Project Zero Uncovers ASLR Bypass in Apple Serialization Vulnerability


New ASLR Bypass Technique Discovered for Apple Devices

Introduction to the Vulnerability

Google’s Project Zero team has uncovered a novel method that successfully bypasses Address Space Layout Randomization (ASLR) protections on Apple devices. This discovery, detailed by security researcher Jann Horn, illustrates how attackers could exploit specific behaviors in Apple’s serialization framework. The focus is on two key classes, NSKeyedArchiver and NSKeyedUnarchiver, which can potentially leak pointer values without activating standard memory safety errors or employing timing side channels.

Understanding the ASLR Bypass

At the heart of this vulnerability is a delicate interplay between singleton objects, pointer-based hash values, and the serialization process of NSDictionary. When an application processes attacker-controlled data, re-serializes it, and sends the output back to the attacker, a specific sequence emerges. This sequence allows attackers to infer the memory addresses of shared objects. The risk escalates when examining objects like NSNull, a singleton utilized in Apple’s Core Foundation.

Horn details that the hash value of NSNull is set to its memory address. Because this singleton is located at a consistent point within the system’s shared cache, it essentially acts as a beacon for attackers, enabling them to extract address information and effectively undermine ASLR.

Exploiting Serialization Behavior

Horn elaborates on how attackers can craft specific serialized input using carefully chosen NSNumber keys. The hashing mechanism used is predictable, granting attackers control over where these keys will land in the internal hash table buckets of NSDictionary. Given that NSDictionary employs probing hash tables with a prime-numbered bucket count and maintains the order of insertion during serialization, it becomes feasible to anticipate where individual keys will reside.

In the presence of an NSNull key, attackers can ascertain its location within the serialized data. Its position reveals the result of the bucket-index calculation applied to NSNull's hash, which lets the attacker reconstruct part of the pointer value for NSNull. By repeating this process with hash tables of varying prime sizes, such as 23, 41, 71, and beyond, attackers can combine those partial results into the precise memory address of the NSNull singleton.

Practical Demonstration of the Attack

Although Horn found no production service that actually follows the deserialize, re-serialize and return pattern, he built a test environment to demonstrate the technique's feasibility. The proof of concept consisted of an NSArray filled with multiple NSDictionary objects, each tailored to target a distinct hash table size and a specific bucket layout.

The attacker’s tools generated serialized input around 50 KiB in size while the victim-side procedure re-serialized the provided data. Upon receiving the output, the attacker could then determine in which bucket the NSNull object landed within each dictionary, allowing for accurate computation of its memory address.
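The following toy model, added here as an illustration and not code from Horn's write-up or from Apple's frameworks, shows why an address-valued hash in a bucket-ordered, prime-sized table leaks the address through the two steps described above (position reveals the residue modulo each bucket count; the residues are then combined), and why an address-independent hash value for the singleton removes the leak. It assumes a simplified linear-probing table, number keys that hash to their own value, and a constructed address; it does not reproduce NSDictionary's real implementation.

```python
# Toy model of the leak described above. Constructed for illustration: it is
# NOT NSDictionary's real implementation, and ADDR is a made-up pointer value.
import secrets

NULL = object()                            # stands in for the NSNull singleton
ADDR = 0x1F3A2C5E8D40                      # constructed "address" of the singleton
PRIMES = [23, 41, 71, 107, 163, 239, 379]  # prime bucket counts, as in the article

def key_hash(key, null_hash):
    """Assumed hashing: number keys hash to their own value (standing in for the
    predictable NSNumber hash); the singleton hashes to null_hash."""
    return null_hash if key is NULL else key

def roundtrip(serialized_keys, bucket_count, null_hash):
    """Victim side: deserialize keys in the order received into a linear-probing
    table, then re-serialize them in bucket order."""
    buckets = [None] * bucket_count
    for key in serialized_keys:
        i = key_hash(key, null_hash) % bucket_count
        while buckets[i] is not None:      # probe to the next free bucket
            i = (i + 1) % bucket_count
        buckets[i] = key
    return [k for k in buckets if k is not None]

def leaked_residue(bucket_count, null_hash):
    """Observer side: NULL first, then filler keys 0..p-2 (one per bucket).
    NULL's position in the returned order equals null_hash mod p."""
    payload = [NULL] + list(range(bucket_count - 1))
    return roundtrip(payload, bucket_count, null_hash).index(NULL)

def crt(residues, moduli):
    """Chinese remainder theorem: combine x = r_i (mod m_i) into a single x."""
    x, m = 0, 1
    for r, p in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, p) % p)
        m *= p
    return x % m

def recover_hash(null_hash, primes=PRIMES):
    """What the observer learns is the singleton's hash value, whatever it is:
    only an address-valued hash turns this into an ASLR bypass."""
    return crt([leaked_residue(p, null_hash) for p in primes], primes)

if __name__ == "__main__":
    print(hex(recover_hash(ADDR)))       # vulnerable design: the address comes back
    token = secrets.randbits(40)         # hardened design: address-independent hash
    print(recover_hash(token) == ADDR)   # False: nothing about ADDR is exposed
```

The product of the primes must exceed the value being recovered, which is why the real attack needs tables "beyond" 71; with the hardened hash the same procedure yields only the per-process token.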

Apple’s Response and Mitigation Strategies

Apple responded to the vulnerability through security updates released on March 31, 2025. Although Project Zero opted not to issue a public bug tracker entry due to the lack of an immediate threat, Horn stressed the importance of avoiding the use of raw memory addresses as hash values in any serialization framework, especially when those addresses are stable and accessible across different processes.

Recommendations also included implementing strict type allowlisting during deserialization, avoiding re-serialization of untrusted input, and not sharing serialized outputs across trust boundaries. These guidelines align with established best practices meant to safeguard against deserialization vulnerabilities.

Broader Implications of Pointer Leaks

Horn connected this new ASLR bypass to earlier research, including the 2011 hashDoS attacks that exploited predictable hashing to sabotage system performance. Unlike hashDoS, however, this vulnerability leverages hash order determinism to leak sensitive information rather than degrade service.

Moreover, Horn pointed to previous findings from Project Zero regarding partial pointer leaks and order-based information exposure, indicating that this technique generalizes those insights. Rather than relying on memory corruption or timing analysis, this new method emphasizes the innate behavior of pointer-keyed collections within Apple’s frameworks.

This analysis serves as a crucial reminder of the complexities and challenges in securing modern computing environments, particularly concerning serialization processes and memory management practices.
