
The video presents an attack technique called SysBumps, demonstrated by researchers Hyerean Jang, Taehun Kim, and Youngjoo Shin at Black Hat Europe 2024. Here’s what it’s about:
- What SysBumps Does: SysBumps breaks Kernel Address Space Layout Randomization (KASLR) on macOS systems running on Apple Silicon, including M-series chips. It uses speculative execution within system calls, triggering side-channel behaviors that allow an unprivileged attacker to detect the kernel memory layout.
- How the Attack Works: By issuing system calls that involve speculative execution, attackers can influence the translation lookaside buffer (TLB). This manipulation allows them to infer kernel address translations and effectively derandomize the kernel's memory layout (defeat KASLR). The technique exploits microarchitectural remnants left in the TLB after speculative mispredictions occur.
- Scope and Impact: It has been tested across a range of Apple Silicon models (M1, M1 Pro, M2, M2 Pro, M2 Max, M3, and M3 Pro) running macOS versions from 13.1 up to 15.1. This is a significant threat because KASLR is a fundamental security barrier protecting kernel memory from userland access. Once it is broken, attackers can more easily launch further exploits.