SlideShare a Scribd company logo

CanSecWest 2017 - Port(al) to the iOS Core

ā€¢
ā€¢
Stefan Esser
Stefan Esser

Introduction to a previously private iOS Kernel Exploitation Technique

Technology
1 of 51
Download to read offline
Port(al) to the iOS Core Introduction to a previously private iOS Kernel Exploitation Technique March, 2017
| Ā© 2017 by ANTID0TE All rights reserved Who am I? ā€¢ Stefan Esser ā€¢ from Germany ā€¢ in Information Security since 1998 ā€¢ SektionEins GmbH from (2007 - 2016) ā€¢ Antid0te UG (2013 - now) 2
| Ā© 2017 by ANTID0TE All rights reserved What is this talk about? ā€¢ a ā€œnewā€ (set of) iOS kernel exploitation technique(s) ā€¢ previously only discussed in my iOS Kernel Exploitation trainings ā€¢ part of teaching material since around 2015 ā€¢ trainee from Dec 2016 leaked it within one month to developers of Yalu ā€¢ who then distributed an iOS 10.2 jailbreak using this technique in Jan 2017 3
| Ā© 2017 by ANTID0TE All rights reserved Previous iOS Kernel Heap Feng Shui / Exploitation Techniques ā€¢ BlackHat 2012 - iOS Kernel Heap Armageddon Revisited ā€“ Author: Stefan Esser ā€“ Idea: Fill kernel heap with C++ objects via OSUnserializeXML() and overwrite them ā€“ Status: Apple mitigated but a slightly modified technique still usable in iOS 10 ā€¢ Hack In The Box 2012 - iOS 6 Security ā€“ Author(s): Mark Dowd / Tarjei Mandt ā€“ Idea: Fill heap with vm_copy_t structures and get information leaks and extended buffer overflows from overwriting them ā€“ Status: Apple added mitigations so that technique got less and less valuable 4
| Ā© 2017 by ANTID0TE All rights reserved Status of public iOS Kernel Exploitation ā€¢ everybody is using the public heap feng shui techniques ā€¢ bugs are often overflows or UAF ā€¢ exploitation often targets vm_map_copy_t or kernel C++ objects ā€¢ Apple keeps adding mitigations against the publicly seen techniques ā€¢ public techniques become less and less usable āž” we need a different / new technique 5
| Ā© 2017 by ANTID0TE All rights reserved Ingredients of our Kernel Exploitation Technique(s) 1. idea for a different / new kernel data structure to attack 2. way to fill the kernel heap with this structure or pointers to it 3. strategy how to continue once overwritten 6
| Ā© 2017 by ANTID0TE All rights reserved What Kernel Data Structure should we attack? ā€¢ there are for sure many data structures in the kernel ā€¢ but when you look at the Mach part of the kernel ā€¢ one data structure jumps into your face immediately āž” mach ports! 7
What are Mach Ports?
| Ā© 2017 by ANTID0TE All rights reserved What are Mach Ports? ā€¢ likely the most important data structure in Mach part of kernel ā€¢ have multiple purposes ā€“ act like handles to kernel objects / subsystems ā€“ allow sending / receiving messages for IPC ā€¢ stored internally in ipc_port_t structure 9
| Ā© 2017 by ANTID0TE All rights reserved ipc_port_t (I) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 10 struct ipc_port { /* * Initial sub-structure in common with ipc_pset * First element is an ipc_object second is a * message queue */ struct ipc_object ip_object; struct ipc_mqueue ip_messages; union { struct ipc_space *receiver; struct ipc_port *destination; ipc_port_timestamp_t timestamp; } data; union { ipc_kobject_t kobject; ipc_importance_task_t imp_task; uintptr_t alias; } kdata; struct ipc_port *ip_nsrequest; struct ipc_port *ip_pdrequest; struct ipc_port_request *ip_requests; struct ipc_kmsg *ip_premsg; mach_port_mscount_t ip_mscount; mach_port_rights_t ip_srights; mach_port_rights_t ip_sorights;
| Ā© 2017 by ANTID0TE All rights reserved ipc_port_t (II) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 11 natural_t ip_sprequests:1, /* send-possible requests outstanding */ ip_spimportant:1, /* ... at least one is importance donating */ ip_impdonation:1, /* port supports importance donation */ ip_tempowner:1, /* dont give donations to current receiver */ ip_guarded:1, /* port guarded (use context value as guard) */ ip_strict_guard:1, /* Strict guarding; Prevents user manipulation of context values directly */ ip_reserved:2, ip_impcount:24; /* number of importance donations in nested queue */ mach_vm_address_t ip_context; #if MACH_ASSERT #define IP_NSPARES 4 #define IP_CALLSTACK_MAX 16 queue_chain_t ip_port_links; /* all allocated ports */ thread_t ip_thread; /* who made me? thread context */ unsigned long ip_timetrack; /* give an idea of "when" created */ uintptr_t ip_callstack[IP_CALLSTACK_MAX]; /* stack trace */ unsigned long ip_spares[IP_NSPARES]; /* for debugging */ #endif /* MACH_ASSERT */ };
| Ā© 2017 by ANTID0TE All rights reserved ipc_object_t (I) common data structure for IPC objects like ports defined in /osfmk/ipc/ipc_object.h 12 /* * The ipc_object is used to both tag and reference count these two data * structures, and (Noto Bene!) pointers to either of these or the * ipc_object at the head of these are freely cast back and forth; hence * the ipc_object MUST BE FIRST in the ipc_common_data. * * If the RPC implementation enabled user-mode code to use kernel-level * data structures (as ours used to), this peculiar structuring would * avoid having anything in user code depend on the kernel configuration * (with which lock size varies). */ struct ipc_object { ipc_object_bits_t io_bits; ipc_object_refs_t io_references; lck_spin_t io_lock_data; };
| Ā© 2017 by ANTID0TE All rights reserved Ports as Handles to Kernel Objects / Data Structures ā€¢ io_bits field filled with kobject type ā€¢ receiver field points to ipc_space_kernel ā€¢ kobject field points to kernel data structure 13
| Ā© 2017 by ANTID0TE All rights reserved Possible Kobject Types IPC Kobject types are defined in /osfmk/ipc/ipc_kobject.h 14 #define IKOT_NONE 0 #define IKOT_THREAD 1 #define IKOT_TASK 2 #define IKOT_HOST 3 #define IKOT_HOST_PRIV 4 #define IKOT_PROCESSOR 5 #define IKOT_PSET 6 #define IKOT_PSET_NAME 7 #define IKOT_TIMER 8 #define IKOT_PAGING_REQUEST 9 #define IKOT_MIG 10 #define IKOT_MEMORY_OBJECT 11 #define IKOT_XMM_PAGER 12 #define IKOT_XMM_KERNEL 13 #define IKOT_XMM_REPLY 14 #define IKOT_UND_REPLY 15 #define IKOT_HOST_NOTIFY 16 #define IKOT_HOST_SECURITY 17 #define IKOT_LEDGER 18 #define IKOT_MASTER_DEVICE 19 #define IKOT_TASK_NAME 20 #define IKOT_SUBSYSTEM 21 #define IKOT_IO_DONE_QUEUE 22 #define IKOT_SEMAPHORE 23 #define IKOT_LOCK_SET 24 #define IKOT_CLOCK 25 #define IKOT_CLOCK_CTRL 26 #define IKOT_IOKIT_SPARE 27 #define IKOT_NAMED_ENTRY 28 #define IKOT_IOKIT_CONNECT 29 #define IKOT_IOKIT_OBJECT 30 #define IKOT_UPL 31 #define IKOT_MEM_OBJ_CONTROL 32 #define IKOT_AU_SESSIONPORT 33 #define IKOT_FILEPORT 34 #define IKOT_LABELH 35 #define IKOT_TASK_RESUME 36 #define IKOT_VOUCHER 37 #define IKOT_VOUCHER_ATTR_CONTROL 38
