[jprx]

Hi! I think I can clear a few things up here.

Our goal is to demonstrate that we can learn the PAC for a kernel pointer from userspace. Just demonstrating that this is even possible is a big step in understanding of how mitigations like pointer authentication can be thought of in the spectre era.

We do not aim to be a zero day, but instead aim to be a way of thinking about attacks/ an attack methodology.

The timer used in the attack does not require a kext (we just use the kext for doing reverse engineering) but the attack itself never uses the kext timer. All of the attack logic lives in userspace.

Provided the attacker finds a suitable PACMAN Gadget in the kernel (and the requisite memory corruption bug), they can conduct our entire attack from userspace with our multithread timer. You are correct that the PACMAN Gadget we demonstrate in the paper does live in a kext we created, however, we believe PACMAN Gadgets are readily available for a determined attacker (our static analysis tool found 55,159 potential spots that could be turned into PACMAN Gadgets inside the 12.2.1 kernel).

Our paper is available at our website: https://pacmanattack.com/paper.pdf

[ben7799]

Something definitely went wrong here though that more guidance was not provided to the tech journalists.

Most of the mainstream articles make it seem like they a) did not read the paper b) are incapable of understanding the paper c) were not provided any guidance about what any of this actually means in the real world.

Which is all scary as the paper is well written and very accessible IMO.

[bee_rider]

Based on the article, I think the journalist basically understands the situation (and if they don't, they should investigate further, that's the job). The headline is just intentionally over-dramatic to get clicks. This shouldn't be treated as a good-faith error, more guidance isn't required and wouldn't help.

[rmbyrro]

It's sad that we reached a point where assuming bad faith from public informers is acceptable and, worse, reasonable.

[jonathanwallace]

Worth noting that someone else usually writes the headline for the articles, not the journalist / the author of an article.

[thereddaikon]

OK, but that doesn't excuse things. There's a problem with journalism and its mostly about how they are incentivized and compensated. I don't know what the fix is but its clear that trust is so low, and rightfully so that journalism has largely failed as an industry at its job.

[not2b]

Journalism is paid for by ads, mostly. For online journalism, unless people click there is no money to pay the producers. Hence clickbait. This is a problem but there are worse problems.

[Aeolun]

Expected, yes. Reasonable or acceptable, no.

But what can you do about it?

[TrevorJ]

>Most of the mainstream articles make it seem like they a) did not read the paper b) are incapable of understanding the paper

This seems pretty par for the course in terms of science/tech journalism to be honest.

[nomel]

> It's kind of ridiculous it's getting this kind of press

> Something definitely went wrong here though

Both of these have the same reason: it's about Apple. I know someone that avoids telling people that they work at Apple, to avoid similar drama.

[cyanydeez]

I mean, it's been like months of random press about the M1 despite there being anything special other than , _Apple_ so that's basically what you get when your marketing is super effective.

[marcosdumay]

a) did not read the paper

Yeah, that's a given. Journalists do not have time for optional tasks.

b) are incapable of understanding the paper

That's a safe bet.

c) were not provided any guidance

Asking for guidance or clarifications is another one of those optional tasks.

[nl]

Clearly "did not read the article" applies to some internet commentators.

The article is pretty good and shows good understanding of what the attack is.

[azinman2]

Welcome to tech journalism.

[opheliate]

Just tech journalism? :) https://en.wikipedia.org/wiki/Michael_Crichton#GellMannAmnes...

[sirspacey]

Welcome to journalism.

[rTX5CMRXIfFG]

It’s not just a problem with journalism but with humans in general. People are more imprecise with their comprehension of things than they are willing to admit.

[highwaylights]

How many synonyms did you try before you landed on “imprecise”?

It’s a very diplomatic choice. Moreso than I’d have gone with. I admire your restraint!

[SantalBlush]

Thank you. Even here on HN, plenty of folks will comment on all kinds of research they know little about.

[passivate]

> Even here on HN, plenty of folks will comment on all kinds of research they know little about.

I don't see anything wrong with that, because all opinions are not equal.

I think there is some level of pressure to get one's word in quickly, otherwise the nebulous cloud of commenters moves on to the next story, and your well-thought-out comment that took hours to write is seen by no-one. If you're responding to someone hoping to get into a nice conversation, you're out of luck since they have no idea you just responded to them.

[JohnJamesRambo]

Any thread about nutrition is so painful here.

[thibauts]

Welcome to advertising driven journalism.

[Fnoord]

If the information was given solely to public security experts with blog presence (Matthew Green, Bruce Schneier, and a plethora of others) we could've linked to them and either ignore the 'clickbait middleman' or do most of the work for them allowing them an easier time to write up something half decent.

[steelframe]

Matthew Green once publicly criticized something I created by simply parroting what someone else had said without bothering to do his own investigation. The original criticism turned out to be hogwash, and Matthew failed to recognize an obvious real crypto problem with the first version of my feature because he was too busy trying to just quickly stick his name into someone else's feature announcement while it was still "hot off the press."

I would take anything Matthew Green blogs about with a grain of salt. It's not clear how much of what he says is just cheap amplification of what others claim.

[DSingularity]

MG shows here that even a small dose of fame can ruin the biggest of nerds.

[geerlingguy]

I can imagine some of the Tech YouTube channel headlines this week:

"Apple is DOOMED!"

"Turn off your iPhone, Apple's security BUSTED!"

[chihuahua]

Youtube titles with CAPITALIZED words make me sad. I don't want to click on any video with a title like that, but creators are incentivized to use those titles because they get more views. Some fine videos end up with those titles and I would miss out on some good stuff if I refuse to click on clickbait titles.

[nl]

The Techcrunch article is well written and I thought summarises this rather well.

The headline is pretty reasonable too. Apple can't patch this, and as other commentators point out subsequent attack techniques are only going to make this flaw worse.

[ksec]

Everything you listed are at the very end of the list of things that matter to modern day Journalist. If they even make the list.

But reading your comment does sort of put a smile on my face though. The what others would called a non-cynical world view.

[jazzyjackson]

d) were given about 90 minutes to write the article

[slime3377]

95% of journalism is at this level of understanding for anything non liberal arts that is commonly offered as a 4 year degree, and has been for as long as journalism has existed.

[fulafel]

I really sympathise how your research is being misunderstood based on the reporting and responses to the press stuff missing the main point. And everyone equating modern ARM with "M1".. Anyway, awesome work! Let's hope pointer authentication gets a thorough treatment from the research community and you and other people can build further exciting results on your work!

[vinay_ys]

Given there are "55,159 potential spots that could be turned into PACMAN Gadgets" do you think it is highly probably this attack is now part of a zero-day kill-chain?

[ungamed]

100% chance.

[egberts1]

Yep, 100% chance. (Despite the above downvotes, and this is coming from a JavaScript engine researcher).

[ungamedplayer]

Yeah, I work on Linux security for a big Red I mean Blue, company. Wrote poc for spectre/meltdown and more, but what do I know. ;)

[KennyBlanken]

You didn't clear up anything about publicizing this heavily in mainstream press before it's been reviewed by your peers.

[elseless]

It has been reviewed by the author’s peers — it was accepted to ISCA ‘22.

[nostrebored]

What are you hoping for here? Look at the facts as written.