[Figure: illustration of ASLR, showing the randomized ordering of libraries in the memory layout]
The vulnerability represents a novel approach to defeating memory protection mechanisms without requiring traditional memory safety violations or timing-based attacks.
The technique exploits pointer-keyed data structures within Apple’s NSKeyedArchiver serialization framework, creating a pathway for memory address disclosure that operates through legitimate application functionality rather than exploiting coding errors.
The attack scenario requires a specific sequence: an application must deserialize attacker-controlled data, re-serialize the resulting objects, and subsequently return the serialized output to the attacker.
This creates an information disclosure channel that reveals critical memory layout information necessary for more sophisticated exploitation chains.
Horn discovered this vulnerability during internal Project Zero discussions focused on remote ASLR bypass techniques that would be essential for exploiting certain memory corruption vulnerabilities on Apple devices.
While the researcher successfully demonstrated the technique using NSKeyedArchiver serialization in controlled testing environments, no specific real-world attack surfaces were identified on current macOS or iOS implementations.
[Figure: Apple system-on-chip architecture, showing the Secure Enclave components involved in memory protection and encryption]
The exploitation mechanism operates through several interconnected components within Apple’s Core Foundation framework.
The attack leverages the CFNull singleton instance stored in the shared cache, together with the dictionary's default behaviour of using a key's pointer address as its hash code when the key type implements no custom hash handler.
Because the hash is derived from the address, the bucket such a key lands in depends directly on where the object sits in memory, which makes its placement predictable and manipulable.
The vulnerability centers on NSDictionary hash table manipulation, where attackers insert carefully constructed NSNumber keys that correspond to specific hash buckets.
By analyzing the order in which keys appear in re-serialized NSDictionary objects, attackers can determine which hash buckets the keys occupied and thereby infer bits of the singleton's memory address.
The practical implementation involves transmitting approximately 50KB of specially crafted serialized data containing multiple NSDictionary instances with precise patterns of NSNumber and NSNull keys.
When target applications process this data through deserialization and re-serialization cycles, the resulting element ordering reveals critical information about the NSNull singleton’s memory address.
While this vulnerability represents a theoretical attack vector with no demonstrated real-world impact, it illustrates how pointer-based hashing mechanisms in keyed data structures can create unexpected information disclosure channels.
The technique could potentially be integrated with other exploitation methods to defeat ASLR protections systematically, significantly increasing the reliability of memory corruption attacks.
Apple addressed this vulnerability in their March 31, 2025, security release through comprehensive framework updates.
The most effective long-term mitigation strategies involve avoiding object addresses as lookup keys or implementing keyed hash functions to minimize potential address leaks to pointer equality oracles.
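As an added illustration (not Project Zero's proof of concept and not Apple's code) of the pointer-hash oracle described above and of the keyed-hash mitigation, here is a toy open-addressing hash table in Python: an address-hashed sentinel stands in for NSNull, integer keys stand in for NSNumber, and in this simplified model the sentinel's position in the re-serialized key order reveals its address modulo the bucket count, whereas the keyed variant does not. The bucket count, the sentinel "address" and the secret are constructed values.

```python
import hmac
import hashlib

NUM_BUCKETS = 16  # toy table size (constructed); real CFDictionary sizing differs


class Sentinel:
    """Stands in for a singleton such as NSNull: it has no custom hash, so the
    table hashes it by its address. The address is a constructed value here."""
    def __init__(self, address):
        self.address = address


def address_hash(key):
    """Vulnerable scheme: integers hash to their value, objects to their pointer."""
    return key.address if isinstance(key, Sentinel) else key


def make_keyed_hash(secret):
    """Mitigation named in the text: a keyed hash, so bucket placement depends on a
    per-process secret rather than on raw pointer bits an observer could read off."""
    def keyed(key):
        raw = address_hash(key).to_bytes(8, "little")
        return int.from_bytes(hmac.new(secret, raw, hashlib.sha256).digest()[:8], "little")
    return keyed


def serialized_order(keys, hash_fn):
    """Insert keys into an open-addressing table (linear probing) and return them in
    bucket order, which is the order a naive re-serialization would emit them in."""
    table = [None] * NUM_BUCKETS
    for key in keys:
        idx = hash_fn(key) % NUM_BUCKETS
        while table[idx] is not None:  # collision: probe the next bucket
            idx = (idx + 1) % NUM_BUCKETS
        table[idx] = key
    return [k for k in table if k is not None]


def observed_position(sentinel, hash_fn):
    """Observer's view: the sentinel plus integer keys 0..NUM_BUCKETS-2 fill every
    bucket, so the sentinel's index in the output equals the bucket it landed in."""
    order = serialized_order([sentinel] + list(range(NUM_BUCKETS - 1)), hash_fn)
    return order.index(sentinel)


if __name__ == "__main__":
    s = Sentinel(0x1F0C5A8)  # constructed "address"
    print("address-hashed position:", observed_position(s, address_hash), "addr % 16:", s.address % NUM_BUCKETS)
    print("keyed position:", observed_position(s, make_keyed_hash(b"constructed-per-process-secret")))
```

Under the address-based scheme the printed position always equals the low four bits of the constructed address; under the keyed scheme it depends on the secret, so the ordering no longer acts as an address oracle.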
Project Zero reported this issue directly to Apple without utilizing their public bug tracker due to the absence of identified real-world attack surfaces.
This disclosure approach reflects the theoretical nature of the vulnerability while ensuring appropriate vendor notification for remediation efforts.
This research contributes to the broader understanding of serialization security and highlights previously unexplored attack vectors within system-level frameworks.
The work builds upon established research in hash collision attacks while introducing novel approaches to information disclosure through legitimate serialization mechanisms.
The disclosure emphasizes the critical importance of implementing secure serialization practices and carefully evaluating the security implications of pointer-based hashing mechanisms in system frameworks.
As serialization becomes increasingly prevalent in modern applications, understanding these subtle attack vectors becomes essential for maintaining robust security postures across complex software ecosystems.
The post Google Project Zero – NSDictionary Serialization Enables ASLR Address Disclosure on Apple OSes appeared first on Cyber Security News.