| Ā© 2017 by ANTID0TE All rights reserved Examples ā€¢ kobject always points to an IKOT specified data structure 15
What are Mach Messages?
| Ā© 2017 by ANTID0TE All rights reserved What are Mach Messages? ā€¢ data structures sent to or received from Mach Ports ā€“ header with routing information for kernel ā€“ optionally descriptors for COMPLEX messages ā€“ data that is only between sender and receiver ā€¢ used for IPC and the Mach API ā€¢ sent to kernel via mach traps 17
| Ā© 2017 by ANTID0TE All rights reserved Simple vs. Complex Messages ā€¢ simple messages are just data blobs ā€¢ complex messages contain descriptors with special meaning for kernel ā€“ MACH_MSG_PORT_DESCRIPTOR - embedding a port in a message ā€“ MACH_MSG_OOL_DESCRIPTOR - attaching OOL data to message ā€“ MACH_MSG_OOL_PORTS_DESCRIPTOR - attaching OOL ports array to message 18 typedef struct { mach_msg_header_t header; char body[]; } mach_msg_simple_t; typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_descriptor_t desc[x]; char data[]; } mach_msg_complex_t;
| Ā© 2017 by ANTID0TE All rights reserved Mach Message Header 19 typedef struct { mach_msg_bits_t msgh_bits; mach_msg_size_t msgh_size; mach_port_t msgh_remote_port; mach_port_t msgh_local_port; mach_port_name_t msgh_voucher_port; mach_msg_id_t msgh_id; } mach_msg_header_t; where to send to where to get reply from id between sender and receiver
| Ā© 2017 by ANTID0TE All rights reserved Sending and Receiving Messages ā€¢ Mach messages are sent via mach traps 20 mach_msg_return_t mach_msg(msg, option, send_size, rcv_size, rcv_name, timeout, notify) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_size; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_return_t mach_msg_overwrite(msg, option, send_size, rcv_limit, rcv_name, timeout, notify, rcv_msg, rcv_scatter_size) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_limit; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_header_t *rcv_msg; mach_msg_size_t rcv_scatter_size;
| Ā© 2017 by ANTID0TE All rights reserved Sending Mach Messages (Function Overview) 21
| Ā© 2017 by ANTID0TE All rights reserved What is the Mach API? ā€¢ programming interface offering huge number of functions ā€¢ internally converts C style function calls into messages ā€¢ first parameter is always the kernel object port to send message to ā€¢ usually they manipulate the objects behind the kernel object ports ā€¢ special code path detects if receiver=ipc_space_kernel ā€¢ headerā€™s id field selects what API is called 22
| Ā© 2017 by ANTID0TE All rights reserved Mach API Example: vm_write() ā€¢ C level call to vm_write() automatically converted into Mach message ā€“ target_task set as remote port ā€“ id set to 3807 23 typedef struct { mach_msg_header_t Head; /* start of the kernel processed data */ mach_msg_body_t msgh_body; mach_msg_ool_descriptor_t data; /* end of the kernel processed data */ NDR_record_t NDR; vm_address_t address; mach_msg_type_number_t dataCnt; } __Request__vm_write_t; kern_return_t vm_write (vm_task_t target_task, vm_address_t address, pointer_t data, mach_msg_type_number_t data_count);
Heap-Feng-Shui for Ports?
| Ā© 2017 by ANTID0TE All rights reserved Ports as Target ā€¢ kernel object ports point to kernel data structures ā€¢ overwriting/replacing them would allow calling APIs on fake data structures ā€¢ wide variety of IKOT types means many types to choose from ā€“ IKOT_FILEPORT - fileglob structure has function pointer list ā€“ IKOT_IOKIT_CONNECT - C++ object with vtable pointer ā€“ ā€¦ 25
| Ā© 2017 by ANTID0TE All rights reserved Filling the Heap with Ports? ā€¢ so should we create a lot of ports to fill the heap? ā€¢ would be possible but ports are stored in their own memory zone ā€¢ memory corruptions usually involve other memory zones ā€¢ cross zone attacks are possible but not KISS āž” letā€™s add a level of indirection 26
| Ā© 2017 by ANTID0TE All rights reserved Filling the Heap with Pointers to Ports? ā€¢ instead of filling the heap with ipc_port_t structures fill it with pointers ā€¢ overwriting a pointer to an ipc_port_t still allows to create a fake port ā€¢ idea is that pointers are likely allocated in same memory zones as buffers ā€¢ when in same memory zone exploitation gets a lot easier 27
| Ā© 2017 by ANTID0TE All rights reserved How to fill the memory with Port pointers? ā€¢ we can fill the memory with pointers to ports by Mach messages ā€¢ we use MACH_MSG_OOL_PORTS_DESCRIPTOR for this ā€¢ kernel will allocate memory via kalloc() to store pointers in memory ā€¢ arbitrary sized allocations by sending right amount of ports 28 /* calculate length of data in bytes, rounding up */ ports_length = count * sizeof(mach_port_t); names_length = count * sizeof(mach_port_name_t); if (ports_length == 0) { return user_dsc; } data = kalloc(ports_length);
| Ā© 2017 by ANTID0TE All rights reserved How to fill the memory with Port pointers? (II) ā€¢ sending enough messages will fill up the heap pretty quickly ā€¢ we can send MACH_PORT_NULL or MACH_PORT_DEAD 29
| Ā© 2017 by ANTID0TE All rights reserved Poking holesā€¦ ā€¢ poking holes in the allocation is done by receiving selected messages ā€¢ kernel code will free the previously allocated memory ā€¢ deallocation is fine grained because we select what messages to receive ā€¢ keep in mind the heap randomization since iOS 9.2 30 /* copyout to memory allocated above */ void *data = dsc->address; if (copyoutmap(map, data, rcv_addr, names_length) != KERN_SUCCESS) *mr |= MACH_MSG_VM_SPACE; kfree(data, ports_length);
| Ā© 2017 by ANTID0TE All rights reserved Corrupting Port Pointers ā€¢ when messages are received all ports within are registered in IPC space ā€¢ corrupting any of the allocated pointer lists allows injecting a fake port ā€¢ user space can access the fake port 31 /* copyout port rights carried in the message */ for ( i = 0; i < count ; i++) { ipc_object_t object = (ipc_object_t)objects[i]; *mr |= ipc_kmsg_copyout_object(space, object, disp, &names[i]); }
Faking Ports
