invalidated by such attackers thousands of times a year. You would be hard pressed to find a professional hacker who would say something like: “Oh no, they are using a Mac, my plans are foiled.”
Commercial hackers and organized crime are expected threat actors. If you are running a commercial enterprise, you will be attacked by commercial hackers these days. If your systems are useless against them, then your security is objectively inadequate for your use case. Using systems certified to be inadequate for your use case is just engineering malpractice.
Yes, a Common Criteria certification does not mean the entire product is certified in much the same way that a nail certification does not mean your airplane is certified. You need to certify the entire product for the entire product to be certified. That should be obvious.
I do not know why you bring up uncertified composed products having problems in uncertified components. Yes, those components suck, we already know that. That in no way supports using composed products consisting entirely of inadequate components.
You seem to be confused about how you should use a Common Criteria certification to evaluate a product. EAL5 does not mean you are guaranteed to be protected against moderate attackers. It just provides some reasonable confidence that might be the case. What it really tells you is that you should have minimal or no confidence in systems not certified (or even worse failed certification) to EAL5.
A AVA_VAN.5 component might be vulnerable to moderate attacks. But a component that failed certification to AVA_VAN.3 is certainly vulnerable to moderate attacks.
The genugate firewall is EAL4. I do not see how this bolsters your point. There is a reason why we use EAL instead of just reporting the AVA_VAN requirement.
I do not have any particular insights into their product or that vulnerability. It is certainly possible they were over certified.
Looking at the PoC, it seems to indicate a administrator login authentication bypass. In the genugate firewall TOE [2] it indicates that the administrator network is assumed to be isolated and trusted. If an administrator login page is only meant to be accessible from the administrator network then the CVE would be out of scope of their certification. Though the CVE indicates other logins that might be affected, so I can not speculate any further. Certainly could be over-certified. But again, certification does not mean confidently secure, it is non-certification which means confidently insecure.
[1] https://www.commoncriteriaportal.org/files/ccfiles/CEM2022R1...
[2] http://www.commoncriteriaportal.org/files/epfiles/0300b.pdf
I know, the standard is embarrassingly low by modern attack standards. It really should be much stricter these days, but even at these embarrassingly low levels the standard commercial vendors such as Apple can not achieve them.
No, my statement on structural insecurity is quite objective. I said they are structurally insecure against commercial hackers and organized crime. That is a statement relative to a threat model and can be objectively verified.
Our objective verification is that their security properties get routinely invalidated by such attackers thousands of times a year. You would be hard pressed to find a professional hacker who would say something like: “Oh no, they are using a Mac, my plans are foiled.”
Commercial hackers and organized crime are expected threat actors. If you are running a commercial enterprise, you will be attacked by commercial hackers these days. If your systems are useless against them, then your security is objectively inadequate for your use case. Using systems certified to be inadequate for your use case is just engineering malpractice.
Yes, a Common Criteria certification does not mean the entire product is certified in much the same way that a nail certification does not mean your airplane is certified. You need to certify the entire product for the entire product to be certified. That should be obvious.
I do not know why you bring up uncertified composed products having problems in uncertified components. Yes, those components suck, we already know that. That in no way supports using composed products consisting entirely of inadequate components.
You seem to be confused about how you should use a Common Criteria certification to evaluate a product. EAL5 does not mean you are guaranteed to be protected against moderate attackers. It just provides some reasonable confidence that might be the case. What it really tells you is that you should have minimal or no confidence in systems not certified (or even worse failed certification) to EAL5.
A AVA_VAN.5 component might be vulnerable to moderate attacks. But a component that failed certification to AVA_VAN.3 is certainly vulnerable to moderate attacks.
The genugate firewall is EAL4. I do not see how this bolsters your point. There is a reason why we use EAL instead of just reporting the AVA_VAN requirement.
I do not have any particular insights into their product or that vulnerability. It is certainly possible they were over certified.
Looking at the PoC, it seems to indicate a administrator login authentication bypass. In the genugate firewall TOE [2] it indicates that the administrator network is assumed to be isolated and trusted. If an administrator login page is only meant to be accessible from the administrator network then the CVE would be out of scope of their certification. Though the CVE indicates other logins that might be affected, so I can not speculate any further. Certainly could be over-certified. But again, certification does not mean confidently secure, it is non-certification which means confidently insecure.
[1] https://www.commoncriteriaportal.org/files/ccfiles/CEM2022R1...
[2] http://www.commoncriteriaportal.org/files/epfiles/0300b.pdf
On the other hand, that's a years salary for many people. Seems like a quite fair payment, and a payout to envy.
Lower, easier to get payouts are arguably better than rare jackpot payouts you have to fight over...
Lower, easier to get payouts are arguably better than rare jackpot payouts you have to fight over...
> On the other hand, that's a years salary for many people.
