{"id":159,"date":"2025-09-02T10:28:21","date_gmt":"2025-09-02T10:28:21","guid":{"rendered":"https:\/\/haco.club\/?p=159"},"modified":"2025-09-03T08:57:06","modified_gmt":"2025-09-03T08:57:06","slug":"sysbumps-exploiting-speculative-execution-in-system-calls","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=159","title":{"rendered":"SysBumps: Exploiting Speculative Execution in System Calls"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/-WO_1EKkdJk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"464\" src=\"https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-7-1024x464.png\" alt=\"\" class=\"wp-image-163\" srcset=\"https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-7-1024x464.png 1024w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-7-300x136.png 300w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-7-768x348.png 768w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-7-1536x695.png 1536w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-7-2048x927.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The video presents an attack technique called SysBumps, demonstrated by researchers Hyerean Jang, Taehun Kim, and Youngjoo Shin at Black Hat Europe 2024. 
Here\u2019s what it\u2019s about:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>What SysBumps Does<br>SysBumps breaks Kernel Address Space Layout Randomization (KASLR) on macOS systems running on Apple Silicon, including M-series chips. It uses speculative execution within system calls, triggering side-channel behaviors that allow an unprivileged attacker to detect the kernel memory layout.<\/li>\n\n\n\n<li>How the Attack Works<br>By issuing system calls that involve speculative execution, attackers can influence the translation lookaside buffer (TLB). This manipulation allows them to infer kernel address translations and effectively derandomize the kernel\u2019s memory layout (defeat KASLR). The technique exploits microarchitectural remnants left in the TLB after speculative mispredictions occur.<\/li>\n\n\n\n<li>Scope and Impact<br>It has been tested across a range of Apple Silicon models\u2014including M1, M1 Pro, M2, M2 Pro, M2 Max, M3, and M3 Pro\u2014running macOS versions from 13.1 up to 15.1. This is a significant threat because KASLR is a fundamental security barrier protecting kernel memory from userland access. 
Once it\u2019s broken, attackers can more easily launch further exploits.<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><a href=\"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690189\">https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690189<\/a><\/p>\n<\/blockquote>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The video presents an attack technique called SysBumps, demonstrated by [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[27,5,31],"class_list":["post-159","post","type-post","status-publish","format-standard","hentry","category-black-hat","tag-microarchitecture","tag-security","tag-speculative-execution"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=159"}],"version-history":[{"count":5,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/159\/revisions"}],"predecessor-version":[{"id":174,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/159\/revisions\/174"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=159"}],"curies":[{"name":"wp","href":"https:
\/\/api.w.org\/{rel}","templated":true}]}}