| Ā© 2017 by ANTID0TE All rights reserved How to fake a port? (I) ā€¢ fake pointer must point to something that looks like a port ā€¢ we need to setup a number of fields for our port to work ā€“ io_bits - select one of the possible types and make it active ā€“ io_references - better give it some references ā€“ io_lock_data - must be valid lock data ā€“ kobject - pointer to a fake data structure ā€“ receiver - we cannot fill out because we donā€™t know ipc_space_kernel 33
| Ā© 2017 by ANTID0TE All rights reserved How to fake a port? (II) ā€¢ fake port and fake data must be in attacker controlled memory ā€¢ it is required to know address of that memory ā€¢ easy to do for 64 bit devices (except iPhone 7) because of user land dereferences ā€¢ requires additional information leaks for iPhone 7 and 32 bit devicesā€Ø (unless already privileged outside the sandbox) 34
| Ā© 2017 by ANTID0TE All rights reserved What can we do with such a faked port? ā€¢ because we cannot fill in receiver not a fully usable port ā€¢ it works fine when used as argument to ā€“ syscalls ā€“ mach traps ā€“ as additional parameter Mach API (not 1st argument) ā€¢ but it will NOT work as first argument to a MachAPIā€Ø (for this we need the receiver to be ipc_space_kernel) 35
| Ā© 2017 by ANTID0TE All rights reserved Some Examples ā€¢ some examples of ports we can fake ā€“ IKOT_IOKIT_CONNECT - driver connection to a IOUserClient derived object ā€“ IKOT_CLOCK - clock object ā€“ IKOT_TASK - task object 36
| Ā© 2017 by ANTID0TE All rights reserved Faking IOKit Driver Connection Ports ā€¢ ports of type IKOT_IOKIT_CONNECT can be used via iokit_user_client_trap() ā€¢ kobject pointer points to a C++ object ā€¢ good target because it allows control of the method table ā€¢ see ā€œHITB2013 - Tales from iOS 6 Exploitationā€ for example 37
| Ā© 2017 by ANTID0TE All rights reserved Faking Clock Ports (I) ā€¢ ports of type IKOT_CLOCK can be used via clock_sleep_trap() ā€¢ kobject pointer points to a struct clock ā€¢ looks like a good target because there is a function pointer list 38 /* * Actual clock object data structure. Contains the machine * dependent operations list and clock operation ports. */ struct clock { clock_ops_t cl_ops; /* operations list */ struct ipc_port *cl_service; /* service port */ struct ipc_port *cl_control; /* control port */ }; pointer to list of function pointers
| Ā© 2017 by ANTID0TE All rights reserved Faking Clock Ports (II) ā€¢ code of clock_sleep_internal() will not allow a fake clock struct ā€¢ only the valid SYSTEM_CLOCK pointer is accepted ā€¢ otherwise function errors out - triggering code execution not possible 39 validation against our fake clock struct pointer if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE);
| Ā© 2017 by ANTID0TE All rights reserved if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE); Faking Clock Ports (III) ā€¢ wait a second! ā€¢ a wrong clock pointer will lead to KERN_FAILURE ā€¢ a good pointer with bad other arguments leads to KERN_INVALID_VALUE 40 error if our pointer is not pointing to the SYSTEM_CLOCK error if our pointer was okay but other arguments bad
| Ā© 2017 by ANTID0TE All rights reserved Faking Clock Ports (IV) ā€¢ if we can change kobject we can bruteforce the SYSTEM_CLOCK address ā€¢ userland dereference makes this easy on 64 bit pre iPhone 7 ā€¢ this reveals pointer inside kernel image and therefore breaks KASLR 41 our_fake_port->io_bits = IKOT_CLOCK | IO_BITS_ACTIVE; our_fake_port->kobject = low_kernel_address; while (1) { our_fake_port->kobject+= 8; kret = clock_sleep_trap(magicport, 0x12345, 0, 0, NULL); if (kret != KERN_FAILURE) { break; } }
| Ā© 2017 by ANTID0TE All rights reserved Faking Task Ports (I) ā€¢ ports of type IKOT_TASK have kobject pointer pointing to a task struct ā€¢ unfortunately cannot be used directly in task Mach API functions ā€¢ but there are other usages like ā€Ø ā€Ø pid_for_task() - return the pid for a given task 42 t1 = port_name_to_task(t); if (t1 == TASK_NULL) { err = KERN_FAILURE; goto pftout; } else { p = get_bsdtask_info(t1); if (p) { pid = proc_pid(p); reads pointer to struct proc from our fake struct task returns pid from without struct proc
| Ā© 2017 by ANTID0TE All rights reserved Faking Task Ports (II) ā€¢ our fake IKOT_TASK port points to a fake task struct ā€¢ the bsd_info fields points anywhere in memory ā€¢ pid_for_task() will read back at offset 0x10 ā€¢ allows to read from anywhere in kernel memory 43
| Ā© 2017 by ANTID0TE All rights reserved Faking Task Ports (III) ā€¢ if we can change kobject we can read everything ā€¢ userland dereference makes this easy on 64 bit pre iPhone 7 ā€¢ this allows to read important variables like ipc_space_kernel ā€¢ this means afterwards we can use Mach API with our fake port 44
Our Port(al) to the Core Kernel Task Port
| Ā© 2017 by ANTID0TE All rights reserved Kernel Task Port ā€¢ among all the ports in an iOS system the kernel task port is the holy grail ā€¢ with access to the kernel task port we can manipulate the kernel memory ā€“ vm_read - allows reading kernel memory ā€“ vm_write - allows writing kernel memory ā€“ vm_allocate - allows allocating memory inside the kernel address space ā€“ ā€¦ ā€¢ whoever has access to the kernel task port more or less controls the system ā€¢ to turn out fake task port into a kernel task port we need to know kernel_task and ipc_space kernel 46
| Ā© 2017 by ANTID0TE All rights reserved Attack Plan for 64 bit devices (except iPhone 7) ā€¢ Corruption Phase - perform heap feng shui with OOL_PORTS_DESCRIPTORS - corrupt any of the ā€œsprayedā€ port pointers - receive all messages to get access to port ā€¢ Post Corruption Phase - fake a CLOCK port to break KASLR - via bruteforce of clock address - fake a TASK port and TASK struct to have arbitrary kernel read - read ipc_space_kernel and kernel_task - fake a kernel TASK port 47
| Ā© 2017 by ANTID0TE All rights reserved Faking the KERNEL TASK Port (I) ā€¢ with ipc_space_kernel our fake ports can be used in Mach API ā€¢ with kernel_task we can fake a kernel task port ā€¢ mach API gives us read/write access to kernel memory ā€¢ Game Over! 48
Conclusion
| Ā© 2017 by ANTID0TE All rights reserved Conclusion ā€¢ overwriting port pointers ā€“ allows to gain code execution ā€“ or full read write access to kernel memory ā€¢ heap feng shui with mach messages and OOL_PORTS_DESCRIPTOR ā€“ gives fine grained control over heap ā€“ fills heap with port pointers that when corrupted ā€¢ post corruption code is fully reusable for different corruptions (64bit before i7) 50
Questions ? www.antid0te.com stefan@antid0te.com Ā© 2017 by ANTID0TE. All rights reserved