It's several years salary for many people.
It's several years salary for many people.
But not for people with this level of applied skills.
How many people do you think could pull this off? I certainly couldn't. Could you?
How many people do you think could pull this off? I certainly couldn't. Could you?
> But not for people with this level of applied skills.
Perhaps not for people with this level of applied skills who live in the US. But salaries vary drastically around the world, and remote jobs are not feasible for everyone.
Perhaps not for people with this level of applied skills who live in the US. But salaries vary drastically around the world, and remote jobs are not feasible for everyone.
How would you value this exploit, or any exploit?
I understand this is arbitrary code execution with root access. I'm imagining the potential of infecting a high status individual and I think a bad actor would pay millions for such an exploit.
Sure, so how would you arrive at a dollar amount? What would it be?
Apple pays up to $2M for such zero click exploits.
>Sounds extremely low for this kind of vulnerability
How do you know that?
How do you know that?
I’m not sure I follow. You’re asking them how they know their own impression of something?
That would be a fair question, we generally don't come to our impressions by random choice alone. My guess is the value of the vulnerability on the black market would be significantly higher and Apple could afford to compete with that better if they wanted. Only the GP could tell us the reasoning for their impression though.
Which part? I feel that arbitrary code execution with root access is a pretty extreme thing to accomplish. But I might be mistaken!
What? That's an insane amount of money
I'm comparing it with Apple's market cap of $10^12. Such a vulnerability seems pretty serious. But maybe I'm mistaken and it's not that bad.
Less than the salary of their software engineers.
Well deserved. By reading the code you can tell there is a lot of analysis and knowledge required to make that exploit happen.
OS development, security, shader programming, computer architecture, etc.
The code is clean and has plenty of comments explaining what is happening at each step.
And for the ones do not know, Asahi Lina is the same person who made it possible to run GPU-enabled Linux on Apple Silicon, among with other contributors.
OS development, security, shader programming, computer architecture, etc.
The code is clean and has plenty of comments explaining what is happening at each step.
And for the ones do not know, Asahi Lina is the same person who made it possible to run GPU-enabled Linux on Apple Silicon, among with other contributors.
How does this work anyway? I reported a password bug that went unfixed for months and didn't hear back from Apple. Do you need to be the first/only person to have reported something, or what?
Most bug bounty payouts go to the first person or group that report it, and only if the bug in question is novel to the company in question.
I.e if you report after someone else or report after it’s already been identified internally , you’re not likely to get a payout unless you have novel details
I.e if you report after someone else or report after it’s already been identified internally , you’re not likely to get a payout unless you have novel details
Hell yeah, good for her!
[deleted]
Honestly I loved the slide deck. I have little background in this, and I feel the author did a great job of breaking everything down. It clearly took aot of work. Bravo.
I genuinely don't understand when I should be pressing down or right. Is there a linear way to view this?
It’s why I hate reveal.js
It’s the most unintuitive mechanism unless you’ve already internalized what deck structures should be.
It seems like it’s optimized for the presenter but it’s often used for after the fact sharing with everyone else who won’t know the order.
It really needs a linear mode, with the option to see presenter notes.
It’s the most unintuitive mechanism unless you’ve already internalized what deck structures should be.
It seems like it’s optimized for the presenter but it’s often used for after the fact sharing with everyone else who won’t know the order.
It really needs a linear mode, with the option to see presenter notes.
I clicked various times to the right, didn't make much sense.
I came back, started clicking it down, now it made sense, until couldn't, so I clicked right.
Then it clicked, took me something like ten seconds to figure it out, and I am not known to be quickest knife in the shed.
right for sections, down for subsections within a section, but 2d nav isn't great without a map :)
Press space.
RIP mobile users :'(
Yeah, I dislike comments on format but on mobile the site was just unusable for me. I couldn't figure out which slide was the "correct one" to move forward, and even the zooming gesture would move me to another slide. I think the video presentation would be a better link than the slides.
>Is there a linear way to view this?
Space key
Space key
[deleted]
The reveal.js slide itself probably isn't the best way for readers. The reveal.js project actually provides a PDF export feature which can be more helpful.
Anyway, it's an asahilina.net page, not a cve.mitre.org page. That domain is for the Virtual YouTuber Lina-chan, so I would not expect it to be the most friendly for developers.
As a VTuber follower, I do really like the style :D
Anyway, it's an asahilina.net page, not a cve.mitre.org page. That domain is for the Virtual YouTuber Lina-chan, so I would not expect it to be the most friendly for developers.
As a VTuber follower, I do really like the style :D
I would classify Lina as excellent hacker and engineer first, VTuber second (but it is really just marcan's alter ego, innit?)
tjroer84(5)
m0d0nne11(1)
jmull(7)
quitit(4)
https://news.ycombinator.com/newsguidelines.html.