Seems like the high-level lesson is that tagged unions as traditionally implemented can be vulnerable in a manner that pointer/address-focused mitigations don’t affect?

Indeed, a small integer tag seems much more vulnerable than a C++ virtual table pointer.

On modern hardware, how much is the penalty for using magic numbers instead of small indices? (A magic number meaning a constant like 0x85adb9ad instead of 2). The compiler can't optimize switch(it->type) using a jump table, but I suspect that branch prediction and speculation makes this optimization barely relevant.

A jump table isn't likely used for very small unions anyways. The biggest downside that I see is that comparing with zero is slightly cheaper if that is a common value.

At the very end, there is speculation that things like this might get manual inclusion in these mitigations grounded in parts of Ivan Krstić's Black Hat talk from last year.

Huh, I submitted this two days ago -- why does it say two hours ago?

dang talks about the "second chance" queue here: https://news.ycombinator.com/item?id=11662380

Sometimes they see a post that didn't get attention, and so they re-up it. Usually, but not always, you get an email to let you know.

Thanks, that was it! (I didn't get an email.)

I think you always get the email, perhaps it went into your spam folder?

The first time I saw such an email I felt great!! Look for it.

It's common for mods to game the system and resubmit stories they believe are good.

It's the invited post list: https://news.ycombinator.com/invited

Not sure why this is downvoted. They do do that.

Likely because "game the system" has a strong negative connotation that seems unwarranted.

Only if you can actually speak to the motivation behind the act.... right?

Assuming this was reposted 'automatically' you should have received an email from HN at the email associated with your HN account telling you that it was going to happen. At least I have received such emails in the past.

What do I need to learn to understand this 100%?

In somewhat increasing order of specificity (and decreasing additional understanding): computers, C, memory safety, newer cross-platform security mitigations, XNU, iOS-specific security mitigations, iOS exploitation techniques, Project Zero's previous work.

The amount of work put into the exploit, the breadth of low-level knowledge involved, and the number of moving parts required for the successful privilege escalation is impressive, to say the least.

I suspect that getting thought this all took months, considering that iOS runs on platforms not exactly open for experimentation of such a kind.

The LotR section headings were a nice touch

So what does it mean?!

iOS has a lot of layers and mitigations both in software and proprietary hardware that aren't found in other systems. Keep in mind that this story would be 20 % the length on other systems, because "physical memory read/write primitive" would be a total break.

I should note that PPL is not designed to protect against the kinds of attack described in this article; it's really meant to prevent substitution of forged page tables and by coincidence the address chosen by the author ended up being unmappable due to an attempt to protect against virtual memory read/write in the kernel.

thanks for that.

My linked list of these comments will continue to grow until you stop doing this: https://news.ycombinator.com/item?id=23504129

I really don't see the problem with this, finding vulnerabilities is hard work and many times the results are used for nefarious purposes.

You seem to be concerned that Project Zero would be used as marketing material against competitors but I saw no sign of that.

Apple should thank Google for the high quality free labor.

FYI, it's not just Project Zero. Zerodium stopped paying for iOS exploits due to oversupply[1][2]

[1]: https://appleinsider.com/articles/20/05/14/software-bug-brok...

[2]: https://twitter.com/Zerodium/status/1260541578747064326

Pretty sure Google follows responsible disclosure - https://en.wikipedia.org/wiki/Responsible_disclosure. Also it actually helps Apple, as Google team discovered it before it being exploited in the wild.