Recommended

Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
Ā 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
Ā 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
Ā 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringPositive Hack Days
Ā 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
Ā 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
Ā 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
Ā 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
Ā 

Recommended

Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
Ā 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
Ā 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
Ā 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringPositive Hack Days
Ā 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
Ā 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
Ā 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
Ā 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
Ā 
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęعCODE BLUE
Ā 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
Ā 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
Ā 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
Ā 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsRussell Sanford
Ā 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
Ā 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach MessagesMikhail Sosonkin
Ā 
Google V8 engine
Google V8 engineGoogle V8 engine
Google V8 engineXuĆ¢n Thu Nguyį»…n
Ā 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
Ā 
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œOverlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œKwen Won Lee
Ā 
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØmao999
Ā 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL ReloadedAnthony LAOU-HINE TSUEI
Ā 
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹Kuniyasu Suzaki
Ā 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
Ā 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
Ā 
TDOH x 台ē§‘ pwnčŖ²ē؋
TDOH x 台ē§‘ pwnčŖ²ē؋TDOH x 台ē§‘ pwnčŖ²ē؋
TDOH x 台ē§‘ pwnčŖ²ē؋Weber Tsai
Ā 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
Ā 
Introduction to memcached
Introduction to memcachedIntroduction to memcached
Introduction to memcachedJurriaan Persyn
Ā 
Percona toolkit
Percona toolkitPercona toolkit
Percona toolkitKarwin Software Solutions LLC
Ā 
Fast boot
Fast bootFast boot
Fast bootSZ Lin
Ā 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
Ā 
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2Sangho Park
Ā 

More Related Content

What's hot

[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęعCODE BLUE
Ā 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
Ā 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
Ā 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
Ā 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsRussell Sanford
Ā 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
Ā 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach MessagesMikhail Sosonkin
Ā 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
Ā 
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œOverlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œKwen Won Lee
Ā 
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØmao999
Ā 
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹Kuniyasu Suzaki
Ā 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
Ā 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
Ā 
TDOH x 台ē§‘ pwnčŖ²ē؋
TDOH x 台ē§‘ pwnčŖ²ē؋TDOH x 台ē§‘ pwnčŖ²ē؋
TDOH x 台ē§‘ pwnčŖ²ē؋Weber Tsai
Ā 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
Ā 
Introduction to memcached
Introduction to memcachedIntroduction to memcached
Introduction to memcachedJurriaan Persyn
Ā 
Fast boot
Fast bootFast boot
Fast bootSZ Lin
Ā 

What's hot (20)

[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
[CB16] House of Einherjar :GLIBCäøŠć®ę–°ćŸćŖćƒ’ćƒ¼ćƒ—ę“»ē”Ø惆ć‚Æ惋惃ć‚Æ by ę¾éšˆå¤§ęع
Ā 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Ā 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
Ā 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Ā 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Ā 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Ā 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
Ā 
Google V8 engine
Google V8 engineGoogle V8 engine
Google V8 engine
Ā 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Ā 
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œOverlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Overlapped IOģ™€ IOCP ģ”°ģ‚¬ ė°œķ‘œ
Ā 
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
0ē«  Linuxć‚«ćƒ¼ćƒćƒ«ć‚’čŖ­ć‚€å‰ć«ęœ€ä½Žé™ēŸ„ć£ć¦ćŠćć¹ćć“ćØ
Ā 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL Reloaded
Ā 
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
ä»®ęƒ³åŒ–ęŠ€č”“ć«ć‚ˆć‚‹ćƒžćƒ«ć‚¦ć‚§ć‚¢åƾē­–ćØćć®å•é”Œē‚¹
Ā 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Ā 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
Ā 
TDOH x 台ē§‘ pwnčŖ²ē؋
TDOH x 台ē§‘ pwnčŖ²ē؋TDOH x 台ē§‘ pwnčŖ²ē؋
TDOH x 台ē§‘ pwnčŖ²ē؋
Ā 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
Ā 
Introduction to memcached
Introduction to memcachedIntroduction to memcached
Introduction to memcached
Ā 
Percona toolkit
Percona toolkitPercona toolkit
Percona toolkit
Ā 
Fast boot
Fast bootFast boot
Fast boot
Ā 

