Google Project Zero has uncovered a sophisticated technique for bypassing Address Space Layout Randomization (ASLR) protections on Apple devices, targeting a fundamental issue in Apple’s serialization framework. Security researcher Jann Horn described how deterministic behaviors in NSKeyedArchiver and NSKeyedUnarchiver could enable attackers to leak memory pointer values without exploiting conventional bugs or timing-based side channels.
The vulnerability centers on the interaction between singleton objects, pointer-based hash values, and serialization routines. Specifically, Horn identified that NSNull—a singleton object within Apple’s Core Foundation (CFNull)—exposes its memory address through its hash value. Because this object resides in a fixed location in the shared cache, it creates a reliable oracle for leaking memory addresses, defeating standard ASLR defenses.
Attackers can exploit this by crafting malicious serialized input which, when de-serialized and then re-serialized by a victim application, can allow inference of key memory locations. By leveraging the predictable hashing of NSNumber keys and understanding how NSDictionary structures its internal hash table based on prime-numbered bucket counts, an attacker controls where keys are placed during serialization. The relative position of the NSNull key reveals the outcome of hash_code % num_buckets, letting attackers deduce the memory address used by NSNull.
Scaling this approach involves using dictionaries with different prime-sized bucket counts, repeatedly measuring key placements, and applying the Extended Euclidean Algorithm. This enables precise reconstruction of the NSNull pointer address. Horn’s proof-of-concept demonstrated the feasibility, though no real-world application was found with this pattern in production services. The attacker’s tooling involved generating specialized serialized input and computing memory addresses after receiving the victim’s output.
Apple addressed the issue in its March 31, 2025 security updates. Horn cautioned against frameworks using raw memory addresses as hash values, especially when those addresses are static, and recommended strict allowlisting during deserialization, not returning re-serialized attacker input, and keeping outputs within trusted boundaries—aligning with broader best practices for deserialization risks.
Horn linked this exploit to earlier research on hash-based attacks, such as hashDoS, but highlighted that this method exploits hash order determinism for information leakage rather than denial-of-service. Ultimately, the finding broadens the understanding of how seemingly safe serialization behavior can be weaponized, and underscores the importance of robust serialization hygiene in software security.