Similar to CanSecWest 2017 - Port(al) to the iOS Core

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
Ā 
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2Sangho Park
Ā 
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userUsernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userAkihiro Suda
Ā 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
Ā 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
Ā 
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...Codemotion
Ā 
Kubernetes Architecture and Introduction ā€“ Paris Kubernetes Meetup
Kubernetes Architecture and Introduction ā€“ Paris Kubernetes MeetupKubernetes Architecture and Introduction ā€“ Paris Kubernetes Meetup
Kubernetes Architecture and Introduction ā€“ Paris Kubernetes MeetupStefan Schimanski
Ā 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNoSuchCon
Ā 
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018 Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018 Codemotion
Ā 
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise GatewayStrata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise GatewayLuciano Resende
Ā 
An Introduction to the Kubernetes API
An Introduction to the Kubernetes APIAn Introduction to the Kubernetes API
An Introduction to the Kubernetes APIStefan Schimanski
Ā 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...PROIDEA
Ā 
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_CompromisedCansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_CompromisedLiang Chen
Ā 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
Ā 
Operating Flink on Mesos at Scale
Operating Flink on Mesos at ScaleOperating Flink on Mesos at Scale
Operating Flink on Mesos at ScaleBiswajit Das
Ā 
HKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP WorkshopHKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP WorkshopLinaro
Ā 
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5armmbed
Ā 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesJim St. Leger
Ā 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOChris Simmonds
Ā 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
Ā 

Similar to CanSecWest 2017 - Port(al) to the iOS Core (20)

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Ā 
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
ė¦¬ėˆ…ģŠ¤ ė“œė¼ģ“ė²„ #2
Ā 
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userUsernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
Ā 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Ā 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
Ā 
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Ā 
Kubernetes Architecture and Introduction ā€“ Paris Kubernetes Meetup
Kubernetes Architecture and Introduction ā€“ Paris Kubernetes MeetupKubernetes Architecture and Introduction ā€“ Paris Kubernetes Meetup
Kubernetes Architecture and Introduction ā€“ Paris Kubernetes Meetup
Ā 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
Ā 
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018 Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Ā 
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise GatewayStrata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Ā 
An Introduction to the Kubernetes API
An Introduction to the Kubernetes APIAn Introduction to the Kubernetes API
An Introduction to the Kubernetes API
Ā 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
Ā 
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_CompromisedCansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Ā 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Ā 
Operating Flink on Mesos at Scale
Operating Flink on Mesos at ScaleOperating Flink on Mesos at Scale
Operating Flink on Mesos at Scale
Ā 
HKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP WorkshopHKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP Workshop
Ā 
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
Ā 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Ā 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
Ā 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Ā 

More from Stefan Esser

WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunWhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunStefan Esser
Ā 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
Ā 
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickSyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickStefan Esser
Ā 
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailSyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailStefan Esser
Ā 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
Ā 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
Ā 
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationBlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationStefan Esser
Ā 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
Ā 

More from Stefan Esser (8)

WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunWhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
Ā 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
Ā 
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickSyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
Ā 
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailSyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
Ā 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
Ā 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
Ā 
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationBlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
Ā 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Ā 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
Ā 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜RTylerCroy
Ā 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
Ā 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
Ā 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
Ā 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
Ā 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
Ā 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
Ā 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĆŗjo
Ā 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
Ā 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
Ā 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
Ā 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
Ā 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
Ā 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Ā 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜
Ā 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Ā 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
Ā 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
Ā 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Ā 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Ā 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Ā 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Ā 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Ā 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
Ā 

CanSecWest 2017 - Port(al) to the iOS Core

  • 1. Port(al) to the iOS Core Introduction to a previously private iOS Kernel Exploitation Technique March, 2017
  • 2. | Ā© 2017 by ANTID0TE All rights reserved Who am I? ā€¢ Stefan Esser ā€¢ from Germany ā€¢ in Information Security since 1998 ā€¢ SektionEins GmbH from (2007 - 2016) ā€¢ Antid0te UG (2013 - now) 2
  • 3. | Ā© 2017 by ANTID0TE All rights reserved What is this talk about? ā€¢ a ā€œnewā€ (set of) iOS kernel exploitation technique(s) ā€¢ previously only discussed in my iOS Kernel Exploitation trainings ā€¢ part of teaching material since around 2015 ā€¢ trainee from Dec 2016 leaked it within one month to developers of Yalu ā€¢ who then distributed an iOS 10.2 jailbreak using this technique in Jan 2017 3
  • 4. | Ā© 2017 by ANTID0TE All rights reserved Previous iOS Kernel Heap Feng Shui / Exploitation Techniques ā€¢ BlackHat 2012 - iOS Kernel Heap Armageddon Revisited ā€“ Author: Stefan Esser ā€“ Idea: Fill kernel heap with C++ objects via OSUnserializeXML() and overwrite them ā€“ Status: Apple mitigated but a slightly modified technique still usable in iOS 10 ā€¢ Hack In The Box 2012 - iOS 6 Security ā€“ Author(s): Mark Dowd / Tarjei Mandt ā€“ Idea: Fill heap with vm_copy_t structures and get information leaks and extended buffer overflows from overwriting them ā€“ Status: Apple added mitigations so that technique got less and less valuable 4
  • 5. | Ā© 2017 by ANTID0TE All rights reserved Status of public iOS Kernel Exploitation ā€¢ everybody is using the public heap feng shui techniques ā€¢ bugs are often overflows or UAF ā€¢ exploitation often targets vm_map_copy_t or kernel C++ objects ā€¢ Apple keeps adding mitigations against the publicly seen techniques ā€¢ public techniques become less and less usable āž” we need a different / new technique 5
  • 6. | Ā© 2017 by ANTID0TE All rights reserved Ingredients of our Kernel Exploitation Technique(s) 1. idea for a different / new kernel data structure to attack 2. way to fill the kernel heap with this structure or pointers to it 3. strategy how to continue once overwritten 6
  • 7. | Ā© 2017 by ANTID0TE All rights reserved What Kernel Data Structure should we attack? ā€¢ there are for sure many data structures in the kernel ā€¢ but when you look at the Mach part of the kernel ā€¢ one data structure jumps into your face immediately āž” mach ports! 7
  • 8. What are Mach Ports?
  • 9. | Ā© 2017 by ANTID0TE All rights reserved What are Mach Ports? ā€¢ likely the most important data structure in Mach part of kernel ā€¢ have multiple purposes ā€“ act like handles to kernel objects / subsystems ā€“ allow sending / receiving messages for IPC ā€¢ stored internally in ipc_port_t structure 9
  • 10. | Ā© 2017 by ANTID0TE All rights reserved ipc_port_t (I) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 10 struct ipc_port { /* * Initial sub-structure in common with ipc_pset * First element is an ipc_object second is a * message queue */ struct ipc_object ip_object; struct ipc_mqueue ip_messages; union { struct ipc_space *receiver; struct ipc_port *destination; ipc_port_timestamp_t timestamp; } data; union { ipc_kobject_t kobject; ipc_importance_task_t imp_task; uintptr_t alias; } kdata; struct ipc_port *ip_nsrequest; struct ipc_port *ip_pdrequest; struct ipc_port_request *ip_requests; struct ipc_kmsg *ip_premsg; mach_port_mscount_t ip_mscount; mach_port_rights_t ip_srights; mach_port_rights_t ip_sorights;
  • 11. | Ā© 2017 by ANTID0TE All rights reserved ipc_port_t (II) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 11 natural_t ip_sprequests:1, /* send-possible requests outstanding */ ip_spimportant:1, /* ... at least one is importance donating */ ip_impdonation:1, /* port supports importance donation */ ip_tempowner:1, /* dont give donations to current receiver */ ip_guarded:1, /* port guarded (use context value as guard) */ ip_strict_guard:1, /* Strict guarding; Prevents user manipulation of context values directly */ ip_reserved:2, ip_impcount:24; /* number of importance donations in nested queue */ mach_vm_address_t ip_context; #if MACH_ASSERT #define IP_NSPARES 4 #define IP_CALLSTACK_MAX 16 queue_chain_t ip_port_links; /* all allocated ports */ thread_t ip_thread; /* who made me? thread context */ unsigned long ip_timetrack; /* give an idea of "when" created */ uintptr_t ip_callstack[IP_CALLSTACK_MAX]; /* stack trace */ unsigned long ip_spares[IP_NSPARES]; /* for debugging */ #endif /* MACH_ASSERT */ };
  • 12. | Ā© 2017 by ANTID0TE All rights reserved ipc_object_t (I) common data structure for IPC objects like ports defined in /osfmk/ipc/ipc_object.h 12 /* * The ipc_object is used to both tag and reference count these two data * structures, and (Noto Bene!) pointers to either of these or the * ipc_object at the head of these are freely cast back and forth; hence * the ipc_object MUST BE FIRST in the ipc_common_data. * * If the RPC implementation enabled user-mode code to use kernel-level * data structures (as ours used to), this peculiar structuring would * avoid having anything in user code depend on the kernel configuration * (with which lock size varies). */ struct ipc_object { ipc_object_bits_t io_bits; ipc_object_refs_t io_references; lck_spin_t io_lock_data; };
  • 13. | Ā© 2017 by ANTID0TE All rights reserved Ports as Handles to Kernel Objects / Data Structures ā€¢ io_bits field filled with kobject type ā€¢ receiver field points to ipc_space_kernel ā€¢ kobject field points to kernel data structure 13
  • 14. | Ā© 2017 by ANTID0TE All rights reserved Possible Kobject Types IPC Kobject types are defined in /osfmk/ipc/ipc_kobject.h 14 #define IKOT_NONE 0 #define IKOT_THREAD 1 #define IKOT_TASK 2 #define IKOT_HOST 3 #define IKOT_HOST_PRIV 4 #define IKOT_PROCESSOR 5 #define IKOT_PSET 6 #define IKOT_PSET_NAME 7 #define IKOT_TIMER 8 #define IKOT_PAGING_REQUEST 9 #define IKOT_MIG 10 #define IKOT_MEMORY_OBJECT 11 #define IKOT_XMM_PAGER 12 #define IKOT_XMM_KERNEL 13 #define IKOT_XMM_REPLY 14 #define IKOT_UND_REPLY 15 #define IKOT_HOST_NOTIFY 16 #define IKOT_HOST_SECURITY 17 #define IKOT_LEDGER 18 #define IKOT_MASTER_DEVICE 19 #define IKOT_TASK_NAME 20 #define IKOT_SUBSYSTEM 21 #define IKOT_IO_DONE_QUEUE 22 #define IKOT_SEMAPHORE 23 #define IKOT_LOCK_SET 24 #define IKOT_CLOCK 25 #define IKOT_CLOCK_CTRL 26 #define IKOT_IOKIT_SPARE 27 #define IKOT_NAMED_ENTRY 28 #define IKOT_IOKIT_CONNECT 29 #define IKOT_IOKIT_OBJECT 30 #define IKOT_UPL 31 #define IKOT_MEM_OBJ_CONTROL 32 #define IKOT_AU_SESSIONPORT 33 #define IKOT_FILEPORT 34 #define IKOT_LABELH 35 #define IKOT_TASK_RESUME 36 #define IKOT_VOUCHER 37 #define IKOT_VOUCHER_ATTR_CONTROL 38
  • 15. | Ā© 2017 by ANTID0TE All rights reserved Examples ā€¢ kobject always points to an IKOT specified data structure 15
  • 16. What are Mach Messages?
  • 17. | Ā© 2017 by ANTID0TE All rights reserved What are Mach Messages? ā€¢ data structures sent to or received from Mach Ports ā€“ header with routing information for kernel ā€“ optionally descriptors for COMPLEX messages ā€“ data that is only between sender and receiver ā€¢ used for IPC and the Mach API ā€¢ sent to kernel via mach traps 17
  • 18. | Ā© 2017 by ANTID0TE All rights reserved Simple vs. Complex Messages ā€¢ simple messages are just data blobs ā€¢ complex messages contain descriptors with special meaning for kernel ā€“ MACH_MSG_PORT_DESCRIPTOR - embedding a port in a message ā€“ MACH_MSG_OOL_DESCRIPTOR - attaching OOL data to message ā€“ MACH_MSG_OOL_PORTS_DESCRIPTOR - attaching OOL ports array to message 18 typedef struct { mach_msg_header_t header; char body[]; } mach_msg_simple_t; typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_descriptor_t desc[x]; char data[]; } mach_msg_complex_t;
  • 19. | Ā© 2017 by ANTID0TE All rights reserved Mach Message Header 19 typedef struct { mach_msg_bits_t msgh_bits; mach_msg_size_t msgh_size; mach_port_t msgh_remote_port; mach_port_t msgh_local_port; mach_port_name_t msgh_voucher_port; mach_msg_id_t msgh_id; } mach_msg_header_t; where to send to where to get reply from id between sender and receiver
  • 20. | Ā© 2017 by ANTID0TE All rights reserved Sending and Receiving Messages ā€¢ Mach messages are sent via mach traps 20 mach_msg_return_t mach_msg(msg, option, send_size, rcv_size, rcv_name, timeout, notify) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_size; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_return_t mach_msg_overwrite(msg, option, send_size, rcv_limit, rcv_name, timeout, notify, rcv_msg, rcv_scatter_size) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_limit; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_header_t *rcv_msg; mach_msg_size_t rcv_scatter_size;
  • 21. | Ā© 2017 by ANTID0TE All rights reserved Sending Mach Messages (Function Overview) 21
  • 22. | Ā© 2017 by ANTID0TE All rights reserved What is the Mach API? ā€¢ programming interface offering huge number of functions ā€¢ internally converts C style function calls into messages ā€¢ first parameter is always the kernel object port to send message to ā€¢ usually they manipulate the objects behind the kernel object ports ā€¢ special code path detects if receiver=ipc_space_kernel ā€¢ headerā€™s id field selects what API is called 22
  • 23. | Ā© 2017 by ANTID0TE All rights reserved Mach API Example: vm_write() ā€¢ C level call to vm_write() automatically converted into Mach message ā€“ target_task set as remote port ā€“ id set to 3807 23 typedef struct { mach_msg_header_t Head; /* start of the kernel processed data */ mach_msg_body_t msgh_body; mach_msg_ool_descriptor_t data; /* end of the kernel processed data */ NDR_record_t NDR; vm_address_t address; mach_msg_type_number_t dataCnt; } __Request__vm_write_t; kern_return_t vm_write (vm_task_t target_task, vm_address_t address, pointer_t data, mach_msg_type_number_t data_count);
  • 25. | Ā© 2017 by ANTID0TE All rights reserved Ports as Target ā€¢ kernel object ports point to kernel data structures ā€¢ overwriting/replacing them would allow calling APIs on fake data structures ā€¢ wide variety of IKOT types means many types to choose from ā€“ IKOT_FILEPORT - fileglob structure has function pointer list ā€“ IKOT_IOKIT_CONNECT - C++ object with vtable pointer ā€“ ā€¦ 25
  • 26. | Ā© 2017 by ANTID0TE All rights reserved Filling the Heap with Ports? ā€¢ so should we create a lot of ports to fill the heap? ā€¢ would be possible but ports are stored in their own memory zone ā€¢ memory corruptions usually involve other memory zones ā€¢ cross zone attacks are possible but not KISS āž” letā€™s add a level of indirection 26
  • 27. | Ā© 2017 by ANTID0TE All rights reserved Filling the Heap with Pointers to Ports? ā€¢ instead of filling the heap with ipc_port_t structures fill it with pointers ā€¢ overwriting a pointer to an ipc_port_t still allows to create a fake port ā€¢ idea is that pointers are likely allocated in same memory zones as buffers ā€¢ when in same memory zone exploitation gets a lot easier 27
  • 28. | Ā© 2017 by ANTID0TE All rights reserved How to fill the memory with Port pointers? ā€¢ we can fill the memory with pointers to ports by Mach messages ā€¢ we use MACH_MSG_OOL_PORTS_DESCRIPTOR for this ā€¢ kernel will allocate memory via kalloc() to store pointers in memory ā€¢ arbitrary sized allocations by sending right amount of ports 28 /* calculate length of data in bytes, rounding up */ ports_length = count * sizeof(mach_port_t); names_length = count * sizeof(mach_port_name_t); if (ports_length == 0) { return user_dsc; } data = kalloc(ports_length);
  • 29. | Ā© 2017 by ANTID0TE All rights reserved How to fill the memory with Port pointers? (II) ā€¢ sending enough messages will fill up the heap pretty quickly ā€¢ we can send MACH_PORT_NULL or MACH_PORT_DEAD 29
  • 30. | Ā© 2017 by ANTID0TE All rights reserved Poking holesā€¦ ā€¢ poking holes in the allocation is done by receiving selected messages ā€¢ kernel code will free the previously allocated memory ā€¢ deallocation is fine grained because we select what messages to receive ā€¢ keep in mind the heap randomization since iOS 9.2 30 /* copyout to memory allocated above */ void *data = dsc->address; if (copyoutmap(map, data, rcv_addr, names_length) != KERN_SUCCESS) *mr |= MACH_MSG_VM_SPACE; kfree(data, ports_length);
  • 31. | Ā© 2017 by ANTID0TE All rights reserved Corrupting Port Pointers ā€¢ when messages are received all ports within are registered in IPC space ā€¢ corrupting any of the allocated pointer lists allows injecting a fake port ā€¢ user space can access the fake port 31 /* copyout port rights carried in the message */ for ( i = 0; i < count ; i++) { ipc_object_t object = (ipc_object_t)objects[i]; *mr |= ipc_kmsg_copyout_object(space, object, disp, &names[i]); }
  • 33. | Ā© 2017 by ANTID0TE All rights reserved How to fake a port? (I) ā€¢ fake pointer must point to something that looks like a port ā€¢ we need to setup a number of fields for our port to work ā€“ io_bits - select one of the possible types and make it active ā€“ io_references - better give it some references ā€“ io_lock_data - must be valid lock data ā€“ kobject - pointer to a fake data structure ā€“ receiver - we cannot fill out because we donā€™t know ipc_space_kernel 33
  • 34. | Ā© 2017 by ANTID0TE All rights reserved How to fake a port? (II) ā€¢ fake port and fake data must be in attacker controlled memory ā€¢ it is required to know address of that memory ā€¢ easy to do for 64 bit devices (except iPhone 7) because of user land dereferences ā€¢ requires additional information leaks for iPhone 7 and 32 bit devicesā€Ø (unless already privileged outside the sandbox) 34
  • 35. | Ā© 2017 by ANTID0TE All rights reserved What can we do with such a faked port? ā€¢ because we cannot fill in receiver not a fully usable port ā€¢ it works fine when used as argument to ā€“ syscalls ā€“ mach traps ā€“ as additional parameter Mach API (not 1st argument) ā€¢ but it will NOT work as first argument to a MachAPIā€Ø (for this we need the receiver to be ipc_space_kernel) 35
  • 36. | Ā© 2017 by ANTID0TE All rights reserved Some Examples ā€¢ some examples of ports we can fake ā€“ IKOT_IOKIT_CONNECT - driver connection to a IOUserClient derived object ā€“ IKOT_CLOCK - clock object ā€“ IKOT_TASK - task object 36
  • 37. | Ā© 2017 by ANTID0TE All rights reserved Faking IOKit Driver Connection Ports ā€¢ ports of type IKOT_IOKIT_CONNECT can be used via iokit_user_client_trap() ā€¢ kobject pointer points to a C++ object ā€¢ good target because it allows control of the method table ā€¢ see ā€œHITB2013 - Tales from iOS 6 Exploitationā€ for example 37
  • 38. | Ā© 2017 by ANTID0TE All rights reserved Faking Clock Ports (I) ā€¢ ports of type IKOT_CLOCK can be used via clock_sleep_trap() ā€¢ kobject pointer points to a struct clock ā€¢ looks like a good target because there is a function pointer list 38 /* * Actual clock object data structure. Contains the machine * dependent operations list and clock operation ports. */ struct clock { clock_ops_t cl_ops; /* operations list */ struct ipc_port *cl_service; /* service port */ struct ipc_port *cl_control; /* control port */ }; pointer to list of function pointers
  • 39. | Ā© 2017 by ANTID0TE All rights reserved Faking Clock Ports (II) ā€¢ code of clock_sleep_internal() will not allow a fake clock struct ā€¢ only the valid SYSTEM_CLOCK pointer is accepted ā€¢ otherwise function errors out - triggering code execution not possible 39 validation against our fake clock struct pointer if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE);
  • 40. | Ā© 2017 by ANTID0TE All rights reserved if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE); Faking Clock Ports (III) ā€¢ wait a second! ā€¢ a wrong clock pointer will lead to KERN_FAILURE ā€¢ a good pointer with bad other arguments leads to KERN_INVALID_VALUE 40 error if our pointer is not pointing to the SYSTEM_CLOCK error if our pointer was okay but other arguments bad
  • 41. | Ā© 2017 by ANTID0TE All rights reserved Faking Clock Ports (IV) ā€¢ if we can change kobject we can bruteforce the SYSTEM_CLOCK address ā€¢ userland dereference makes this easy on 64 bit pre iPhone 7 ā€¢ this reveals pointer inside kernel image and therefore breaks KASLR 41 our_fake_port->io_bits = IKOT_CLOCK | IO_BITS_ACTIVE; our_fake_port->kobject = low_kernel_address; while (1) { our_fake_port->kobject+= 8; kret = clock_sleep_trap(magicport, 0x12345, 0, 0, NULL); if (kret != KERN_FAILURE) { break; } }
  • 42. | Ā© 2017 by ANTID0TE All rights reserved Faking Task Ports (I) ā€¢ ports of type IKOT_TASK have kobject pointer pointing to a task struct ā€¢ unfortunately cannot be used directly in task Mach API functions ā€¢ but there are other usages like ā€Ø ā€Ø pid_for_task() - return the pid for a given task 42 t1 = port_name_to_task(t); if (t1 == TASK_NULL) { err = KERN_FAILURE; goto pftout; } else { p = get_bsdtask_info(t1); if (p) { pid = proc_pid(p); reads pointer to struct proc from our fake struct task returns pid from without struct proc
  • 43. | Ā© 2017 by ANTID0TE All rights reserved Faking Task Ports (II) ā€¢ our fake IKOT_TASK port points to a fake task struct ā€¢ the bsd_info fields points anywhere in memory ā€¢ pid_for_task() will read back at offset 0x10 ā€¢ allows to read from anywhere in kernel memory 43
  • 44. | Ā© 2017 by ANTID0TE All rights reserved Faking Task Ports (III) ā€¢ if we can change kobject we can read everything ā€¢ userland dereference makes this easy on 64 bit pre iPhone 7 ā€¢ this allows to read important variables like ipc_space_kernel ā€¢ this means afterwards we can use Mach API with our fake port 44
  • 45. Our Port(al) to the Core Kernel Task Port
  • 46. | Ā© 2017 by ANTID0TE All rights reserved Kernel Task Port ā€¢ among all the ports in an iOS system the kernel task port is the holy grail ā€¢ with access to the kernel task port we can manipulate the kernel memory ā€“ vm_read - allows reading kernel memory ā€“ vm_write - allows writing kernel memory ā€“ vm_allocate - allows allocating memory inside the kernel address space ā€“ ā€¦ ā€¢ whoever has access to the kernel task port more or less controls the system ā€¢ to turn out fake task port into a kernel task port we need to know kernel_task and ipc_space kernel 46
  • 47. | Ā© 2017 by ANTID0TE All rights reserved Attack Plan for 64 bit devices (except iPhone 7) ā€¢ Corruption Phase - perform heap feng shui with OOL_PORTS_DESCRIPTORS - corrupt any of the ā€œsprayedā€ port pointers - receive all messages to get access to port ā€¢ Post Corruption Phase - fake a CLOCK port to break KASLR - via bruteforce of clock address - fake a TASK port and TASK struct to have arbitrary kernel read - read ipc_space_kernel and kernel_task - fake a kernel TASK port 47
  • 48. | Ā© 2017 by ANTID0TE All rights reserved Faking the KERNEL TASK Port (I) ā€¢ with ipc_space_kernel our fake ports can be used in Mach API ā€¢ with kernel_task we can fake a kernel task port ā€¢ mach API gives us read/write access to kernel memory ā€¢ Game Over! 48
  • 50. | Ā© 2017 by ANTID0TE All rights reserved Conclusion ā€¢ overwriting port pointers ā€“ allows to gain code execution ā€“ or full read write access to kernel memory ā€¢ heap feng shui with mach messages and OOL_PORTS_DESCRIPTOR ā€“ gives fine grained control over heap ā€“ fills heap with port pointers that when corrupted ā€¢ post corruption code is fully reusable for different corruptions (64bit before i7) 50